The GDPR gives data subjects greater rights and imposes more reporting requirements on companies that transact with, and collect data from, EU customers and suppliers. Under the GDPR, data controllers and data processors are jointly and severally liable.
Companies should, if they have not already done so, carry out an audit of their systems to ensure that they are secure, in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A simple review entailing some basic updates could avoid major fines, as the following cases demonstrate.
The telecom company TalkTalk was issued with a record fine of €450,474 by the ICO for security failings that allowed a cyber attacker to access customer data with ease. The ICO found that the attack could have been prevented had TalkTalk taken some basic steps to protect customers’ data; there were technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes. The Information Commissioner Elizabeth Denham said: ‘TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s system with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard customer information. It did not, and we have taken action.’
Carphone Warehouse’s failure to secure the company’s systems allowed unauthorised access to the personal data of over three million customers and 1,000 employees, again leading to a fine of €450,474. The customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historic payment card details. The records of some employees, including names, phone numbers, postcodes and car registrations, were also accessed.
The Information Commissioner said: ‘A company as large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systematic failures we found related to rudimentary, commonplace measures. Companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.’
Transfer of personal data
Where personal data moves across borders outside the EU, this may put at increased risk the ability of customers and other data subjects to exercise their data protection rights, in particular the right to protect themselves from the unlawful use or disclosure of their personal information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to activities outside their borders.
Chapter V of the GDPR governs the transfer of personal data to third countries (non-EU countries). It provides that any transfer of personal data to a third country, including the onward transfer of personal data from that third country to another third country, shall take place only if the conditions laid down in Chapter V are complied with by the controller and processor.
The Chapter V conditions are:
- A transfer of personal data to a third country may take place where the EU Commission has decided that the third country in question ensures an adequate level of protection. Such a transfer does not require any specific authorisation.
  The Commission publishes a list of the third countries which it has decided offer an adequate level of protection, and of those that it decides no longer offer that protection.
  The following countries outside the EU currently have data protection laws that fully comply with the requirements of the EU and have passed laws which meet the principles of the GDPR: Norway, Liechtenstein, Iceland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US.
- Where there is no adequacy decision in respect of a country, the controller or processor must ensure that there are adequate safeguards for the transfer of the data.
  Adequate safeguards can include the use of standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission.
- In the absence of an adequacy decision or appropriate safeguards, a transfer of personal data to a third country shall take place only on limited conditions, including:
  - where the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such a transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards; or
  - where the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject’s request; or
  - where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
  - where the transfer is necessary for the establishment, exercise or defence of legal claims; or
  - where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, and the data subject is physically or legally incapable of giving consent.
Under Article 30 of the GDPR, certain organisations that are data controllers are required to maintain a record of the processing activities that they carry out or which are under their responsibility. This record must include the categories of recipients to whom the personal data has been or will be disclosed, including, where applicable, recipients in third countries, the identification of those third countries and the appropriate safeguards in place.
These obligations will not apply to an enterprise or organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
The Chapter V conditions are in addition to the general principles for processing data, which require that personal data is processed fairly and in a transparent manner; is processed only for specific, explicit purposes; is adequate and not excessive; is not kept for longer than is necessary; and is subject to adequate security.
Going forward, it is vital that you have good processing contracts with the suppliers who process data on your instructions, including suppliers based overseas, and that you introduce adequate security measures so that your suppliers are fully committed to securing and safeguarding the data you share with them. Where a supplier is located in a country that does not offer an adequate level of data protection, you should implement measures that compensate for that lack of protection by way of appropriate safeguards for your customers.
Such safeguards may consist of binding corporate rules, standard data protection clauses or contractual clauses. They should ensure compliance with data protection requirements and respect for the rights of data subjects equivalent to those that apply to processing within the UK or EU. Most importantly, they will hopefully spare you from facing a hefty fine.