After four years of discussion, the new EU data protection framework, taking the form of a regulation - the General Data Protection Regulation (GDPR) - will replace the current Data Protection Directive and will be directly applicable in all member states. It will take effect on 25 May 2018. With less than seven months to implementation, businesses of all sizes are getting to grips with their preparations. It is best to consider the risks now rather than risk increased litigation and financial costs later. In this article, we look at the implementation of the GDPR and what litigation challenges it might present.
With an increasing number of businesses and services operating across borders, international consistency around data protection laws and rights is seen as crucial to businesses, state organisations and individuals. The political will to safeguard individuals’ rights in the digital age is stronger than the desire to minimise regulation in the digital economy. However, the increasing obligations for data processors put them at a significantly increased risk if they are responsible for a breach.
The GDPR extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data and adopt appropriate technical and organisational measures.
It will challenge the privacy practices of medium and large organisations that process any personal data of EU citizens. Further, it is widely anticipated that there will be a flurry of requests to data controllers as soon as the GDPR comes into force. New rights of portability and the ‘right to be forgotten’ will encourage privacy activists as well as disgruntled ex-employees, litigants, consumers and members of the media.
That in turn will potentially result in further complaints to the regulator about data controllers’ failure to respond satisfactorily.
Profiling is likely to be one of the areas that could lead to an increase in litigation. Profiling as set out in the GDPR is ‘any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’
Given the breadth of the definition, many organisations that use data to better understand their customers, employees or stakeholders may consider they are engaging in profiling. Critically, the data subject will now have the ability to opt out, even if they have previously consented to the processing. Profiling, it would seem, covers more than just automated processing. Such profiling may not involve decisions with potentially serious or legal outcomes for the data subject, but when it does, the data subject is entitled to many additional rights and remedies.
What this means for business is that, in short, preparation is key to understanding how your business practices and data security will need to be changed. However, only the largest organisations are likely to be able to solve the logistical nightmare of handling and responding to a sudden influx of subject access requests.
As the GDPR expands the legal definition of personal data, businesses will find it increasingly difficult to control the flow of data across their organisation and safeguard this data. This may result in yet more potential breaches and further customer concerns. When you consider the fact that the GDPR also removes the small but arguably limiting ability to levy a charge for data requests, a flood of requests from potentially vexatious data subjects seems likely. The changes are being followed as closely by online privacy blogs as they are by the legal and compliance communities.
Other preparations businesses could make to avoid litigation over the GDPR include looking to pre-emptively amend contracts and building revised consent mechanisms well ahead of time. IT teams should be giving consideration to putting technologies and processes in place for dealing with objections to profiling and for responding to a new wave of subject access requests. As with the DPA, non-compliance can result in legal action or large fines (up to four per cent of an organisation's global turnover or €20 million, whichever is greater).
Another area of uncertainty is the potential for large-scale US-style ‘class action’ claims where data security breaches affect a large number of individuals. In theory, group litigation orders already provide a potential avenue for such claims, but commentators speculate that a collective action regime may be rolled out or extended to cover data protection, whereby all affected individuals are automatically part of the ‘class’ of people bringing the action unless they choose to opt out.
Under the GDPR, the consent of a data subject subsists as a legal ground for the processing of personal data, but it will be much more difficult to show that consent has been obtained than under existing law. It is therefore likely that the other lawful grounds for processing data, such as necessity for the performance of a contract or compliance with a legal obligation, will need to be reconsidered in more detail than ever before, as parties to litigation will not be able to rely on consent as readily as they have done in the past.
There are also concerns that the tightened regulations on processing personal data may affect the process of disclosure in litigation, particularly in large e-disclosure exercises. Litigants may need to consider whether additional consent is required when undertaking disclosure if the relevant documents in the case contain personal data. If a party to litigation is based outside the jurisdiction, it will also be necessary to consider the lawful grounds for the cross-border transfer of personal data.
In addition, the GDPR’s definitions are more detailed than the DPA’s and make it clear that information such as an online identifier, for example an IP address, can be personal data. For most organisations keeping HR records, customer lists or contact details, the change to the definition should make little practical difference. It can be assumed that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include personal data that has been pseudonymised (for example, key-coded), which can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. The greater the scope and reach of the provisions, the more work businesses will need to do in order to achieve compliance and avoid litigation or regulatory censure.
Practical effects and operational impact of the GDPR
- Cost of compliance by investing in readiness initiatives
- Increased IT costs for businesses seem inevitable
- Financial penalties for non-compliance are likely to grow in value and regularity
- Negative media or social coverage of compliance failure is now a risk for all kinds of businesses
- Potential for shareholder legal action if there is a significant data breach
- Data stewardship likely to become a key concern for consumers in certain sectors. Good compliance is likely to give certain businesses a competitive edge
- Onerous requirement of having a data protection officer
The GDPR makes substantial changes to an area of law that affects a vast number of companies and individuals. As with any such wide reform, the key concern is uncertainty until the new Regulation comes into force and we begin to understand the details of how the GDPR’s provisions will operate in practice.
What we can say for certain, however, is that the notion of data privacy is becoming more and more pervasive. Few businesses will escape the onerous requirements of the GDPR. From a legal perspective, the impact will mean not only that in-house lawyers and data protection specialists will have to ensure that their own processes are compliant with the new rules, but also that awareness is raised throughout the business.
Large organisations, in particular, will need to have in place clear lines of responsibility to ensure that data breaches within the organisation itself are identified and dealt with appropriately internally without undue delay.