HPLpro - flexible in-house legal services

Data Protection - essential update

20/4/2017

Data Protection - HPLpro Essential Update

Some people find data protection a very dry (or even boring) subject. However, we would urge those people, particularly if you are in a position of management in a company, to bear with us, if only for this article, as data protection within the EU is just about to get a lot more interesting/serious – see the summary box below as to why. HPLpro can of course provide a freelance in-house lawyer to help you with your data protection requirements on a part-time, short-term or project-by-project basis. We will post more articles on this subject as we get nearer to the implementation date.

As always, it is worth restating that HPLpro is not a legal firm, and this article should not be taken as legal advice. It is important for you and your business to have experienced legal practitioners advise you upon the data protection regulations to ensure that you are adequately prepared.

We will repeat this later in the article, but it is worth saying up front as it will grab the most attention: the new fines for the most serious data protection breaches can be up to 4% of global turnover. Yes, that is turnover, not profit. In terms of legislative 'bite', this means that EU data protection regulation now has the same teeth as EU competition law regulations. In other words, if you are not doing so already, it is now time to start taking this subject very seriously.

Summary of changes
  • New fines for breach – maximum 4% of global group turnover
  • Affects non-EU based companies processing EU personal data
  • New unified approach across the EU
  • Entering force in May 2018
  • Brexit question still to be answered
  • Companies need to start mapping their data and reviewing policies/processes now


What is data protection?

Very briefly, data protection is regulation which governs how companies use, store and process the personal data of EU citizens, personal data being defined as any data that can directly or indirectly identify an individual. The European Commission lists some examples as: "name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address."

Given that a fairly sizable change is on the horizon, we will not cover the current data protection position in any detail in this article.

So, what is changing then?

The new piece of EU law is the General Data Protection Regulation. Notice firstly that this is a Regulation rather than a Directive, meaning that it is automatically imported into EU Member State law – unlike with the old Directive, where Member States had to enact their own legislation to bring the Directive into force in their country. This means that the new law will be the same across the whole of the EU. The new Regulation applies from 25-05-2018.

What do I need to know about the new rules?

Penalties

Previously, reputational damage was arguably the biggest risk to a company breaching data protection regulations. Fines did exist and have been used - regularly - but those fines amounted to hundreds of thousands of pounds at the top end (the largest being £400,000 to mobile telecoms provider TalkTalk). As stated above, things are about to change dramatically in this area. Under the new regulations, organisations in breach can be fined up to a maximum of 4% of annual global turnover or twenty million euros (whichever is the greater). For clarity, if your company is a subsidiary in a global group, the fine is 4% of the group turnover. Such fines are likely to be reserved for the most serious breaches of the regulations, such as big personal data leaks, not having proper consent from individuals for processing, and not putting data protection at the heart of designing new systems and processes.

Who the regulations apply to

The new regulations apply to so called 'controllers' and 'processors' of personal data where the controller is the party directing the processor why and how the data needs to be processed. A company can of course be a processor and a controller at the same time. For the sake of ease, this article will refer solely to the term data processors for both types of entity.

Extra territorial scope

The new regulations apply to: any EU based entity processing the data of EU citizens (wherever in the world that data is processed), no matter whether that company is processing data on behalf of another company; and the processing of personal data of EU subjects by a non-EU processor, where the activities relate to offering goods or services to EU citizens or monitoring the behaviour of EU citizens. Additionally, non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.

Getting consent

The regulations demand that the processing of personal data requires the consent of the subject of that data. Further, that consent must: be unambiguous; be obtained using clear and understandable language; relate to the purpose that the data will be used for; and be just as easy to withdraw as to give. For sensitive personal data, the bar is set even higher, with opt-ins being required (sensitive data consists of things such as the subject's religious beliefs, sexual practices, political opinions, racial origin, mental health and so on). If you have mailing list tick boxes, you need to reconsider whether they are fit for purpose in light of these changes.

Notifying authorities when a breach occurs

Where a data breach occurs that is likely to, “result in a risk for the rights and freedoms of individuals,” data processors now have a mandatory obligation to notify the regulatory authorities. In fact, this has to be done within 72 hours of the processor becoming aware of the breach. In certain circumstances, data processors will also be required to directly notify their customers “without undue delay”. Guidance from the regulatory authorities on any threshold for notification and what breaches will constitute “a risk for the rights and freedoms of individuals,” is expected to be forthcoming and we will write a further article to clarify when that guidance is released.

Right to access data/portability

The regulations also increase the ability of data subjects to access data that an entity holds on them including a requirement for the processor to supply a copy of that data, free of charge, in an electronic format. Further, the data subject can now request the information in a common format to enable it to be transferred to another data processor.

Right to be Forgotten

The ability to be forgotten by data processors has been in the news over the last few years but now the regulations will address the issue; specifically, this right enables data subjects to require processors to erase their personal data and cease further use of it provided certain conditions have been met (such as the data no longer being required or consent to processing being withdrawn). When considering such requests, data processors have to consider the individual's rights in relation to "the public interest in the availability of the data" and, presumably, detailed guidance will be forthcoming at some stage in respect of how to do that.

Privacy by Design

Entities now have an overt obligation to consider data protection when they build new systems and policies. For example, the regulations require data processors to hold data only for as long as is necessary to complete their duties, and access to personal data must be limited to only those persons who actually need it.

Data Protection Officers

Public authorities and entities that engage in large scale systematic monitoring or processing of personal data now also have to have an employee responsible for ensuring that the regulations are complied with – a Data Protection Officer. Companies that do not fall into these categories will not have to have such an employee, but those companies will nevertheless do well to consider how they are going to ensure compliance with the regulations without an individual overseeing the whole programme. A data protection officer can be an employee or an external service provider (such as an HPLpro freelance lawyer) and must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices – it will not suffice to simply give an employee the title of data protection officer in order to comply with the regulations. Interestingly, the regulations require the data protection officer to report to the highest level of management in an entity and prevent that officer from doing any tasks which may conflict with their duties as data protection officer. Again, it is worth repeating that this applies to processors of EU data for goods and services or monitoring, no matter where in the world they are based.

What should we be doing now to prepare?

The chances are that most companies and entities have not done enough in respect of getting prepared for the change, so there is probably an enormous amount left to be done over the next 12 months. Take a look at the infographic below, produced by the UK Information Commissioner's Office, which shows you how prepared UK local government authorities are for the regulations. This is fairly alarming considering local authorities have to comply with some of the most rigorous elements of those regulations.

[Infographic: UK Information Commissioner's Office survey of UK local government authorities' preparedness for the new regulations]
Below are some activities that your company can start doing now in anticipation of the 2018 deadline.

Talk to the Board/CEO/GM/MD/VPs

Achieving compliance with the regulations, particularly for a large entity, is unlikely to be a quick and easy affair; indeed, it will most certainly take time and commitment from employees who are undoubtedly busy with other matters, meaning that it will also likely take money. In that sense, it is imperative that the boards of companies buy in to the importance of data protection and treat it as seriously as they would competition law, bribery and corruption, health and safety and environmental regulations. This topic should be raised with the board of companies as soon as possible if it has not already been done, particularly by (if a company has any) the in-house lawyers, IT security personnel and compliance officers. We anticipate that this will significantly impact EU companies that have US parent companies, and the boards of those parent companies should be alerted as soon as possible. A company that takes its data protection obligations seriously will undoubtedly be viewed differently to a company that is dismissive, reckless or negligent in its approach to data protection.

Get a map

The most important thing is to know where you currently stand in relation to the data that you hold and data that you need now and data that you will need when the regulations come into force in 2018.

In other words, you need to map your data – where is it, who touches it, what system is it on, how secure is it, who has access, what do they do with it, and so on and so forth. Remember, this is for any data that can identify an individual – going back to the European Commission's list of examples, that can include: "name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address." If that sounds like a daunting task, just remember that the penalty for getting this wrong could be as high as 4% of the global turnover of the corporate group.

Review the required consents

Once you have mapped your data, you will need to review it to ensure that the data and its use have the appropriate level of consent from the people that the data relates to, as required by the legislation, and that the consent, if required, is easily evidenced and accessible. If not, you should take steps now to ensure that you have the mechanisms in place to obtain the appropriate levels of consent; there is no need to wait until the deadline to ensure that your consent database is fit and healthy.

Data Access requests

You will need to ensure that your business has an adequate system for processing data access requests as and when they arrive. Given that companies can no longer charge for such requests, it will likely be more cost effective to have a robust, easy to use system and/or process in place prior to any request coming in.

Review your contracts

You should examine all of your contracts to ensure that any party holding data on your behalf has the appropriate obligations in those contracts to ensure that your company does not fall foul of the regulations. Additionally, such requirements should be backed up by strong indemnities and warranties to provide appropriate remedies and emphasise the importance of compliance to your company.

Train your people

Awareness campaigns and training programmes should be established now so that by the time the regulations land, the principles therein are commonplace within your business and are part of your business culture. Culture, of course, comes from the top (see the 'Talk to the Board' section above).

Data Breach checklists and tests

What would you do if your company suffered a significant data breach? Having a policy to follow will minimise any missteps in the process, bearing in mind that there is a 72 hour clock to notify that starts ticking. It is perhaps worthwhile having a 'dry run' data breach exercise in order to expose flaws in your present systems and policies. Data breaches, and the regulatory assessment of those breaches, can always get worse depending upon how your company reacts to them.

Additionally, you should consider performing privacy impact assessments for all new projects prior to the regulations coming into force. What personal data will the project involve? What are the risks involved for that project? What will compliance look like for that project?

You may also consider checking your insurance coverage in the event of such a breach.

If you start scheduling some of the above activities into the diary of your business now, you will put that business in a better position to be able to 'beat the rush' which will inevitably occur as we near the 2018 deadline.

There are two other things to be aware of on the subject of these regulations:

Impact of Brexit

Any UK company processing data relating to selling goods or services to EU citizens will need to comply with the regulations, regardless of what happens in respect of Brexit. It is also possible, one might say probable, that the UK government will choose to port over the regulations in order to: shortcut the development of alternative regulations; and maintain a system whereby data can be exchanged between the UK and the EU easily.

Artificial intelligence

Elizabeth Denham, the UK Information Commissioner, recently published a paper on the ICO website which reviews the implications of artificial intelligence (AI) and machine learning for data protection. The concern is that if an AI is processing data, and learning and altering its data processing as it does so, how can it be guaranteed that the AI will do so within the data protection regulations framework? That paper concluded with six key recommendations, that big data analysis should: avoid the use of personal data where possible and anonymise that data; ensure that the processing is transparent; perform privacy impact assessments as a routine element of the process; adopt a privacy by design approach as mentioned above; develop and use an ethical principles policy; and develop auditable machine learning algorithms.

Interestingly, what that paper did not do was address how data protection regulations apply to the personal data of AIs. This perhaps seems an amusing, if not trivial, statement to make at present, but, given the expectation that AI will exceed the human mind this century - perhaps even the first half of this century - we should probably be considering the impact of AI on legislation and vice-versa. Think on this for a moment: the data that relates to an AI will not be covered by these regulations unless it can also identify an individual human. So, an IP address that relates solely to your Foodie-Bot ™ will only be protected if it also relates to you. If your SociBot ™ is busy posting social updates on the next generation of social networks, those posts will also not be protected, unless they also relate to you. If your IBank-BankyBot ™ has its own bank account, those details are not covered, unless they also relate to you. That last fanciful example is timely given the recent prediction by banks that AI will be running human/bank interactions within three years. Legislation is almost always behind technology; at some stage, probably fairly shortly, we will need to start considering how our current legislation fits with an AI world. As we noted in our recent article on copyright, if your BanksyBot ™ paints a wall mural it will not be worth $1 million, as it will be able to be copied by all and sundry – well, bad luck - 'its' personal data won't be protected either.

As stated above, HPLpro can of course provide a freelance in-house lawyer to help you with your data protection requirements on a part-time, short-term or project-by-project basis. Our freelancers could help you map your data, train your people, perform dry run data breach exercises, or they could even help put in place consent certification mechanisms and policies – just let us know your needs. Detailed guidance on a lot of the above areas will certainly be released by the regulatory authorities, and we will post more articles on this subject as and when that guidance lands.

Cheers

HPLpro Team
