GDPR and your Firm
Described by the EU as the most important change in data privacy regulation in 20 years,[i] the General Data Protection Regulation (GDPR) was finally approved after four years of preparation and debate on 14 April 2016 and will come into effect in the UK on 25 May 2018 – at which time those organizations in non-compliance will face heavy fines.
Replacing the Data Protection Directive 95/46/EC (DPA), the GDPR was designed to:
- harmonize data privacy laws across Europe,
- protect and empower all EU citizens' data privacy, and
- reshape the way organizations across the region approach data privacy.
It is unlikely that implementation of the GDPR will be affected in any significant way by Brexit. Those who provide goods or services to EU citizens, and who process data to do so, will need to comply with the GDPR whether or not the UK retains the GDPR post-Brexit (although the position is less clear where those goods or services are only provided to UK citizens). However, the UK Government has indicated it will implement equivalent or alternative legal mechanisms and, given the UK’s previous support of the GDPR, it is likely that it will largely follow the GDPR.[ii]
In fact, it is worth noting that the GDPR not only applies to those organisations located within the EU but also to organisations offering goods and services to EU citizens located outside of the EU or who hold personal data of those residing in the EU, regardless of the organisation’s location.
It is vital that all businesses that hold or use personal data are aware of the GDPR and the impact it is likely to have upon them, of the steps that they will need to take in order to comply and that those steps are taken BEFORE 25 May 2018. It is worth noting that in a recent survey of IT decision makers in the UK, Germany, France and the U.S. by Varonis Solutions Inc. [iii], a leading provider of cyber attack software solutions in the USA, it was revealed that:
- 75% of organizations indicated that they would struggle to be ready for the deadline,
- 42% stated that it was not a priority for their businesses, notwithstanding that those businesses could become subject to fines of up to 4% of global turnover or €20 million (whichever is greater) in the event of failure to comply,
while a staggering 90% or more of respondents saw challenges complying with GDPR by the deadline.
What does the GDPR Require?
The purpose behind the GDPR is to establish one single set of data protection rules across Europe so as to make it simpler and cheaper for organisations to do business across the Union.
In essence, the GDPR requires that those who are responsible for holding and using personal data take steps to ensure that the data is only used fairly and lawfully, kept secure, and used only for the purposes for which consent was given when it was obtained.
Mostly, it will apply to those to whom the DPA currently applies. That is to say, it applies to ‘controllers’ and ‘processors’ of personal data, where the controller is the person or organisation that says how and why personal data is processed and the processor is the person or organisation acting on the controller’s behalf. However, the GDPR places specific legal obligations on data processors – for example to maintain records of personal data and processing activities – which did not previously exist, without at the same time relieving data controllers of their obligations where a processor is involved. In fact, the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the GDPR.
As with the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition of what constitutes personal data is more detailed. For GDPR purposes, personal data means any information relating to an identified or identifiable natural person. Even information such as an IP address or the sending out of a cookie can constitute personal data if it is possible to identify the subject and link back to them – reflecting the ways in which technology has changed how information about people is collected. Even indirect information such as identification numbers, location data and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person is included.
In practice, this means that organisations that keep HR records, customer lists, or contact details that previously fell within the scope of the DPA will be subject to the GDPR, whilst many organisations that previously fell outside of the DPA will now find that they are caught – including those who store personal data that has been made ‘anonymous’ depending on how difficult it is to attribute any pseudonym to a particular individual.
Article 9 of the GDPR[iv] also refers to “special categories of personal data”. These categories are broadly the same as those in the DPA, with some minor changes, including special categories specifically including genetic data, and biometric data where processed to uniquely identify an individual.
The Six Principles
Article 5 of the GDPR[v] sets out the principles relating to the processing of personal data. These equate to the 8 principles to be found in the DPA. The six principles require that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to the data subject,
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes,
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject, and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, Article 5 requires that the controller shall be responsible for, and be able to demonstrate, compliance with these six principles.
When and How Can Data be Used?
So how can data be processed in practice? For processing to be lawful under the GDPR there needs to be a legal basis before personal data can be processed. These are often referred to as the “conditions for processing” under the DPA. It is vital that firms determine the legal basis for processing personal data and document it.
Article 6 of the GDPR[vi] provides that processing shall be lawful only if and to the extent that at least one of the following applies:
- there is consent from the data subject,
- it is necessary for the performance of a contract with the data subject or so that a contract can be entered into,
- it is necessary for compliance with a legal obligation,
- it is necessary to protect the vital interests of a data subject or another person,
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Article 6 goes on to provide that where the processing is for a purpose other than that for which the personal data was collected and is not based on the data subject’s consent or is a necessary and proportionate measure in law then the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Other Important Provisions
Aside from the change to the principles and the provisions as to processing data, what in practice are the main features of the GDPR?
- Penalties – one of the most talked about aspects of the GDPR is the draconian level at which the EU has set the penalties for breach. Penalties can be levied up to the greater of ten million euros or two per cent of global turnover for infringements of record keeping, security, breach notification and privacy impact assessment obligations. These penalties may be doubled for violations relating to legal justification for processing, lack of consent, data subject rights and cross-border data transfers.
- Consent – one of the changes which is likely to have the greatest impact is that of consent. The GDPR refers both to ‘consent’ and to ‘explicit consent’ (although the difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes).
For there to be consent under the GDPR there must be a clear affirmative action on the part of the person whose data is being processed. Implied consent arising from silence, pre-ticked boxes or inactivity does not constitute consent for these purposes. The definition in Article 4 of the GDPR states that consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
What is more, consent must be verifiable which means that some form of record must be kept of how and when consent was given.
Consent can be implied to the extent that it can be implied from the data subject’s relationship with the company. Thus, if a firm was providing services then it is assumed that the data can be used for the purposes of carrying out those services. However, it is not yet clear whether it can be implied that the data subject can be sent marketing emails from the organisation where the subject has not indicated they are happy to receive them. It may be that for that, explicit consent must be obtained.
A further factor to bear in mind is that individuals have a right to withdraw consent at any time. That means that any systems that an organisation has in place for recording consent in the first place must be sufficiently flexible to allow the organisation to remove details when requested to do so – possibly even for some specific purposes but not for others.
Finally, if the organisation has previously obtained consent, that can only be relied upon if the standard of that consent meets the new requirements under the GDPR and if not an alternative legal basis must be found or the organisation must cease or not start the processing in question.
- Managing Risk – Every organisation will need to implement a risk-based approach to privacy and must, where appropriate, implement controls which take account of the degree of risk associated with a particular data processing activity. This may require the organisation to carry out privacy impact assessments, put in place data protection safeguards (which must be designed into products and services from the earliest stage of development), adopt privacy-friendly techniques such as pseudonymisation and generally ensure that systems are sufficiently robust and flexible to allow for opting out by data subjects. This will be looked at shortly in the section dealing with what firms must think about going forward.
- Data Protection Officers – an area which is unlikely to affect most law firms, but which may be relevant to larger law firms or their clients is that of the appointment of Data Protection Officers.
Data Protection Officers must be appointed for all public authorities, where there is regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like). An earlier proposal that it should apply to all organisations with more than 250 employees was dropped.
Article 39 of the GDPR[vii] states that the data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority; and
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- Information when Obtaining Data – The GDPR also sets out the areas of information that must be made clear to data subjects when data is being collected. These include:
- the identity and the contact details of the organisation seeking the data;
- the reason the data is required and the uses to which it will be put;
- the legal basis of the processing and, where relevant, the legitimate interests that the organisation or a third party are pursuing;
- who will be receiving the personal data and whether or not the organisation intends to transfer the personal data internationally;
- for how long the personal data will be stored, or if not known the criteria used to determine that period;
- the fact that the data subject has a right to access, rectify or erase the personal data, the right to portability of the data and the right to withdraw consent at any time;
- the right to lodge a complaint.
A few of these points are worth further clarification.
- So far as access to the data by the data subject is concerned, the GDPR makes it clear that the reason for allowing individuals to access their personal data is so that they can be sure the data is being used lawfully. The organisation using the data must provide a copy of the information free of charge (the £10 subject access fee under the DPA having been removed). However, smaller organisations will be able to make a charge for providing access where requests are either unfounded or excessive. Where a legitimate request is made, it must be carried out “without undue delay and at the latest within one month of receipt of the request.”
- The right to data portability has yet to be fully clarified but will probably apply to a right for the data subject to have their information sent between providers of services such as banks, utilities companies and telecoms providers.
- The right to be forgotten – data subjects need to be told for how long their information needs to be kept. Once that date has elapsed, the subject can apply for the data to be removed and erased – placing duties upon those controlling the data to ensure that any third parties who have been provided with the data do likewise.
- Children – Where services are offered directly to a child, then there is a duty to ensure that any privacy notice is written in such a clear and plain way that a child would be able to understand it. If the service is an online service then the organisation will need the consent of a parent or guardian to process the child’s data. The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles and it is not intended that parental/guardian consent be required where the processing is related to preventative or counselling services offered directly to a child.
- Security – Article 32 of the GDPR provides for security. It states that the controller and the processor shall implement appropriate (by reference to the organisation) technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” must be reported “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, and if this cannot be done then the controller must provide a “reasoned justification” for the delay. However, notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”
In the event that the controller believes the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” then information must also be given to the affected data subjects “without undue delay”, although this may not apply if the controller has “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”.
What are the Likely Practical Implications for Solicitors’ Firms?
Clearly, the GDPR is going to have a significant effect on many businesses – especially those who rely on obtaining, processing and utilising large quantities of data – for example companies who carry out large-scale marketing activities, telecoms providers, multi-nationals, online and social media providers and the like. Solicitors, on the other hand, are in all likelihood going to be less affected by the changes as most are already subject to the provisions of the DPA and already abide by regulatory provisions contained in the SRA Code of Conduct – such as Outcome O(4.5) which requires firms to have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks, Outcome O(7.5) which requires that you comply with legislation applicable to your business, including data protection legislation and Chapter 6 which requires that firms act in the client’s best interests when referring clients to third parties.
Clearly, larger firms and firms that engage in national marketing are more likely to be affected by the GDPR changes. That said, however, there will be implications for all solicitors, whatever their size.
So far as the six data principles are concerned, these are, as we have commented, very similar to the principles in the DPA and so firms will simply need to make sure that they continue to:
- process data fairly and lawfully and not further process it for incompatible purposes. Thus, firms must not provide the data they collect to third parties for marketing purposes (which would, in any event, be a breach of Outcome O(4.1) requiring them to keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents) and must treat clients fairly – as is required in Outcome O(1.1);
- only collect the data they specifically need – this might be difficult in some cases, especially where the scope of a retainer is unknown – so firms might want to review what data is being collected by staff on a regular basis and review whether it is all relevant and necessary;
- ensure that the data they hold is accurate and up to date. This may mean firms having a policy of contacting the client with the data they hold and checking that it is still current or alternatively giving the client access to a protected system where they can go and check their own data and make amendments as necessary;
- keep data in such a way that permits identification of the data subject – this may mean ensuring that the firm has a central register of clients that contains details of the existence of and whereabouts of files and documents relating to that client.
- ensure that data is kept secure. Again, this is something which is repeated in the outcomes dealing with confidentiality and at Outcome O(1.2) – you provide services to your clients in a manner which protects their interests in their matter – and Outcome O(7.5) – that you comply with legislation applicable to your business, including data protection legislation.
Although most law firms will not need to appoint a DPO, nevertheless it is good practice to appoint someone whose responsibility it is to take the lead on data protection. This person should:
- be aware of the legislation, regulations, guidance and relevant case law and keep abreast of changes,
- be responsible for informing the relevant authorities of any breaches or issues,
- keep the notification up to date and renew annually any licences,
- audit the use of personal data, how it is stored and when it ceases to be needed (note the GDPR provisions in relation to this),
- manage appropriate policies and procedures (see below as to what will be required under the GDPR), and
- act as a central point for other members of the firm who may have data related issues.
Firms might also want to give thought to the overlap between the requirements of GDPR and issues such as the keeping and storage of files containing client data and the ownership of files.
Firms will also need to look at the methods by which they gain client data and need to make it clear to clients how the data is to be used, how long it is to be used for (including, for example, keeping files after the end of the retainer) and to whom the information provided will be given. Bear in mind the points in the “Information When Obtaining data” section above.
Finally, firms need to think about the uses to which client data is put. For example, firms might want to consider whether utilising client details for the purposes of marketing other services comes within the legitimate use of that data.
What Firms Need to Consider Going Forward
The final issue to be considered here is what firms need to be doing going forward to ensure that they are compliant in May 2018.
If firms are going to be ready for GDPR then they need to implement a five-stage process of:
In other words, firms need to:
- Make sure that key personnel are aware that the law on data protection is changing and that steps may need to be taken in order to ensure that the firm is compliant. This may involve training managers, department heads and those responsible for collecting, handling and managing data.
- Carry out an inventory of all data held by the firm: where it came from, why it was collected, who has access to it, with whom it is shared, whether it is up to date and whether it is still needed. This means ALL data, not just the obvious. Thus, it includes electronic and paper files, accounts system records, address books, marketing lists of email and physical addresses, information stored on the web, and deeds and wills the firm holds.
- Undertake a review of all privacy policies within the firm and where necessary update them. Ensure that staff are aware of these and are trained as necessary.
- Consider the new rights that the GDPR gives and ensure that the firm’s policies and procedures address these.
- In particular, consider how the firm will handle requests for information about the data held within the prescribed time-scales and how the firm will deal with issues such as the right to be forgotten.
- Review how the firm currently gets consent (where it is necessary) and the information that is supplied to clients at that time.
- Review the robustness of data security provisions within the firm paying attention to issues such as files being taken out of the office, loss of data on laptops, BYOD, mobile devices, cyber security, the ability to withstand technology failure and all of the other risks associated with data retention.
- Consider how the firm is to market itself going forward if it deems that the use of client data for such purposes is unacceptable.
- Where weaknesses are identified, put in place solutions which will remedy those defects.
- Implement and then monitor all plans taken.
Whatever the final terms of Brexit, it is almost inevitable that the UK will, by next May, have a data protection regime that is not far removed from the provisions of the GDPR. They will, in any event, apply to the UK from May 2018 until formal Brexit and, so far as EU citizens are concerned, will apply in any event.
The risks of not complying are sufficiently great that firms would be foolish to ignore the regulations – especially as doing so will put them in breach not only of the GDPR but also of the SRA Code of Conduct.
Given that firms must comply now with the DPA, the incremental demands of the GDPR should be attainable provided that firms make a start now.