Data protection law has recently been updated by Europe and will be in place in less than two years. Despite the Brexit vote, businesses and organisations need to note the numerous changes as the penalties for breaches will be severe and adjusting to the new rules will take time.
The European Union’s General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states of the EU from May 2018. Firms have a choice. They can either take the GDPR seriously and use it as an opportunity to review their approach to data protection or they can hope it goes away – which it won’t.
But a question arises: now that we are scheduled to leave the EU, will the GDPR still matter? The answer is yes. We will still be an EU member state when the legislation comes in, and once we leave the EU it will be in the UK's interest to have something equivalent to the GDPR for trading reasons.
Take the law seriously
The GDPR is not a monster but it needs to be taken seriously. This is because changes will be required, and if the required changes are not made then companies risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to 4% of annual worldwide turnover or €20m (whichever is the greater). This is markedly higher than the £500,000 that the Information Commissioner can levy now.
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person's rights in respect of their personal data and is built upon eight data protection principles. These are all common sense and require that personal data is:
- Processed fairly and lawfully
- Obtained and used for specified and lawful purposes only
- Adequate, relevant and not excessive in relation to their purposes
- Accurate and up-to-date
- Not kept for longer than is necessary
- Processed in accordance with the individual’s rights
- Kept secure
- Not transferred outside of the EEA without adequate protection
Apart from these there are other critical points to note about the present regime.
The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them (there are, however, a limited number of exceptions).
It’s also worth noting that if an organisation fails to answer its obligations under the DPA then they can be fined up to £500,000 by the Information Commissioner – and fines are being levied. The majority of fines are imposed because of security breaches and usually the security breach is a consequence of a failure to take data protection seriously.
So, what should firms be doing to plan ahead?
Decision makers should know what is coming over the hill. This will give their firm time to get ready - the GDPR should act as a catalyst for a review of current data protection practices. Those that leave the critical preparation until the last minute could find that there is a real danger that they won’t be compliant in time.
An extremely useful starting point is to review what personal data is held, why it is held, where it was obtained from, what privacy notices exist and who personal data is shared with (and why). Under the GDPR, firms that discover that they have shared inaccurate personal data are required to inform the organisation they shared it with of the inaccuracy. But, of course, this cannot be done unless they know what data is held in the first place.
It’s very important that organisations take the opportunity to review any data protection policies they have and consider what, how and who keeps policies up to date. The GDPR requires “data protection by design” and operates on an "accountability principle" which will require firms to show how they comply by, for example, having effective policies and procedures.
Rights of the individual
Individuals need to know what is going to be done with their data, and who it is going to be shared with. A privacy notice tells people about this and is often found on a company's website or is presented to an individual when their personal data is collected, such as during the order process. Under the GDPR there is additional information which must be provided. Firms will need to tell data subjects (users) the legal basis for processing their data, the data retention period, and of their right to complain to the Information Commissioner. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.
Under the GDPR individuals still have the right to know what information is held about them but they will also have rights to have inaccuracies corrected, to have information erased, to prevent direct marketing and a right to data portability (because of this firms will have to provide data electronically). These rights are enhancements to existing DPA rights. If a firm is compliant with the DPA then they should not face any great difficulties. They should test how able they are to locate and delete data as well as who in the organisation would take these critical decisions. The bottom line here is that firms must have procedures in place to take individuals' rights seriously.
Presently, firms have 40 days to respond to a subject access request but under the GDPR this will drop down to a month. There are also some changes to the grounds for refusing a SAR (including that the need behind the request is manifestly unfounded). Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information such as data retention periods and the right to have inaccurate data corrected. These additional requirements could cause considerable logistical problems if an organisation handles a significant volume of SARs.
Consent for data processing
One of the most challenging areas under the DPA is that of “consent”. Consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon “implicit consent” then it must be ready to deal with a challenge as to how unambiguous the consent was. It may be that consent can be properly inferred but the need to be ready for a challenge is important.
Further, if an organisation collects information about children (in the UK this will probably be those under 13) then it will need a parent's or guardian's consent. This will need to be verifiable, and, of course, the language used in the privacy notice must be capable of being understood by children.
There is presently no general obligation to report data breaches (although it may be tactically worthwhile to do so). The GDPR radically changes this and creates an obligation to report, within 72 hours, data protection breaches which could cause harm to an individual. Firms should consider how they would deal with this new obligation. They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met?
We’ve seen that there are certain key expressions in the GDPR such as "Data Protection by Design", "the Accountability Principle", "Privacy by Design" and "Data Minimisation". But there is one particularly important expression which brings with it a specific obligation - "Privacy Impact Assessments" (PIAs). These are required where there is a significant change in the processing of data and in particular where there is a risk to data subjects, that is, individuals.
While it is mainly public bodies that need to appoint a Data Protection Officer under the GDPR, it also makes real sense for any business or organisation affected by data protection to make sure that it complies with the DPA and GDPR. The best way of doing this is to designate a capable, interested person with the responsibility for ensuring that the obligations are met.
So to conclude, the GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan ahead and who choose to follow their obligations should have little to worry about.
Andrew Gallie is a senior associate at Veale Wasbrough Vizards specialising in information and data protection law.
Panel: The sector gets hacked
Acer, a Taiwanese multinational hardware corporation, reported in June 2016 that it had to notify users who accessed its e-commerce site between 12 May 2015 and 28 April 2016 that their information may have been compromised due to unauthorised access by a third party.
The company is not saying how many users were affected by the intrusion but said that data such as names, addresses, payment card numbers, card expiration dates, and three-digit security codes may have been compromised. The affected customers were all in the US, Canada and Puerto Rico.
Following an investigation Acer stated that they didn't find any evidence of the attacker gaining access to user login credentials. The company took steps to fix the issue, and later notified the credit card payment processor.
June also saw the GoToMyPC service the subject of a “very sophisticated password attack”. Citrix, the firm behind GoToMyPC, advised all users of the service that it had reset their passwords. The company didn’t offer further details about the attack; instead, it simply gave customers advice on how to create strong passwords and encouraged them to set up two-factor authentication. The service is only the latest in a long string of hacking attacks on prominent tech companies. In May hackers released tens of millions of log-in credentials stolen from MySpace and Tumblr.
And as if to prove the point that no one is invulnerable, it's worth noting that security firms have also been hacked. In June 2015 Kaspersky revealed that it believed a nation state had been behind an attack on its systems that sought to spy on the company's technologies. The same month saw LastPass, a third-party holder of multiple user passwords, having to deal with an attack. While encrypted user data was not stolen, the intruders did take LastPass account email addresses, password reminders, per-user server salts, and authentication hashes.
And in January 2016, Cyberoam, an Indian security firm, had to reveal that it was hit at the end of 2015 with a hack that resulted in the leakage of a database containing customer and partner personal details, including customer names, phone numbers, email addresses and company names. A security researcher encountered a hacker on the dark web who was willing to sell the database for 100 bitcoins, worth roughly £30,000. Cyberoam was acquired by UK cyber security firm Sophos in 2014.