Data Protection & Reform - What You Need To Know
Data protection reform, underpinned by the General Data Protection Regulation (GDPR), means that not only must your business operate and use personal data in line with established data protection principles, you must now also be able to demonstrate legal compliance to the Information Commissioner’s Office (ICO) and to consumers and employees whose personal data your business uses.
The new regime requires a more accountable approach to data protection and privacy involving organisational measures and procedures to ensure compliance, transparency and responsiveness in the face of a personal data breach or a request from an individual data subject to enforce rights.
GDPR brings with it new and significant enforcement rights meaning that compliance must be prioritised by all businesses. The ICO’s powers to fine businesses that breach data protection laws have been increased from a maximum of £500,000 to 20 million Euros (or higher for large companies). Enforcement powers also include the ability to restrict data processing resulting in loss of profits and individual data subjects also have bolstered rights under the legislation.
Reform is an opportunity to focus on data protection, improve business processes and get the most from your information asset. Those businesses which can demonstrate an informed and intelligent approach to data protection will gain reputational and commercial advantages in a time where consumers and workers are wary of cyber-crime, identity theft and other risks faced as a result of an economy based on information and technology.
Our data protection solicitors have over 20 years’ experience in dealing with data protection laws. Our experts have keenly followed the progress of reform in this area acknowledging data protection as a key area of compliance for all businesses. Our experts are experienced and knowledgeable and work with clients of different sizes and sectors to provide effective, proportionate and affordable compliance solutions.
How We Can Help
General Data Protection Regulation (GDPR) and Data Protection Reform
The much anticipated GDPR has been in force in the UK since 25th May 2018 and is supplemented by the new Data Protection Act 2018.
Reform is a response to advances in technology, the way business uses technology and data and the consequential privacy risks for consumers and employees. GDPR represents the biggest shake-up in the data protection arena in 20 years, introducing stringent compliance requirements and tough penalties in the event of breach of data protection principles.
Myerson has developed Data Protection Audit and Review - a tool to evaluate your data processing activity and review your current practices and procedures and their adequacy under the new regime.
Data Subject Access Requests
Individual data subjects (consumers and employees) have a number of individual rights under data protection legislation.
In addition to data subject access requests, individuals have the right to request that personal data held or processed about them is corrected, restricted or erased. Increased public awareness through public campaigns, together with new requirements to issue detailed privacy information to individuals, is likely to result in an increase in the exercise of such rights.
Responses to such requests must be provided free of charge, promptly and with the correct privacy information. Such rights are not absolute, and caution must be taken so as not to unnecessarily compromise commercial interests or the privacy rights of third parties. An internal protocol on how to handle such requests can be a useful tool to avoid delay, wasted time and risk.
Myerson can provide advice and assistance in developing an appropriate protocol or procedure to ensure that responses to such requests are compliant, timely and consistent. We can also provide guidance and assistance in responding to such claims, providing advice on the appropriate response, applicable exemptions and the required privacy information.
Big data describes a massive volume of both structured and unstructured data that is so large it is difficult to process using standard database and software methods. It has been described in The Gartner IT glossary as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making”. Big data:
- uses massive, diverse, complex, longitudinal, and/or distributed datasets that are generated by, or collected from, a variety of different devices, sensors and transactions (volume);
- brings together data from different sources, both structured and unstructured (variety); and
- is processed quickly, often exceeding current processing capacity (velocity).
As big data is a burgeoning phenomenon, the legal framework is quickly developing to try to keep up with it and manage compliance with data protection laws. The Information Commissioner’s Office (ICO) published a report on big data in the UK in 2014 which is a useful tool for understanding big data and your obligations.
Although much of big data is not personal data (for instance world climate and weather data) there are examples where big data analytics include the processing of personal data (for instance data from monitoring devices on patients in clinical trials, mobile phone location data, data on purchases made with loyalty cards and biometric data from body-worn devices). As such, the authorities have decided that big data should fall within the scope of data protection laws and therefore must comply with the eight data protection principles.
Businesses processing big data should:
- Abide by the rules of fairness and transparency and meet the reasonable expectations of the data subject in processing data;
- Explain the benefits of analytics to the data subject and obtain prior consent;
- Collect and use data for specified, explicit and legitimate purposes;
- Ensure that the collection and use of data are adequate, relevant and not excessive, and that data is not kept longer than is strictly necessary;
- Anonymise data;
- Respect the rights of data subjects; and
- Consider carrying out a privacy impact assessment to assess how big data analytics is likely to affect individuals whose data is being processed and whether such use is fair.
Data Protection Audits
The introduction of GDPR in May 2018 represented a significant evolution in data protection laws and a sea-change in terms of compliance requirements.
Myerson has developed a number of audit-based tools which can be adapted to suit most organisations and budgets in order to identify gaps in compliance. Our audit approach will provide a roadmap for your organisation to follow for the purposes of supporting and demonstrating that appropriate measures have been taken in relation to GDPR compliance.
Data Protection & Marketing
Data protection laws in the UK are supplemented in the context of electronic marketing by the Privacy and Electronic Communication Regulations (PECR).
Those organisations engaged in marketing initiatives using telephone, email and text as a route to market are strongly advised to ensure that marketing activities (particularly those aimed at consumers) do not breach these rules.
Putting aside enforcement action in relation to personal data security breaches, breaches of PECR are the most common breaches subject to enforcement action by the regulator, the ICO. In addition to reputational damage through being named and shamed for breach of the rules on the ICO website and in the general press, fines for breaching these rules can be significant.
Data Protection & HR
Employers of all sizes are legally obliged to collect and use certain categories of personal data relating to their employees and most likely hold significant amounts of personal data in their personnel records.
Such personal data is likely to include sensitive personal data (or special categories of personal data) as well as highly confidential data about their employees and other workers.
It is essential that human resources managers ensure that the data protection principles are observed in relation to the use of personal data relating to job candidates, employees, workers and leavers.
Key areas for consideration include:
- What privacy provisions should contracts of employment include?
- What privacy notices should be issued to candidates and employees?
- What data protection policies should we have in place?
- How should we deal with health records?
- How should we deal with diversity and equal opportunity monitoring?
- How should we deal with reference requests?
- How do we ensure payroll information is secure?
- How should we share information with benefit providers?
- How do we respond to an employee subject access request?
- What records should we keep in relation to leavers?
- What data protection training should we provide to our employees?
Our data protection solicitors can help your human resources manager ensure that personnel records and HR processes and documentation are GDPR compliant. We are also experienced in guiding clients through the difficult process of properly responding to employee data subject access requests, particularly in the context of grievances and disputes.
For more information, please read our blog guide Data Protection for HR Teams - Top Ten Tips, presented by Joanne Henderson.
Training for Data Protection Officers, directors and managers
Certain organisations have a statutory requirement to appoint a data protection officer and to ensure that the Data Protection Officer has enough knowledge, experience and resources to properly perform the role. We can offer advanced training on data protection for office holders to assist in satisfying statutory requirements. Our training courses may also be appropriate for Data Protection Managers and other senior managers or directors who have responsibility for data protection matters.
Staff Training: As with all areas of required compliance, the adoption of policies and protocols are of very limited value without proper implementation through communication and training. Myerson offers a range of staff training packages which can be tailored to suit your requirements and internal policies and procedures.
Data protection law requires organisations to demonstrate compliance.
This can be difficult to achieve without having in place appropriate policy documentation and written protocols or operating procedures which evidence understanding and promote adequate data protection practices.
All businesses should consider and review whether there is in place adequate documentation to reassure both the regulator, consumers, employees and third parties that appropriate measures have been put in place to ensure compliance. Many third parties and business partners through their own due diligence will require a statement confirming compliance in order to enter into or continue commercial relationships.
What are the data processing recordkeeping requirements?
Most businesses will be required to keep a formal record of their regular data processing activities. The much talked about small employer exemption is narrow and in any event, it will be difficult for a business to demonstrate compliance if it does not hold an inventory of the personal data it holds and processes. A data processing record must include, amongst other details, full details of the categories of data processed, the basis for such processing and details of security measures in place.
What privacy notices must be issued?
All data subjects about whom your business processes personal data should be issued with a formal Privacy Notice which is compliant with GDPR requirements. Such notices include details of the processing, the purposes of it and the legal basis for it, retention periods and details of the data subjects’ rights. Privacy Notices should be included in employee documentation and consumer terms and conditions, and included on your business website.
Terms and Conditions
Terms and Conditions with Data Processors: GDPR imposes mandatory obligations to enter into contractual terms where a data controller uses the services of a third-party data processor, for example, a provider of IT services. Identifying whether an organisation is acting as a data controller or a data processor can be difficult and is often misunderstood, but it is an important distinction to draw potentially affecting the responsibilities and liabilities of parties to a commercial arrangement.
Data processing terms must satisfy specific requirements in order to comply with the legislation. Myerson can provide appropriate documentation or review and advise on documentation issued by third parties. Organisations should be wary of agreeing to terms which erroneously identify the responsibilities of respective parties or which seek, inappropriately, to shift responsibility and liability.
Terms and Conditions with third parties: Beyond strict obligations for contractual regulation between controllers and processors, it is generally appropriate for organisations that choose to share personal data to ensure that measures are taken to ensure shared data is processed without undue risk.
Due diligence in relation to data protection standards adopted by business partners and other third parties is an appropriate measure towards compliance. Data sharing agreements are best practice to ensure that parties understand their respective responsibilities and liabilities. Myerson can advise on what approach and documentation are required in relation to the specific data sharing arrangements supporting your business activities.
Terms and Conditions with consumers must incorporate appropriate Privacy Information or refer to a compliant Privacy Notice.
Perhaps the most important data protection principle is the principle that personal data must be kept securely.
In a digital economy increasingly dependent on technology and an ever-growing risk of cyber-attack the challenge for organisations in relation to data security must be of the highest priority.
IT solutions and standards, such as Cyber Essentials, are fundamental aspects of data security, but the most significant security risk is typically within an organisation, often through human neglect or error. It is therefore essential that organisational measures such as appropriate policies and staff training are implemented in addition to having in place appropriate technical security measures.
We can advise you on the standards of data security expected by the regulator and provide appropriate information security policy documentation and staff training in relation to the importance of data protection (including data security).
We can also provide assistance in relation to how to respond in the event of a personal data breach.
Personal Data Breaches
A very significant proportion of data protection enforcement action taken by the regulator, the Information Commissioner (ICO), relates to security breaches.
The data protection regime requires data breaches to be recorded and, where there are risks to individual data subjects, there is a requirement to report breaches to the ICO and sometimes to the affected individual data subjects.
The legislation requires prompt action, with a requirement to report material breaches within a challenging 72 hours. We recommend that organisations put in place protocols or procedures to ensure an appropriate and timely response to personal data breaches and to demonstrate a responsible approach to compliance.
We can also advise in the event of a personal data breach on reporting requirements and procedures.
Data Processors are organisations that provide data processing services, particularly IT-related services, to Data Controllers, where the Data Controller specifies the purpose for which and the manner in which personal data are processed.
Both Data Controllers and Data Processors have compliance obligations under data protection legislation but the obligations for Data Controllers are more onerous. Determining whether an organisation is a Data Controller or Data Processor can be difficult but is an important distinction. Myerson can advise you about whether you have responsibilities under the legislation as a Data Controller or Processor and what the implications are.
Data Protection legislation includes a mandatory requirement for specific terms and conditions to be put in place where a Data Processor provides relevant services to a Data Controller. The required contractual terms must cover important points specified in the legislation including terms relating to data security measures, confidentiality and subcontracting. Such arrangements can sometimes be complicated by the fact that Data Processors can often be located outside of the EU, in which case the special rules on cross-border transfers may apply.
Myerson can assist in relation to putting appropriate contractual terms in place or advising on data processing terms proposed by third parties.
There are no other mandatory requirements for terms and conditions to be put in place, but the regulator requires as a matter of best practice appropriate due diligence of third parties with which personal data may be shared as well as appropriate data sharing agreements.
Cross Border Transfers
In a global economy, many organisations will regularly transfer personal data outside of the EU, sometimes unwittingly, for example where suppliers such as IT providers or cloud computing services are based outside of the EU.
Data protection laws prohibit the transfer of personal data outside of the EU unless appropriate safeguards are put in place in order to ensure that the personal data is processed in a lawful and secure environment. This issue can be particularly relevant to organisations which are members of a multi-national group or where its business partners or suppliers are based outside of the EU.
Relevant safeguards can include adequacy arrangements approved by the EU such as the US-EU Privacy Shield, Binding Corporate Rules approved by relevant supervisory authorities and the inclusion of Model Clauses in binding agreements between the relevant parties.
We can advise your organisation on the requirements for safeguards and provide you with appropriate documentation to ensure compliance.
Meet Our Specialists
Home-grown or recruited from national, regional or City firms, our specialists are experts in their fields and respected by their peers.
Jo is a Partner in both our Employment and Compliance Teams
Carla is a Partner and Head of our Commercial Team
Terry is a Senior Associate in our Corporate Commercial Team. Terry is also the Head of the Brexit Team at Myerson.