The new data protection law, the GDPR, significantly raises the stakes for compliance. Solicitors are not exempt, and we report on a Society CPD seminar designed to help them prepare.
A headline maximum fine of €20 million for regulatory non-compliance should make any business sit up and take notice, you might think. But with only six months left of the two-year countdown period to tough new data protection laws coming into force (that’s fewer than 130 working days), it seems that many, legal practices included, have been slow to take seriously the implications of the GDPR.
Perhaps the General Data Protection Regulation, to expand the acronym, has been regarded as merely a rewritten version of our Data Protection Act. True, the existing data protection principles in effect continue, but the rights of data subjects have been widened, and the control and enforcement mechanisms are much strengthened. Perhaps there has been some Brexit effect: as an EU regulation, will it really apply here? It will, having direct effect from 25 May 2018, and under the European Union (Withdrawal) Bill it will then become part of domestic UK law after Brexit day. In addition, if UK businesses want to continue to hold and process data relating to EU customers and contacts, as they inevitably will, our law will have to continue to comply with EU standards, or risk falling foul of litigants such as Max Schrems, the Austrian law student who won the “Safe Harbor” ruling against the transfer of his personal data by Facebook to servers in the US, because of the lack of protection there from government surveillance.
The UK Government has introduced a new Data Protection Bill covering areas such as national security which the GDPR allows to be determined by national law. This bill also defines what is to be regarded as a public body or authority where that is relevant for GDPR purposes – basically one covered by the freedom of information legislation.
So there is no question but that the GDPR is coming. What difference will it make in practice, and what should legal firms do to prepare? The Law Society of Scotland has been offering CPD on the subject, led by Tim Musson, convener of its Privacy Law Committee, who runs his own data protection and information security consultancy. This feature is based on his most recent day seminar.
It's about people
It is worth highlighting that human rights principles underpin data protection law, as article 1 of the GDPR makes clear at the outset: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
In GDPR language, those who work with personal data are classed as either “controllers” or “processors”, with lesser (but still strict) obligations, and penalties, applying to the latter. Solicitors will for the most part be data controllers, in that they determine the purposes for which and means by which the data will be used. Processors by contrast are those who carry out functions on or with data under instructions of the controller, perhaps cashroom support, your cloud provider or indeed IT support depending on their role. Joint controllers are recognised, making it vital to have an agreement in place that ensures obligations to data subjects can be met. Depending on the relationship, a payroll provider could be a joint controller with an employer.
As “personal data” includes any information relating to an identifiable natural person – identifiable by any means, such as a unique reference or a mobile phone number – and “processing” covers pretty well anything you might conceivably want to do with the data, including its erasure or destruction, the GDPR can be seen to be all-embracing in its scope.
When is it legal?
One myth should be busted: that you must have people’s consent before you can process their personal data. Consent is only one of six grounds for legitimate processing set out in article 6, the others in essence being where the processing is necessary:
- in relation to a contract (though “necessity” is a somewhat elusive concept here, Musson comments);
- for the data controller to comply with a legal obligation, e.g. in relation to HMRC;
- to protect the vital interests of the data subject or another individual;
- for the performance of a task carried out in the public interest; or
- for the legitimate interests of the controller (for example debt collection), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
“Data protection does not stop you doing the right thing!” Musson emphasises, recalling cases of child protection failure where this has been an issue.
By article 9 a higher standard applies to the special categories of data, which broadly overlap with the characteristics protected by discrimination law (racial or ethnic origin, religious belief, health, sexual orientation and the like). Here “explicit consent” is required, unless one of various more closely defined instances of necessity applies. Criminal convictions, separately provided for in article 10, will effectively be made subject to the same regime by the UK bill.
Who is in charge?
Whether to appoint a data protection officer (DPO) is a key question exercising the minds of law firms. It is an urgent one too. Suitably qualified individuals are already much sought after, and may be virtually unobtainable come next May. Who, then, actually needs one?
By article 37, data controllers, and processors, must have a designated officer if (in brief):
- they are a public body, defined as noted above; or
- their processing operations require regular and systematic monitoring of data subjects on a large scale – probably more relevant to private hospitals, or banks on the lookout for money laundering; or
- their core activities consist of large scale processing of the article 9 or 10 special categories of data, i.e. including data relating to criminal convictions.
This last bullet point is the tricky one. Sole practitioners are exempt, being specifically excluded as “large scale” processors by recital 91 in the GDPR’s extensive preamble. Ten or more fee earners, in Musson’s view, would be caught depending on the type of work carried out. But we are talking about individuals’ data, so a purely corporate practice has less reason to worry. At higher risk are those in criminal, family, employment or HR, increasingly so the more fee earners in the practice.
Musson’s advice is to carry out a risk analysis. How long do you keep information? Of what type? If in doubt, you probably should have one.
The DPO’s function (article 39) could be compared in some ways to a firm’s money laundering reporting officer, being an advisory rather than a “doing” role. It includes keeping employees right as to their GDPR duties, monitoring compliance and acting as the contact point with the ICO. But independence is important and conflicts of interest to be avoided, which according to Musson rules out fee earners, as well as certain managers such as marketing. Except in large organisations it probably is not a full time position – but given that the necessary skills and expertise include data protection law and practice, particularly the GDPR, as well as an understanding of IT, data security and the processing operations carried out by the organisation, he believes that in practice it will need to be outsourced to a consultant rather than carried out along with another role. But better, he adds, for this to be a corporate body on which due diligence can be carried out.
Rights to get right
What is the compliance regime there to ensure? Data security, obviously, but that is only part of the story. Data subjects – the individuals whose data you hold – have a number of important rights (GDPR, chapter 3), building on the present law:
- access to their data, along with information on why it is being held, for how long, and on their rights in relation to you as data controller;
- rectification, without delay, of inaccurate and (within limits) incomplete data;
- to object to processing under the public interest/legitimate interest justifications set out above (unless the controller has compelling legitimate grounds to override this), or to processing for direct marketing purposes;
- erasure of data no longer necessary to the original purpose, or in certain other circumstances;
- restriction of processing in certain cases of dispute;
- to require some human intervention so as not to be subject to a decision based solely on automated processes;
- data portability – a new right likely to impact on banks and utility companies, but for which Musson proposed possible further uses such as obtaining a supermarket’s records of your purchasing habits for use elsewhere.
He emphasises the importance of getting this aspect of compliance right: if one of your more difficult clients makes a subject access request, and you fail to meet the one-month deadline, a complaint to the Information Commissioner’s Office could prompt the ICO to start asking about all aspects of your compliance systems.
But data security is obviously key. The GDPR standard (article 32) is “technical and organisational measures to ensure a level of security appropriate to the risk”, taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.
Those measures may include pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore access to data promptly after an incident; and regular testing and evaluation of how effective the measures are.
Musson told us of a recent security test he carried out with one company, by sending a bogus email containing a suspicious link: within 15 minutes, 16 out of 110 employees had clicked on it. Had the email been a real phishing attack, each click could have handed over login credentials or installed malware, leaving the business wide open to cybercrime. “And the number of times I’ve seen someone repeatedly sending a fax to the same wrong number...”
This year’s WannaCry attack, which affected the NHS among many other organisations globally, did the more damage where organisations were still running unpatched or unsupported software such as Windows XP. Was the ICO being lenient in not penalising them for not having appropriate technical measures in place? Staff training, industry or professional regulator standards, and an organisation’s practice in carrying out risk analysis could also all be relevant in deciding whether appropriate measures were in place.
Check out also article 35, on “high risk” operations for which an impact assessment should be carried out: new IT systems, or new operations on data held, might be caught.
Steps to compliance
How to prepare for next May? First, designate a “board level” person as GDPR champion, Musson counsels – not to do everything, but to make sure it gets done. If they are not to be a DPO, call them something else.
They can drive GDPR awareness within the business, along with any official guidance, though bearing in mind that this is going to be slow to appear.
Meantime an audit should be carried out of personal data held. What is it, how is it collected and where is it stored? What is your legal basis for processing? (Document this.) In particular, how long are you keeping it for and how is this monitored? Who has access to it, and is it shared externally?
It’s better if you have a legal basis other than subject consent, but if it is consent, as with a marketing database, check this is GDPR compliant. (Wetherspoons deleted their whole marketing database and started again; Flybe did a mass emailing seeking consent, knowing it would go to too many people, but reckoned the £70,000 ICO penalty this attracted was worth it.)
Also important is to know in advance who should be told if a breach occurs (sooner or later it will). Which leaks would have to be reported to the ICO, within the 72 hours that article 33 allows? And which would have to be notified to all the individuals affected as well, as article 34 requires where the breach is likely to result in a high risk to them? Working this out in advance will make complying with post-breach obligations far easier.
Check your privacy notices; review any data processor contracts; and have procedures in place to comply with data subject rights: delivery of access requests within a month (covering the information set out in article 15); correction of inaccuracies; erasure; portability; marketing compliance.
Could encryption reduce your notification requirements? It can: article 34 excuses notifying the individuals affected where the data were protected by measures, such as encryption, that render them unintelligible to whoever now holds them, though the breach may still have to be reported to the ICO. Musson regards this as crucial: “Do it if you possibly can,” he told the seminar. If you carry others’ unencrypted personal data on a memory stick, phone or laptop and it is lost, “you will be hammered” by the ICO. Look at your options. Can you encrypt attachments if not emails? The Society has adopted Egress Switch to send secure emails, to read which you need to set up your own account (an online procedure).
Review your need for a DPO, and if outsourcing is your solution, “Do it sooner rather than later. They will be overwhelmed!”
And, of course, there is staff training. It’s essential, and it’s what the ICO will look for if they become involved.
This is inevitably a condensed, and selective, account, but one that we hope provides some pointers to action that may be necessary for a little more peace of mind in relation to personal data within your organisation.
I am grateful to Tim Musson for reading over a draft of this article and making suggestions for improvement. Responsibility for its content remains with me.
There appear still to be some people who believe that keeping information on pieces of paper in a box will keep you out of the clutches of this law. Not so. “Processing” is defined as any operation performed on personal data, “whether or not by automated means”, and the GDPR applies to manual records whenever they form, or are intended to form, part of a filing system (article 2).
Where processing is based on consent, the controller must be able to demonstrate this consent (article 7); it must be “freely given”, which gives rise to questions of power imbalance (between an employer and its employees, for instance).
The GDPR contains new provisions (article 8) to enhance the protection of children's personal data; the UK bill makes provision (with separate provision for Scotland) regarding age and capacity to exercise a right or give consent.
“Plan, don't panic”: blog by Tim Musson with links to useful resources.