It is a truth universally acknowledged that your inbox has undoubtedly been inundated with emails informing you that today, Friday 25 May 2018, marks the entry into force of the General Data Protection Regulation (“GDPR”). The Data Protection Act (“DPA”) 2018 will give effect to the GDPR in the UK and replace the DPA 1998.
Law firms, like many other organisations, have been equipping their employees with the knowledge, understanding and practical implications of GDPR through bespoke GDPR compliance training.
Notably, the GDPR does not provide for a grace period, so employees involved in the processing of personal data will be subject to the ongoing obligations mandated by the new data protection framework. The central tenets of the GDPR are control, transparency, security and accountability.
The GDPR aims to modernise existing data protection law, which has been largely unchanged for the past 20 years.
Six legal grounds for processing personal data have been introduced:
The GDPR will have extraterritorial effect and apply to any organisation that processes the personal data of European Union citizens.
Paradoxically, the strengthening of rules about obtaining valid consent before using personal data has sparked the unintended consequence of endless “Keep in touch” and “The Law is Changing” emails. Notwithstanding this, Recital 17 of the GDPR permits reliance on existing consent if obtained in accordance with GDPR requirements and properly documented.
There has been a daily flurry of emails about updates to privacy policies and requests to opt-in before 25 May 2018 to continue receiving direct marketing.
My personal favourite is the “Your Inbox Your Choice” that I received from Waterstones (yes, I bought my law textbooks from Waterstones in my first year of undergraduate study…)
Elizabeth Denham, Chief Commissioner of the Information Commissioner’s Office (“ICO”), asserted that the new data protection regime makes it clear that pre-ticked, opt-in boxes do not indicate valid consent. The GDPR requires consent to be “freely given, specific, informed and unambiguous”.
Moreover, consent is only one of the six legal grounds for processing personal data, so organisations were not required to ask subscribers to renew their consent as a matter of course.
The GDPR strengthens the existing subject access request (“SAR”) regime. Data subjects will continue to exercise their right to find out the personal data that an organisation holds on them, the rationale for holding this personal data and to whom this data has been disclosed by the organisation.
The new data protection regime will confer on data subjects the right to access personal data, which was a key principle of the DPA, the right to data portability, the right to rectify and delete data, the right to restrict and object to the processing of data and the right to lodge a complaint with a national supervisory authority such as the ICO.
To reflect the modernisation of data protection obligations, employees must be able to make electronic SARs and the ICO has updated its code of conduct on SARs to confirm that data subjects can make SARs using social media channels such as Facebook and Twitter.
The principle of accountability has been introduced by the GDPR and requires organisations to both comply with the data protection principles and demonstrate compliance with the data handling requirements by implementation of data protection policies, record keeping obligations and data protection impact assessments.
Data protection enforcement powers under the GDPR include the ability of national supervisory bodies to levy fines of up to 20 million euros (£17.5 million) or 4% of an organisation’s annual global turnover in the preceding year, whichever is higher.
The administrative sanctions available to the ICO range from warnings and reprimands, to compliance orders and restrictions or bans on data processing. The incumbent Information Commissioner stressed that fines will not be used as sticks to unduly punish organisations, but will be commensurate to the seriousness of the data breach and reserved for the most flagrant and damaging data.
Article 82(2) of the GDPR sets out the factors to be assessed by the national supervisory authority when deciding whether or not to impose an administrative fine. These include the number of data subjects affected by the infringement, the level of damage suffered by them and the categories of personal data involved.
The ICO will also take into account the conduct of data controllers and data processors: in the past, in the lead up to the breach and following the breach.
Under the former data protection regime, telecoms giant TalkTalk was fined £400,000 in 2016 and £100,000 the following year for failing to adequately protect customer data from cyber attacks.
The GDPR has not only lifted the monetary penalty ceiling but also introduced a 72-hour time period within which data processors must report breaches to the national supervisory body (the ICO) and, if the data breach is sufficiently severe, inform the data subjects whose personal data have been compromised.
Organisations with comprehensive codes of conduct, procedures and policies will be well-placed to navigate the new data protection minefield and avoid corrective measures for infringements.
Whilst the advent of GDPR is currently taking centre stage, the effect of Brexit still looms large. The UK’s withdrawal from the EU, which is set for 29 March 2019, will signify the classification of the UK as a third country.
This means that data controllers in the remaining 27 EU member states will have to rely on a specific legal basis under the GDPR to legally transfer personal data to the UK. For example, an international City firm with European offices may decide to rely on a special derogation under the GDPR in order to legally transfer client data.
“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone” – Elizabeth Denham
The GDPR presents challenges in the form of implementing policies, procedures and systems to comply with the new data protection obligations. The twin aims of the GDPR are:
The latter includes law firms (although they can also act as data processors when receiving bulk data) and data processors such as sporting bodies, for example FIFA, which processes the personal data of football stars including England captain Harry Kane, who believes that the Three Lions could win the 2018 World Cup, but I digress…
Processing is broadly defined under the GDPR and includes collection, recording, storage, use, erasure or destruction.
Invariably, processing client data is intrinsically linked to the role of a lawyer and law firms will need to carefully consider their risk profiles for GDPR compliance. They will also need to think about the impact on data collection for the purposes of setting up a data room and disclosure, or discovery, as it’s known in the US (cast your mind to season 2 of Suits, Travis Tanner and the memo found and destroyed by Donna).
Having been involved in three disclosure exercises in my Litigation seats during my first 9 months as a trainee solicitor, I can assure you that the volume of documents to be reviewed for relevancy to the issues in dispute can be immense.
For those with a glass half-full mentality, the GDPR heralds the dawning of a harmonised data protection regime across the EU. The streamlined approach to data protection compliance will bring an end to navigating multiple data protection regimes across different jurisdictions.
Inevitably, data protection lawyers have been very busy advising clients on GDPR best practice and should be kicking off the bank holiday weekend with a GDPaRty…
Author: Hilda-Georgina Kwafo-Akoto