The EU’s new data protection regime – the General Data Protection Regulation (GDPR) – comes into effect on 25 May 2018, by which time businesses across Europe will need to be compliant. As the deadline fast approaches, those companies that do not yet feel adequately prepared are advised not to panic, and to focus on some immediate priorities for compliance.
Alex Razak is an associate in the corporate department at Trowers & Hamlins, where he specialises in data protection, IT contracts and commercial transactions. He says:
"I have met clients who are panicking about GDPR, but I have not yet met a client that is not compliant with the Data Protection Act 1998, which is the current law.”
“The GDPR builds on the Data Protection Act, and so if you are materially compliant with that then you are not far off complying with GDPR. The first message is one of reassurance.”
GDPR compliance should be seen as an ongoing process, with one of the fundamental principles of the new law being that an organisation has to demonstrate compliance, which means developing awareness of data issues across the business, right up to Board level.
Charlotte Clayson is a senior associate in our dispute resolution and litigation department, where she handles cyber and data breaches. She says: “For clients who haven’t yet started to do anything in practical terms on GDPR, there is no need to panic. The best place to start is understanding exactly what personal information the business holds about people, where it holds that data, and why it has it.” She adds: “That initial audit is the most step towards understanding how GDPR will effect the company, which allows management to then go on to prioritise the key areas of risk in the business.”
Those risk areas will vary from organisation to organisation, and may be to do with reputational risk, strengthening cyber security technology or practices, or changing the cultural attitude of employees towards personal data. On the latter point, the Information Commissioner’s Office (ICO) in the UK has been clear about the need for the protection of personal data to be at the heart of every business’s strategy, given that data is typically one of a company’s biggest assets. Any incidence of a data protection breach can impact employees as well as customers, and can have ramifications beyond just business and commercial, to include serious reputational harm.
Razak says: “The reality is that, from a cyber criminal’s perspective, data is the new oil, and they will target organisations based on how susceptible they are to a breach. Making sure organisations are putting up the best defences possible and data is managed can minimise the impact.”
In the event that a data breach does occur, following the immediate challenge of managing the reputational issues, the ICO will be looking to a business to demonstrate how it complies with the regulations. The ICO has a range of corrective powers and sanctions to enforce the GDPR, including warnings and reprimands; imposing temporary or permanent bans on data processing; suspending data transfers to third countries; and ordering the rectification, restriction or erasure of data.
The GDPR also introduces fines of up to €20 million, or 4% of global annual turnover, which is higher, which can be imposed on a case-by-case basis.
Clayson says: “It is critical to have policies and procedures in place so that people in your business understand the best way to handle personal data, where it’s particularly sensitive, where there should be additional controls and how it is stored on systems. If you can show these policies and procedures, and there’s an audit trail showing you’re not just thinking about the bottom line for the organisation but are also giving proper thought to protecting personal data, then you will be in a far better position if you find yourself talking to the ICO after something has happened.”
Demonstrating buy-in at Board level is also important, to illustrate company-wide commitment and avoid any perception that data is the responsibility of, for example, the IT department.
When it comes to the next steps that follow an initial data audit, it is important not to assume that seeking consent will always be appropriate, as there may be easier ways to legitimise holding data.
Clayson says: “There is a tendency to get a bit hung up with consent, which is entirely appropriate in some circumstances, but shouldn’t necessarily be the starting point for how you legitimise what you are doing. If you are relying on someone’s consent to process their information, and they withhold that, you need to ask yourself whether your whole business model falls down. What are the implications? It comes down to the legal basis on which you are holding or sharing information.”
Companies will need to be far more transparent with people about why they are holding their personal data, and what they are doing with it – often addressed through terms and conditions of doing business.
Razak advises business leaders to take a risk-based approach in the run-up to implementation date. “There seems like there is a lot of work to be done by 25 May,” he says. “It may not be possible for some companies to become entirely compliant. So, I’d advise businesses to update the information notices that they give to individuals, which inform them on how their data is being processed. Another piece of work that should be done is identifying impacted contracts between the company and third parties – inter-company contracts are priority two. It can be a lengthy due diligence process to identify the provisions that need to be updated in those contracts.”
While the deadline for compliance may be pressing, the reality is that GDPR requires ongoing work, with policies and procedures needing constant review to make sure that the data of customers and employees is being handled correctly.
Mark Kenkre, a partner in our dispute resolution practice whose work includes a focus on cybercrime, says: “This is really just about best practice in data protection, and people who aren’t following the basic steps are leaving themselves vulnerable to breaches. More than one regulator will be interested in the event of the breach – the Financial Conduct Authority, for example, will do its own investigations and hand out fines, as well as potentially enforcing ongoing monitoring at a cost to the organisation.
"The costs associated with a breach and recovery are potentially extremely serious.”
While no one need panic, now would certainly be a good time to get your data protection house in order.