Tips on laying the groundwork around GDPR, for busy managers and founders of growing technology companies – from the 2017 series of Threads discussions.
Discussion host: Rory Suggett, Partner at Ashfords LLC.
GDPR has been in force since 24 May 2016; however, because of the complexity of the changes, it will not apply until 25 May 2018, to allow organisations to prepare. Data which is publicly available is still caught by GDPR.
The value of data
Your data are every bit as valuable as your IP rights and the commercial assets of your business. Reviewing GDPR compliance can be a good catalyst for managing the business and its data better, and additional value or opportunity may be discovered along the way.
Ensuring adequate cyber protection is a healthy exercise at any time; good starting points include undertaking ‘Cyber Essentials’ or ‘Cyber Essentials Plus’. Some organisations will be required to appoint a data protection officer (DPO); you should take advice before appointing one, as there are strict statutory requirements around DPOs.
Global data protection standards
Different data protection standards exist worldwide, and data held in a given jurisdiction is subject to that jurisdiction’s rules. US data protection laws differ from state to state, with California having some of the most comprehensive. If your system fail-over is international, your compliance must be too.
GDPR, for the first time, places statutory obligations on data processors; under the Data Protection Act such obligations applied only to data controllers.
Consent: if consent was obtained prior to GDPR and is aligned with its principles, it is still compliant. If not, fresh consent is required. Data can only be processed for the purpose for which it was collected; it cannot be stored to do ‘something interesting’ with in the future.
Consent must be unbundled from other communications, and must be as easy for a consumer to withdraw as to give. The consumer should be provided with a full overview of their rights, the actions they can take, and the timeframe for retention.
It’s important to remember that consent is not the only legal basis for processing personal data. Organisations can rely on: (i) performance of a contract; (ii) legal obligation; (iii) protection of vital interest; (iv) public interest; or (v) legitimate interests.
The legitimate interests basis already exists under the Data Protection Act, but because of GDPR’s accountability requirements organisations will need to be clear about how they are relying on it. You will need to develop a policy in which you can demonstrate how you have balanced your commercial interests against the data protection rights of individuals, and how that assessment shows that your commercial interests do not have a negative impact on the individual’s data protection rights.
Subject access requests: the Data Protection Bill proposes to create a criminal offence where an attempt is made to tamper with or alter personal data in order to prevent its disclosure.
Right to be forgotten: GDPR establishes a right to be forgotten; this right will also need to be enforced with anyone with whom you have shared the data.
The ‘data controller’ has ultimate responsibility for the data and is responsible for consent. A ‘data processor’ (e.g. a SaaS provider) may process data on behalf of the controller, but only within the original purpose. GDPR requires that controller–processor relationships be governed by a written contract with adequate data protection provisions included; the required provisions are set out in GDPR.
Online marketing activities are governed by PECR. As part of the overall data protection reform package, the EU is proposing a new ePrivacy Regulation which will update PECR. It was hoped that this would be in place by 25 May 2018; this is now looking unlikely. Broadly, the legitimacy of outbound contact relies on consent from the individual. Once consent is obtained, the business is entitled to market to them until the consumer withdraws consent. Organisations are entitled to offer consumers goods and services similar to those already sold to them without establishing additional consent, provided that consumers are given the opportunity to opt out each time they are contacted. B2B marketing is slightly different.
Organisations which profile individuals should think about how their activities interact with GDPR and the data protection rights of the individual. They should be able to demonstrate a ‘legitimate interest’.
Organisations should map out why, how and where data comes into their operation, thinking “why do we have this data, what is its purpose and for how long should we have it?”. Organisations should be aware of how long they are holding data, and have a data deletion policy.
Human judgement or error is still the most likely reason for a data breach. Standards, such as ISO27001, go a reasonable way towards compliance, but aren’t sufficient in isolation.
In the event of a breach at a data processor, the processor must notify the data controller without undue delay.
Organisations handling special category data (known as sensitive personal data under the data protection act) should conduct an appropriate risk assessment.
Consider the risk of anonymised data becoming coupled with data which identifies an individual; it does happen. Anonymised data is only truly anonymous if it is aggregated data.
Data policy and records
Organisations should have a data policy, with safeguards and processes already in place, mapping out the course of action in the event of a breach. It should be readily possible to determine which data has been breached, assess the risk, and identify any affected individuals – data processors are required to notify all breaches to data controllers without undue delay. Data controllers must notify the ICO without undue delay and, where possible, within 72 hours of becoming aware of the breach. Where the breach poses risks to their rights and freedoms, the affected individuals must also be notified.
Data protection records should be kept up to date.
In the event of an undiscovered vulnerability or system virus causing a data breach, organisations may need to demonstrate that they had adequate system upgrade and patching safeguards already in place.
Data protection will become an increasingly important feature in due diligence exercises from funders, prospective customers and partners, and should be something that a founder or exec can readily validate within the business.
Contracts should require compliance with data protection laws and state that data will be processed in accordance with those laws, including stipulating notification in the event of a breach.
Provide staff with an acceptable use policy, with an additional management policy for handling an incident. There should also be a subject access rights policy, to deal with any requests. Organisations should familiarise themselves with the new regulations via the ICO website, may like to follow its ‘Myth Busters’ blog, and should complete the relevant checklists, which are provided free of charge.
Organisations are encouraged to visit the ICO website, follow the exercise, and identify any holes in policy and practice to remedy as necessary. It is important to raise staff awareness accordingly.