Protecting personal data: how can businesses ensure they have adequate procedures?

The digitisation of our personal information has made that data vulnerable: as HMRC found out in 2007 it is relatively easy to lose the records of 25 million individuals when they are contained on a couple of floppy discs – 25 million paper records are far harder to mislay.

As users and processors of this personal information, businesses have a duty to keep that information secure. The public outcry resulting from HMRC’s error led to a tightening of the laws and the introduction of a £500k fine.

Secure data protection is essential to maintain trust between business and the public; it is not just a legal requirement, it is good business practice.

Businesses increasingly recognise that data protection is more than boring red tape but is vital for public confidence in their operations and essential to a thriving digital economy.

GDPR:

The General Data Protection Regulation (the “GDPR”) comes into force in May 2018. It will ensure consistency across the EU and provide greater clarity for businesses, although there will be some national exemptions and the UK government is yet to clarify its position on this.

The GDPR places greater emphasis on accountability. It will require companies to explain what they hold and to show that there are systems in place to protect that data.

The transfer of data outside the EU will continue to be subject to current strict requirements, but the GDPR provides some improvements and clarifies the criteria and processes that apply to international data transfers. In relation to notification, it will generally be mandatory for data protection breaches to be notified without undue delay and, as far as controllers are concerned, within 72 hours.

Penalties will be significantly higher: From EU10m or 2% of worldwide turnover to EU20m or 4% of worldwide turnover, whichever is higher.

It is worth noting that much of it builds on existing law and the 8 Data Protection Principles already established under the Data Protection Act, with which most organisations should already be complying.

The GDPR builds on these principles with the following changes:

  • Clarification of what constitutes personal data (i.e. anything that can identify an individual).
  • Extending the territorial scope to any organisation that offers goods or services to EU residents or monitors their behaviour.
  • Encouraging pseudonymisation.
  • Enhanced erasure laws.
  • Greater data portability giving subjects increased rights to access any data held in an easily transferable format.
  • Restrictions on use of data – i.e. data can be maintained but may need to be ‘put beyond use’ by the data controller.
  • Ability to object to profiling.
  • Tougher rules on marketing requiring pro-active consent – that is freely given and informed.
  • Stricter guidance on collecting data from U16s – there may be some derogation at state level e.g. reducing the age limit to U13s.

Good Practice:

  • Ensure awareness among decision makers and key people that the data protection law is changing to GDPR.
  • Ensure that robust policies and data privacy procedures are in place.
  • A data privacy compliance framework needs to be well embedded.
  • Data Privacy Officers need to be in place to ensure compliance with regulation and the company’s privacy plans.
  • An accountability framework should be put in place.
  • IT data mapping is also being considered by some organisations.

The Information Commissioner’s Office has guidance on the 12 steps organisations need to be taking now.

Key Challenges:

For many complying with the GDPR should involve the ramping up of existing practice and procedures. However, a number of key challenges were discussed:

  • Data portability: the right to data portability is new and requires companies to provide data electronically and in a commonly used format. If paper print-outs or an unusual electronic format are currently used to provide data, companies will need to revise their procedures. Companies are worried about the security around this issue and also the right format to use.
  • The international transfer of data will be a significant challenge and companies will be looking to the regulator for guidance. The goalposts have already changed around model clauses making it hard for organisations to do the right thing.
  • With the emphasis on accountability, companies will need to establish how best to systemise document accountability to evidence robust protection.
  • Knowing what is happening on the ground and that the system is working will be essential, particularly for those organisations holding a huge amount of data. Companies will need robust and on-going monitoring arrangements.
  • Outsourcing contracts will need to be updated to reflect the new obligations.
  • Companies will also need to establish where the liability lies between data controllers and processors to make it clear who is responsible.
  • Companies will also have to ensure that this regulation is applied down the supply chain which will be a challenge.
  • Where a huge workforce has access to personal information implementing robust controls and evidencing the steps taken will also be a challenge.

Concerns:

Will the guidance on GDPR from the different EU Data Protection Authorities result in confusion?

Could enforcement be stricter in the other EU member states than the UK?

How can companies balance what is right for the consumer against the commercial imperative? This is a challenge for the regulators too who cannot be seen to destroy the digital economy.

The GoodCorporation Perspective:

As with the UK Bribery Act the first step in ensuring adequate procedures for data protection will be a systematic risk assessment of current systems. Businesses need to evaluate how their data is obtained, stored and transferred in order to understand if it is properly protected in the light of GDPR and what further measures, if any, will need to be introduced.

Companies may also be at risk if they delegate all responsibility for adequate data protection to data controllers and the compliance function without assessing how this sits within the business culture. Protecting personal data properly is a function of an ethical business culture, it demonstrates a commitment to doing the right thing and should therefore be seen as another component of good corporate governance.

 

Posted June 2016