January 09 2018
Data protection law in the UK is set for a radical overhaul in 2018 and companies should be preparing now for the changes and the compliance challenges that this will bring.
Smartphones, social media and other new digital technologies have transformed how data is collected and current legislation is out of date. The EU General Data Protection Regulation (GDPR) is an attempt to harmonise data protection laws across Europe. The UK's recently announced Data Protection Bill (which will replace the current Data Protection Act) will transpose the GDPR into UK law and will be applicable despite Brexit.
The new enhanced regime, which will be in force from 25 May 2018, has been described by the Information Commissioner as "a game-changer for everyone" since it will affect all businesses that process (i.e. collect, record, use or disclose) data relating to an identified or identifiable natural person ("personal data").
Companies will not escape the need for compliance with the GDPR regime since they will frequently process personal data as part of their core business activities, hold personal data on their employees (including sensitive personal data such as ethnicity and criminal convictions data when DBS checks are carried out) and possibly use personal data for marketing purposes. Any company (inside or outside the EU) that holds and processes data about EU citizens will have to comply.
With maximum fines of up to the higher of €20m or 4% of annual turnover, companies cannot afford to be complacent. So what should company directors and risk managers be doing now to prepare for the new legislation, to minimise the risk of incurring significant fines and potential reputational damage if they are held to be non-compliant? What are the insurance implications if they fail to prepare? This article gives practical insight on how companies can best prepare themselves over the coming months.
The GDPR has introduced a new principle of accountability, which will require companies to comply with the law and have appropriate records to demonstrate compliance. Therefore companies should incorporate a compliance programme to put in place a suite of policies, procedures and audit controls to monitor and ensure compliance. A successful programme is likely to require HR, IT, Business Development, senior executives, risk managers and input from all other areas of the business to work together to raise awareness of the new regime and its impact on day-to-day business, and to assist with risk assessments and record keeping.
How data is captured and used is more prescribed in the GDPR and therefore, companies should undertake a detailed review of their personal data processing activities. In particular:
Many companies will store personal data on clients and employees.
Under the new law, any data breach which is likely to result in a risk to the rights and freedoms of individuals must be reported within 72 hours to the ICO. In these circumstances, such individuals will additionally have to be notified without undue delay.
Companies should review their existing IT security measures. Do they meet the highest security settings of "data protection by design and default" which the GDPR requires for personal data? Is there an appropriate data breach response procedure to manage a major data breach? Is this procedure tested regularly? Do employees know who to report breaches to?
Companies should identify what people within the business know about data protection measures and the new enhanced regime. Do they know: what constitutes personal data and sensitive personal data? What personal data they hold? How data moves around the firm? How data is processed? How long data is retained for? Regular internal training on the GDPR should be given to all staff so that they understand the new legislation and the implications for the firm if it is non-compliant.
There may be occasions where companies need to send documents to third parties for review. When defending allegations of misconduct or when responding to regulatory investigations, directors of companies may need to forward documents to their solicitors for advice. Companies may wish to use an external document review agency to review large volumes of data and documents (including personal data) to identify only those documents which are relevant to a transaction. Companies may instruct translators in an international transaction to translate foreign language documents into English. What should companies do to ensure they are GDPR compliant in these situations?
Companies will need to carefully review relationships with third parties and consider what additional provisions may need to be included in these contracts to help ensure compliance with the GDPR. They should ask questions such as: how does the third party process personal data? How long does it store it for? What data security does the third party have in place? Does it have cyber and data breach insurance? In short, organisations need to satisfy themselves that any third party handling outsourced data is also complying with the GDPR regime.
Directors need to take the GDPR seriously by reviewing internal procedures and the company's cyber security and data breach response.
Directors should ensure they have appropriate D&O insurance to respond to claims against them by the company/shareholders for non-compliance with the GDPR. The costs of defending claims against them for their personal failure to ensure compliance should be covered.
Companies which store large amounts of personal data should also ensure they have an effective cyber policy with appropriate indemnity limits. The financial consequences of a data breach can be significant. Notifying all individuals affected that there has been a data breach can be expensive and time consuming, and these costs can be insured under a cyber policy. The policy should also cover liability claims brought by individuals who seek compensation for damage (including distress) as a result of the breach, as well as the associated defence costs of responding to these claims.
With just over 6 months until the new data protection legislation comes into force, companies need to be actively preparing to ensure they are GDPR compliant. For many businesses, it will be a matter of identifying what measures are already in place, identifying what steps are needed to comply with the regime, and then filling any gaps.
The legislation is coming in and companies should not be complacent. Clients will expect the companies they do business with to comply with the new regime; the fines could be crippling for the business; there is a serious risk of reputational damage for those companies which fall foul of the legislation.
For further information on this topic please contact Rhiannon Webster, Shehana Cameron-Perera or Francesca Muscutt at DAC Beachcroft by telephone (+44 20 7894 6800) or email (email@example.com, firstname.lastname@example.org or email@example.com). The DAC Beachcroft website can be accessed at www.dacbeachcroft.com.
This update has been reproduced in its original format from Lexology – www.Lexology.com.