Khepri's A to Z: Data Protection - Buy and Sell-Side Compliance
Introduction
This is an opportune moment to issue the next instalment in our A to Z services, D – Data Protection, coming as it does hot on the heels of the European Commission issuing a €1.2bn (that’s €1,200,000,000) fine to Facebook in connection with the alleged transfer of users' data from the European Union (EU) to the USA.
Application
All UK businesses are required under UK General Data Protection Regulation (the “UK GDPR”) to have in place effective technical and organisational data protection measures.
The UK’s Data Protection Act 2018 (“DPA 2018”) enacted the EU GDPR’s requirements into UK law and, with effect from 1 January 2021, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“DPPEC”) amended the DPA 2018 and merged it with the requirements of the EU GDPR to form a new, UK-specific data protection regime that works in a UK context after Brexit as part of the DPA 2018. This new regime is known as the ‘UK GDPR’.
The UK GDPR creates a unified approach to data protection across the EU and in the UK. It sets rules for the collection, use, transfer, and storage of personal data by firms. The EU has now formally adopted ‘adequacy decisions’ for the UK, enabling the ongoing free flow of personal data from the EU/EEA to the UK. As a result, all 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK, preserving a unified approach to data protection across Europe and the UK.
UK GDPR applies to all processing of Personal Data, whether undertaken by a controller or on a controller’s behalf by a processor, where:
a controller determines the purposes and means of processing Personal Data (i.e., us as a company); and
a processor is responsible for processing Personal Data on behalf of a controller (such as our service providers).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether automated or not. These operations include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Responsibilities
Firms must ensure that the way in which they process and protect Personal Data meets the requirements of the UK GDPR. Firms are responsible for, and must be able to demonstrate compliance with, the Data Protection Principles contained within the UK GDPR.
Ultimately, Firms are responsible for ensuring that their practices and procedures regarding data protection are adequate to ensure compliance with the UK GDPR.
All Directors and employees have a role to play in ensuring that the Firm is and remains UK GDPR-compliant.
Personal Data
The term “Personal Data” means any information relating to a person who can be directly or indirectly identified by that information, in particular by reference to an identifier. This implies that a wide range of personal identifiers could constitute Personal Data, including name, date of birth, residential address, identification number, location data and online identifier, amongst others.
It is important to understand that information does not have to include a person’s name to be considered Personal Data. Therefore, the scope of what is captured is likely to be broader than you may have originally considered.
Personal Data does not include data from which an individual can no longer be identified, such as anonymised aggregate data. However, this information must be truly anonymised. Accordingly, if the data set is so small that the individuals concerned are still readily identifiable, then the information will still be considered Personal Data.
As noted above, simply stripping out a person’s name or their usual reference number from certain information does not necessarily make the data non-Personal Data. You must always be aware of the wider “mosaic” of data that is held and may enable you to identify someone, even without their “usual” identifiers attached to the information.
A “Data Subject” is the common term used for a natural person whose Personal Data is processed by a firm.
Top 10 - stumbling blocks
It is not possible for us to summarise UK GDPR in a blog post. However, we thought it would be useful to highlight some of the more frequent stumbling blocks (not necessarily in frequency order) that we see when advising clients on data protection matters:
Scope: The devil is in the detail and it is important to fully understand the difference between processing and controlling personal data, because your obligations under the UK GDPR will vary depending on the role you play. Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. Processors act on behalf of, and only on the instructions of, the relevant controller. Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements. You are also responsible for the compliance of your processor(s).
Privacy Notice: In general, privacy notices are in practice poorly drafted. The main reason for this is that it can be incredibly complex and time-consuming to understand, for a given business, all the different types of personal data collected, why you hold each item of data and what the legal basis is for holding each, and then to describe what you are doing with the data. We think that a well-drafted privacy notice is a good starting point when implementing UK GDPR. The ICO has Examples of Good and Poor Practice and a Privacy Notice Template.
Data Protection Impact Assessments: If you are like us, then you operate at a fast pace and are constantly busy with various conflicting demands. This can increase the risk of not considering the impact of failing to comply with one or more of the UK GDPR principles or other specific aspects of the UK GDPR, both initially and as the business changes. The ICO has a helpful DPIA Template.
Lawful Basis: You cannot hold personal data without a lawful basis to do so. We often see firms taking a broad-brush approach, where they say that, in general, all the personal data held will likely be captured by one or more of the lawful reasons. However, this is not sufficient. It is important to be specific with each type of personal data collected and for each channel or purpose of collection. In addition, a common misunderstanding is that the legitimate interest lawful reason is one-sided, i.e., it only represents the data subjects' legitimate interest. In fact, it includes your own legitimate interest but must be balanced against protecting data subjects’ rights and interests.
Data Subject Access Requests: If you have ever received one of these requests, and they are surprisingly easy for Data Subjects to make, then you will know that they can be time-consuming and divert your attention from more pressing matters. It is important to have a documented process to identify all relevant data and to have two pairs of eyes on the output. In addition, it is important to work with your advisers on whether there are any exemptions which can apply to your disclosure obligations, particularly in situations where the information may lead to a contentious situation between yourself and the data subject.
Security Basics: By “security basics” we mean actions that contribute to managing your security risks, protecting personal data against cyber-attacks, detecting security events and minimising the impact (the UK GDPR Security Outcomes). We often find that firms tell us they have covered this aspect by engaging an outside IT provider, but that is not always the case. There is an important internal layer of security management that cannot be outsourced, which includes individual behavioural matters such as keeping data on a need-to-know basis, periodically reviewing access rights, clear desk management, security over paper files, enforcing cloud storage rather than local storage, etc.
Marketing: One of the most frequent queries we receive is in relation to how a firm can legitimately obtain contact details and then send marketing information to those individuals. In particular, whether reliance can be placed on the firm's legitimate interest legal basis. You need to be able to justify that sending marketing is in your legitimate interests – or someone else’s – and you need to balance these interests against people’s rights and expectations. But that’s only if PECR doesn’t apply, such as when you’re marketing by post, or if you don’t need consent under PECR. This is because electronic marketing has to comply with PECR as well as data protection laws. When you need consent under PECR, it makes sense to use this as your lawful basis under the UK GDPR. This will mean legitimate interests is unlikely to be appropriate or necessary.
International Transfers: As we learn from the recent Facebook fine, it is important to understand where personal data is stored when using cloud-based systems or when transferring data to service providers. People risk losing the protection of the UK data protection laws if their personal data is transferred outside the UK. On that basis, the UK GDPR contains rules about transfers of personal data to recipients located outside the UK. People’s rights about their personal data must be protected, or one of the limited number of exceptions must apply. Please refer to the ICO’s Guide to International Transfers for more information.
Governance: To avoid finger pointing when something goes wrong, it is important to have clear accountability frameworks for all aspects of the UK GDPR. This means that you will need to consider who is responsible for each of (a) overall leadership, (b) policies and procedures, (c) training, (d) DPIAs, (e) records management, etc. In addition, it will be important for the board to receive timely management information.
Responding to Breaches: We are not perfect, and breaches do happen. It is important to adequately document why the breach occurred, what the impact was, and how you will reduce the risk of it occurring again. Don’t forget to create a breaches log.