The GDPR marathon

It’s been nearly two years since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. What has evolved during this time as best practice for firms and what pitfalls should they be avoiding?

There is also the matter of how you should be working with your policies and procedures (which you may have drawn up fresh in May 2018 but have been residing in the bottom of drawers ever since).

First, it is clear that the GDPR is not just a tick box exercise – that once the job of ‘GDPR fying’ your practice has been completed, you can stop thinking about GDPR compliance.

The UK’s Information Commissioner Elizabeth Denham stated that the legislation “creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.

It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation”.

Culture club

The GDPR is all about developing a culture of privacy – putting privacy at the heart of the organisation. And that impetus needs to come from the top. If the senior management of your practice is not taking privacy matters seriously, then it’s unlikely the rest of the staff are.

One of the most common questions I’m asked by firms’ data protection officers and data protection professionals is how to get buy in from the rest of the organisation when trying to implement a new procedure or policy, to discuss the risks involved in a new type of processing or a reluctance to change operations in order to become GDPR compliant.

There are three reasons why senior management (and everyone else within the organisation) should care not just about GDPR compliance but putting privacy at the heart of the organisation.

Of course, there is the possibility of fines, other sanctions and the negative publicity. But there is also the upside. A recent report from Cisco, From privacy to profit, has shown that:

• Most organisations are seeing very positive returns on their privacy investments, and more than 40 per cent are seeing benefits at least twice that of their privacy spend.
• There is a strong correlation between organisations’ privacy accountability and lower breach costs, shorter sales delays and higher financial returns.
• The percentage of organisations saying they receive significant business benefits from privacy (eg operational efficiency, agility, and innovation) has grown to over 70 per cent.
• The vast majority (82 per cent) of organisations view privacy certifications such as ISO 27701 and Privacy Shield as a buying factor when selecting a product or vendor in their supply chain.

In addition, there is the positive impact on clients and potential clients that putting privacy at the heart of the organisation brings.

IKEA is leading the way with this and has just announced its Customer Privacy Promise – a set of principles and approaches to how it uses data with the stated goal to have “people feel as safe online as they do at home”.

For it must be understood that people do have grave concerns about how their personal data is being treated. A 2018 survey by Acxiom, of more than 10,000 people from 10 countries, showed that the vast majority of people from those countries surveyed are concerned or very concerned about the issue of online privacy (see Fig 1).

Aside from being armed with information about these three important factors, your communication and influencing skills will also come into their own when obtaining buy-in.

GDPR may not be perceived to be the sexiest topic but life can certainly be brought to it. If you are passionate about privacy matters then let this passion shine through.

Make your education and awareness practical and relevant to the organisation. Use real life case studies to bring life to the topic and to enable people to see both the downside of neglecting it and the upside of paying attention to it.

Have ‘privacy days’ once a quarter over lunch where you share challenges and best practice; and give awards to individuals within the organisation who have taken steps to embody the privacy culture.

Make those individuals within different teams who show an interest in privacy ‘privacy champions’. Encourage them to get involved by giving them additional training, recognising their efforts throughout the organisation and by providing additional resources.

Controller or processor

Another common question I am asked is whether solicitors are data controllers or data processors. This is obviously a key question due to the different responsibilities and obligations on controllers as opposed to processors, so you don’t want to consider yourself a data processor when, in reality, you are a data controller.

A data controller is the entity that decides how and why personal data is used. A data processor only follows the instructions of the controller with regard to the processing.

A data processor can use its expertise to decide the suitable technical measures necessary to conduct the processing (such as how to store the data, which IT systems to use to collect the data and which security systems to use). But if the processor decided more than that (for example, what to use the data for) then the processor will become a controller in its own right.

If you are under a statutory obligation to process personal data, such as to comply with money laundering legislation, section 6(2) of the Data Protection Act 2018 says such an organisation will be a data controller in the processing of personal data in order to comply with this obligation.

The Article 29 Working Party (the predecessor to the European Data Protection Board) offered further guidance on this question and stated that “a barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case.

The legal ground for making use of the necessary information is the client’s mandate. However, this mandate is not focused on processing data but on representation in court, for which activity such professions have traditionally their own legal basis. Such professions are therefore to be regarded as independent ‘controllers’ when processing data in the course of legally representing their clients”.

The Information Commissioner’s Office (ICO) (the UK’s data protection authority) provided guidance that a solicitor should be considered a controller in the following situations:

• When the solicitor receives personal data about a third party in order to advise the client concerning its rights with regard to that third-party data (eg where a business asks a solicitor to help it with regard to an ex-employee stealing confidential information); and
• when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing legal representation. If, however, a client instructs you purely to process data (which includes personal data), such as a document review, presumably the solicitor would be a data processor in relation to such processing.

If you are a data controller in relation to certain processing, you have a number of obligations under the GDPR including:

• To comply with the six data protection principles and overarching accountability principle.
• To only process personal data when you have lawful grounds for doing so.
• To be transparent in your processing and provide suitable privacy notices, and so on.
• Only use a data processor that is compliant with the GDPR and put appropriate contracts in place.
• Use data protection by design and default when processing personal data.
• Implement appropriate security measures to keep personal data secure.
• Keep appropriate records of processing.
• Transfer personal data internationally only where lawful to do so.
• Comply with data protection right requests within the requisite time periods.
• Notify data breaches where legally required to do so.
• Pay data protection fees to the ICO.

What the transparency obligation means is (subject to what I say below about confidentiality) if you are processing the personal data of a third party (for example, the ex employee stealing confidential information), you should make the third party aware of the fact that you are holding the data and what you intend to do with it.

You normally do this via your privacy notice. Article 14 of the GDPR says that where personal data is not collected directly from the data subject, you should provide them with your privacy notice by the earlier of:

• One month from the date of collection.
• The date on which you use the personal data to contact the data subject for the first time.
• The date on which you disclose the personal data to a third-party recipient.

However, you do not need to provide this information where the personal data must remain confidential, subject to an obligation of professional secrecy regulated by law. If you are a data processor, you also have certain obligations (though not as extensive as for controllers) including:

• To implement appropriate security to keep data secure.
• To only process personal data on the instructions of the controller.
• To notify the controller of any data breaches without undue delay.
• To only transfer personal data internationally where lawful to do so.
• To keep appropriate records of processing.
• Where appointing a sub processor, to ensure that the same contract is entered into as between the controller and the processor.

Note that where you are processor and you suffer a data breach, you must not notify data subjects or the data protection authority directly, rather you must notify the data controller “without delay”.

Remember, data protection compliance is not a sprint, it’s a marathon – and as global data protection laws are being strengthened on an almost weekly basis, data protection and privacy are most certainly here to stay.

If your practice is not quite as up to speed with the GDPR, check out the resources now readily available.

Suzanne Dibble is the author of the bestseller GDPR for Dummies (available at Amazon bookstore). She is also an award-winning small business lawyer suzannedibble.com