³ÉÈËÓ°Òô

In part one Laura gave us an overview of the GDPR, reminded us of the lawful bases for it and discussed the discrepancy between what was thought would happen post-implementation, and what actually occurred. Here she explores some of the key developments and shares what we can expect in years to come. 

Key developments

Some of the key developments since the GDPR’s implementation can be categorised as follows:

• Individual’s rights requests
• Personal data breaches
• Consent and transparency

 Individual rights requests

Individual’s are now more aware, but organisations are not responding in the correct way. The new individual rights brought in by the GDPR are:

• Right to erasure (aka the right to be forgotten) e.g. with dating apps like Tinder there has been disputes around how long they can store old conversations
• Right to restriction
• Right to portability
• Right to object
•  Right not to be subject to automated decision-making

With this in mind, organisations need to be more vigilant in preventing individual rights breaches. Laura suggested the following actions, to:

• set-up effective communication channels
• clear internal policy and procedure
• operationalise the policy and procedure: educate and test – you need to test your policies i.e. how can you make sure they’ve been read? This could be done by delivering them in bitesize training, arranging drop-in sessions, and arranging a test to learn from and inform your next step in this process
• use external counsel – it may be better to outsource due to the sheer volume of work that the GDPR creates and to obtain expertise
• Record action taken
•  future review

Personal data breach

This is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration unauthorised disclosure of, or access to personal data which is transmitted, stored, or otherwise processed. Hence, this can be more than just a rogue e-mail, it can include something broader like access to HR files.

For the process of reporting a data breach, see diagram below:

Of these breaches, most of them have been unauthorised disclosures. For example, Marriott International have recently been in the news for their purchase of a hotel without conducting appropriate due diligence leading to mass wrongful data disclosure. They have been served an ‘intent to fine’ of more than £99 million. Similarly, British Airways have been given an intention to fine £183.39 million for a data breach after they allowed a third-party website to siphon off all their customer’s data.

The actions for prevention are the same as for individual rights requests. Laura emphasised that the key focus should be on the time limits (see diagram above). You need to know the relevant information as soon as possible and any issues/potential reports. To do this most efficiently, IT and legal teams need to work together.

At this point, one of our audience members enquired whether Laura had any advice as to how to approach these teams to ease this collaboration. Laura agreed that this can sometimes be a difficult conversation. As an example, she brought up the concept of deleting and destroying data. This can pose problems as many of those in the technology and IT sectors would say that data is not completely erasable without destroying a hard drive or the equivalent. Further, they are often keen to retain systems which do retain data forever. Laura’s advice was to always explain in person if possible: communication will be smoother, and it reinforces the idea that you are working side-by-side to reach a solution.

Consent and transparency

Consent is one of the lawful bases for processing. It is defined in the GDPR as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement […]’. Consent cannot be an ambiguous concept: to be obtained, it must explain fully all the on which platforms an individual’s data is being shared. As it is sometimes hard to prove consent to this extent, it may be useful to look at alternative lawful bases.

Transparency entails providing clear information which explains any data processing activities. This is most commonly in the form of a privacy notice. For example, if it were Google, they would need to make any transparency information easily accessible, the language needs to be intelligible and the concepts easy to understand. One suggestion is displaying this information in an easily digestible format like a short video.

Generally, the involved party will be more likely to withdraw their consent if you are not being upfront with this information.

To aid in both consent and transparency, Laura suggested actioning the following:

• checking all privacy notices needed are in place and comply with requirements e.g. website, terms and conditions, job applicants/recruitment, employees and subscription to marketing
•  going over and above the requirements of the GDPR: align with regulator guidance and enforcement action e.g. CNIL & Google
• business awareness of privacy notice contents – checking all employees have actually read their own privacy notice

 GDPR and beyond

Laura went on to discuss what is next for the GDPR and how organisations can continue to improve with this. Some priorities she suggested to focus on were to get businesses to ask themselves:

•  are my actions analytic?
• does my organisation have an international reach?
•  how can I change as the law moves forward?

It is especially important to watch out for international transfers of data. The GDPR affects any data which comes in and out of the EU so can apply to a country which is not part of the EU if they are instrumental in that transfer. If Britain leaves the EU without a deal, we are likely to be that externally affected country so there needs to be an freshly evolved regulation to rely on. This will likely be in the form of model clauses and privacy shields as in the US.

The case of Schrems II, brought by Max Schrems has challenged this form of data protection however, which would then mean we have no mechanisms available to us in the event of a no-deal Brexit.

Another development to watch out for is the e-Privacy regulation, which is currently in draft format. This is a cross-over with the GDPR but also regulates the use of cookies and electronic marketing. All companies will need to conduct an audit in preparation of the final form of the e-Privacy regulation. It is important be well-informed from the get-go and to align yourself within the confines of the draft version.

Predictions

Laura then told us some of her predictions for data protection in the future:

• risk assessments are likely to be needed as proof of action in advance of a breach happening
• due-diligence will now be more focussed on the GDPR and data protection
• data protection will become a business priority and will create a benchmark for other countries and organisations to follow across the globe
  

Join Aspire today

is free to join and open to all in-house lawyers in the early stages of their legal career. . 

Additional recommended reading:

  - This Practice Note illustrates how to manage a data protection breach (including a cybersecurity breach) under the EU General Data Protection Regulation (GDPR). It maps out a data breach process, providing guidance and links to relevant precedents for each stage of that process. It can also be used for cybersecurity breaches

- This Precedent Data breach panic sheet gives tips on what to do and what not to do in the immediate aftermath (first 24 hours) of a personal data security breach

- This Practice Note explains the right of data subjects to have access to their personal data contained in the General Data Protection Regulation (GDPR). It considers compliance strategies for businesses, particularly in relation to data subject access requests, also known as DSARs

- This Flowchart sets out a process for handling data subject requests received under the EU General Data Protection Regulation (GDPR). It maps out a process to follow when you receive a request from a data subject to exercise one of their data subject rights under the GDPR, providing guidance and links to relevant precedents and separate detailed flowcharts

– This Practice Note sets out information requirements that are contained at various places in the General Data Protection Regulation. Most of these relate to privacy notices, but there are also information requirements relating to issues like data breach and data protection officer

- This Precedent Privacy policy is a customer-facing data protection policy (or privacy notice), intended for general commercial organisations. It reflects information and transparency requirements in the EU General Data Protection Regulation (GDPR) and relevant guidance issued by the Information Commissioner’s Office and Article 29 Working Party