Most Lexcel practices will be aware of the EU General Data Protection Regulation (GDPR) and the significant impact it will have on their approach to data protection. Most will also have begun their preparations for 25 May 2018, the date from which the GDPR applies. If you haven't yet begun to prepare, this article will help you make a start.
The good news for Lexcel firms - who will generally be on top of the issue - is that effective compliance with the Data Protection Act (DPA) is a platform on which you can build; nevertheless, as the Information Commissioner's Office (ICO) points out, 'there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.'
Working your way through the guidance from the ICO on the 12 steps that organisations should take now to prepare for the GDPR is a good way to start your preparations and identify your priorities from this checklist. If you've already done this and you're looking for something more substantial, go to the ICO's GDPR overview page. Amongst other goodies it contains a link to the ICO's draft consent guidance for public consultation, as well as guidance from the Article 29 Working Party on data portability, lead supervisory authorities and data protection officers.
The 12 steps
The first step is to ensure that decision makers and other key personnel are aware of the GDPR, the impact it could have and its resource implications. For some legal practices, particularly large ones, the resource implications could be considerable. This should become apparent as we consider the other 11 steps recommended by the Commissioner.
Understanding the personal data you hold, including where it came from and who it is shared with, is the next step.
An information audit may be necessary either across your practice as a whole or within particular practice areas at risk. Clearly this is a useful exercise for many facets of compliance with the DPA and GDPR but it may yield wider business insights of value too.
However, the particular example given by the ICO of why it is necessary concerns the accuracy of personal data. Under Article 5(1)(d) personal data shall be accurate and, where necessary, kept up to date (the same as the fourth data protection principle under the DPA). It also requires that every reasonable step must be taken to erase or rectify inaccurate data without delay. You cannot correct, or tell others to correct, data you do not know you hold or have shared, which is why the audit comes first.
Under Article 19 a controller must communicate any rectification or erasure of personal data to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort.
The ICO's third suggestion is to review your current privacy notices and draw up a plan for revising them to meet the requirements of the GDPR.
When collecting personal data, you already need to give data subjects certain information - your identity and the purpose(s) for which you will process their data - but under the GDPR you must provide them with additional information.
These information requirements are set out in Article 13. They include:
- the legal basis for processing the data (lawfulness of processing is set out in Article 6)
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period
- where there is automated decision-making, including profiling (likely to be more frequent with the current push to AI and machine-learning systems), the existence of that decision-making together with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
This information must be provided in a concise, transparent, intelligible and easily accessible form using clear and plain language. The ICO has published separate guidance on privacy notices under the GDPR.
Individuals' rights under the GDPR are similar to their rights under the DPA. The ICO therefore suggests reviewing your systems, processes and procedures to support current rights and to prepare for new rights like data portability.
Data portability applies where processing is legally based on consent or is necessary for the performance of a contract and the processing is carried out by automated means. It gives data subjects the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Again, with the march of automation, this may become a more realistic scenario for practices over the next few years.
Data subject access is core to the day-to-day work of data protection officers and central to the current data protection regime. Under the GDPR, the standard charge for subject access will go (a reasonable fee may still be charged only where a request is manifestly unfounded or excessive) and the timescale for complying has been reduced from 40 days to one month, extendable by a further two months for complex or numerous requests provided you tell the individual within the first month. You will also have to provide some additional information (for example, the legal basis on which you are processing the data).
The ICO notes that a reduced timescale and additional information provision could prove onerous and administratively costly for some organisations. They make the interesting suggestion that it may be worth conducting a cost benefit analysis of allowing individuals to access their personal data online.
Steps six and seven invite you to look at the data processing you carry out, identify its legal basis and document it. Where consent is the basis, you should review how you are seeking, obtaining and recording it.
Although the legal bases for processing under the GDPR are similar to those under the DPA, the ICO points out that under the GDPR individuals' rights can be modified by the legal basis for processing, and your basis for processing data will form part of your privacy notice and of your response to any subject access request. In particular, where your basis for processing is consent, data subjects have a stronger right to erasure of their data (the 'right to be forgotten') if they withdraw consent. Documentation is important to meet the GDPR's general accountability requirements.
If you collect information from children you should pay special attention to step eight - introducing mechanisms to verify age - as the GDPR introduces protection for children's data for the first time.
Cyber security is the focus of step nine. The GDPR introduces compulsory data breach notification: a breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected individuals must be told directly where the breach is likely to result in a high risk to them. It also introduces potential fines for egregious breaches of up to four per cent of total worldwide annual turnover or 20m Euros, whichever is greater.
With cyber attacks a tier one national security threat, and running at record levels, cyber resilience should be at the top of every organisation's board level agenda. Help for law firms can be found on the Law Society's cyber security and scam prevention webpage. Additional guidance and an online market place can be found on GCHQ's National Cyber Security Centre website.
Data protection by design and data protection impact assessments may be less familiar territory than cyber security. Step 10 therefore suggests that organisations familiarise themselves with the ICO's guidance on conducting Privacy Impact Assessments (PIAs).
PIAs are defined as ‘a process which assists organisations in identifying and minimising the privacy risks of new projects or policies' and the guidance confirms that they are not part of the requirements for complying with the DPA. Under the GDPR, however, Article 35 requires controllers to carry out data protection impact assessments ‘where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk'.
Amongst the areas in which a data protection impact assessment (DPIA) will be required are where there is 'a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person' or similarly significantly affect them. This could have implications for practices thinking of introducing advanced legal services of the kind whose early development was mapped in the Law Society's recent research report Capturing technological innovation in legal services.
The GDPR requires some organisations to appoint data protection officers (DPOs). Under Article 37, public authorities (except for courts acting in their judicial capacity) must appoint a DPO, as must controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences. Whether or not you need to appoint a DPO under Article 37, it is good practice to appoint someone with the skills, knowledge and seniority to take the lead for you on data protection compliance issues.
Finally, for organisations operating internationally, the ICO recommends determining which data protection supervisory authority you are responsible to (your lead supervisory authority). The answer to this question could be complicated post-Brexit, as even if the UK opts in to provisions equivalent to those in the GDPR it is difficult to see how we could opt in to the institutional and legal framework of which it is a part.
These 12 steps are a good starting point but it should be obvious that they are likely to lead to further work. Perhaps the most important first step you can take, therefore, is to give someone responsibility for leading your work on the GDPR and then give them all the support they need.