
Father Christmas finds out that the new GDPR rules make his annual delivery less HO HO HO, more OH OH OH !?

Posted on: 13 Dec, 17

GDPR is one of the most significant pieces of new regulation on companies to come into force for some years. It will affect everyone, even our friendly white bearded chap from the North Pole. So Oury and Clark attempt to break down the hype (scaremongering) and tell you what you really need to know, so that you aren’t the wrong side of the wall when the bomb drops.

Oury says...

Clark, as it’s nearly Christmas time, I was wondering if we were doing presents for each other this year?

Clark says...

Well, I’ve thought a lot about what I could give you, and think I’ve found something that might actually be really valuable… Perhaps even the best gift you have ever had!

Oury says...

Wow, OK, I was thinking of maybe another velvet hat or those bongo lessons we chatted about, but you’ve piqued my interest, so what have you got me?!

Clark says...

Well, I was going to wait until the 25th, but given that we are both fictional characters who only get rolled out once a month, I’m going to bend the rules and give you your present now… My gift to you is an explanation of the EU General Data Protection Regulation (GDPR), and what you need to think about to get your business compliant in advance of its implementation on 25 May 2018.

Oury says...

Oh man. Is this a joke? That sounds awful.

Clark says...

Oury, how rude! No, I am serious, this gift could potentially be the difference between you being a business leader who uses GDPR to strengthen relationships with customers, or not having a business at all.

Oury says...

Hmmmm, well I have heard chat about some pretty eye-watering penalties, so I suppose I’ll listen, but this had better be good. Velvet hat / bongos good.

Clark says...

Right, well, current law relating to data protection, which was OK for an analogue world, isn’t fit for purpose in a digital one. So the EU has decided to implement one single regulation that will apply consistently across all EU member states for the purpose of better protecting the rights of the individual within the digital age.

Oury says...

Hold on, I thought this was supposed to be a present, not a history lesson?! Why exactly are you boring me with all of this?

Clark says...

Because it is really important for you to understand that the GDPR is not a business-focussed piece of legislation. It is all centred around the rights of the individual, and this explains why some of the concepts you may have heard of, like the comically named ‘right to be forgotten’, may seem impractical / expensive / disproportionate to businesses, but are nonetheless going to have to be embraced, because that is the law!

Oury says...

Well, I am not sure I like the sound of that. Surely the UK will do something post-Brexit to make things a little easier for businesses who have other headaches to worry about, rather than dealing with further regulation and bureaucracy?

Clark says...

Unfortunately not. The UK has already tabled its own Data Protection Bill which will implement GDPR, and even if there was the chance to deviate, it wouldn’t be in the UK’s interests to do so, as it needs to have a parity of standards with the EU to allow continued data flows to/from continental Europe. So, everyone needs to think of this as the tangible and real future with laws, regulators and penalties and not the next Y2K millennium bug as some have been suggesting.

Oury says...

Ok, so basically you are telling me that this is happening and nothing is going to change that. What a great present that is! So what does it actually mean for me and my business?

Clark says...

That’s the spirit! Well, as you point out, you can’t avoid this if you are a business established within the EU, or even established outside of the EU, where you either offer goods or services to individuals within the EU, or monitor their behaviour.

Oury says...

Huh, that is a pretty broad net. Particularly as it applies to businesses anywhere in the world.

Clark says...

Sure is, and it means that nearly every organisation that does any kind of business in Europe is going to fall within the scope of GDPR. There is no consideration given to business size, so whether you are a one-man band, an SME or Google, the GDPR will apply, and with it the penalties for non-compliance, which extend to the greater of €20 million or 4% of annual global turnover.

Oury says...

Clark, that is insane, how can they have come up with those figures?! That would be enough to put most companies out of business overnight, and for the Googles of this world would be in the realm of billions of pounds!

Clark says...

Yep, it’s heavy handed, but the point is that the GDPR is an enhancement of the current data protection legislation, and the existing laws are not being taken particularly seriously, so the regulators have been handed sweeping powers to ensure data privacy moves to the heart of business practices.

Let me quickly run through some key concepts to help explain. Think of them as stocking fillers:

  • ‘Personal data’ means any information relating to an identified or identifiable natural person and includes names, email addresses, photos, IP addresses, biometric or genetic information. Basically anything that could be used to identify a living person.
  • The ‘data controller’ is the entity that determines the purpose or means by which personal data is processed.
  • The ‘data processor’ is the entity which processes information on behalf of the controller, and…
  • ‘processing’ means doing anything with personal data – storage, transfer, access, structuring, recording, etc.

Got it?

Oury says...

I think I’ve got it. So when I store HR information about my employees or contact details for my own customers, I am a data controller. But when my business provides a platform technology to a client and that client determines how their end user data is utilised, then my business would be functioning as a data processor? Right?

Clark says...

Correct, Oury. There are six core GDPR data protection principles that data controllers are accountable for and will need to be able to demonstrate that both they, and any data processors they use, are compliant with:

Personal data must be

  1. Processed lawfully, fairly and in a transparent manner,
  2. Collected for specified, explicit and legitimate purposes,
  3. Adequate, relevant and limited to what is necessary,
  4. Accurate and, where necessary, kept up to date,
  5. Retained only for as long as necessary, and
  6. Processed in an appropriate manner to maintain security

Oury says...

So, the principles basically mean that you should tell people what their personal data is going to be used for (probably as part of a privacy policy). Don’t do anything with it that is inconsistent with that policy. Gather the minimum amount of data needed. Ensure it is kept up-to-date and not held for any longer than it is needed for, and keep it secure?

Clark says...

Yes, exactly.

Oury says...

I am not really aware of any other lawful basis for processing personal data. What other options are available?

Clark says...

There are a few different lawful methods of processing, but for most privately owned businesses, the main alternatives to consent are to either (a) demonstrate that personal data is being processed in order to perform a contract (e.g. to fill an online order), or (b) show that such processing is in the legitimate interests of the controller’s business and does not override the fundamental rights and freedoms of the underlying data subject (e.g. customer is happy to have his address details affixed to a parcel in order that the goods he’s ordered can be delivered).

Oury says...

And what about businesses who currently rely on consent that’s already been given?

Clark says...

Under GDPR, consent needs to be freely given, specific, informed, granular and unambiguous. It needs to be by way of clear positive action and capable of being withdrawn as easily as it was given. So it’s now a big no-no to pre-ticked opt-in boxes or opt-out boxes! It also means it is highly likely that any consent gathered to date is going to be invalid on 25 May 2018, so consent needs to either be re-obtained or a company must have a different lawful basis on which it can process personal data. In respect of most third party marketing activities, and where special categories of personal data are involved (e.g. health information, sexual orientation, membership of a union, and others) consent is required. Bespoke consent notices will need to be drafted on an opt-in basis, and need to be regularly renewed.

If you rely on consent and don’t have the appropriate consent by 25 May 2018 then you will be holding personal data illegally and will need to destroy it. No ifs and no buts. Therefore, you need an action plan now to get the consent before you have to destroy the data.

Oury says...

Right, got it. Consent is an issue! Now you mentioned that data subjects can withdraw their consent, but do they have any other rights over their data?

Clark says...

Yes! There will be new and enhanced rights for data subjects. They:

  1. can make a subject access request, requesting a copy of all data held about them, which needs to be dealt with within one calendar month (extendable to 40 days). You can’t charge a data subject to respond to their request unless the request is ‘manifestly unfounded or excessive’.
  2. have the ‘right to be forgotten’, meaning that all information about that data subject must be irretrievably deleted, or
  3. can request that the personal information they have provided is ported to a designated third party in an accessible format, and
  4. have a right to civil damages for breach of the GDPR which are entirely separate to the administrative penalties and are uncapped.

Oury says...

If I’ve understood you correctly, some of those rights are potentially going to be very difficult for businesses to comply with from a technology perspective, as many IT systems simply weren’t designed with these types of capabilities in mind.

Clark says...

Yes, you are right, and it is something that should be addressed in the New Year just so businesses understand what internal processes they must have in place to deal with such requests and what modifications might be required to their technology.

Oury says...

But how would a data subject, or indeed the regulator, know if there was a breach?

Clark says...

Under GDPR the data controller is required to self-report breaches to the regulator within 72 hours of the breach occurring. The controller will likely then also have to later report this to the data subject themselves, so if an incident occurred at 6pm on the Friday then it would need to have been reported by 6pm on the Monday, even if Monday was a public holiday.

Oury says...

Again, it seems incredible to me that the legislators are being so unreasonable/unrealistic with their scales, but let’s say for argument’s sake that I didn’t comply with GDPR, what do you actually think the chances are that they will come for me? I mean there are so many businesses out there who aren’t going to be compliant by 25 May 2018, why would I be the unlucky one that the regulator looks into?

Clark says...

The honest answer is that nobody can know for sure. It’s like any regulatory change, businesses need to undertake their own risk analysis and work out an action plan. Dependent on the nature of the business, some will struggle to afford the compliance. And the compliance will vary a lot depending on what you are doing. Namely if you are B2B then there is a lot less risk really, as you are handling “consumers/customers/individuals” data to a far lesser degree (namely your employment contracts and employee data). But B2C you need to be thinking more carefully. Do I really think that 20 million euro fines are going to be given out willy-nilly to small B2B businesses, putting people out of work? No, it would seem unlikely; HMRC have 50,000 staff and can’t come anywhere close to checking all businesses in detail. Also obviously the initial targets will be the big businesses where the govt can get some good press to make people aware, and significant fines. But if a 10 person digital agency is using mailing lists with names for which it doesn't have proper consent - then there is every chance they'll be in the ICO's firing line (whether or not they'll get a €20m fine is the subject of a crystal ball) – and certainly will be receiving many requests and complaints from individuals armed with their new rights.

The point is though – you need to start making an effort to at least understand how it affects your business. If you bury your head in the sand and make no effort – then I doubt any regulator would look on this approach in a favourable light!

Oury says...

I see, so you are basically saying that clients should not ignore it and think it will be okay – they should get their head around it, make a plan, and start making changes.

Clark says...

Yes! The key point here is that the pressure will not just come from Govt, it will more likely initially come from difficult customers making subject access requests as above. They will be able to make your life very tricky if you can’t respond to them and they start reporting you to the authorities. And yes there will undoubtedly be a huge number of businesses who will not be compliant by 25 May next year, but remember if you do become compliant ahead of this date, there’s potentially a competitive edge to be had over your competitors.

Oury says...

Can I just quickly ask about the transfers of personal data outside of Europe? A number of my clients have support functions (including cloud storage and CRM system) located outside of Europe. Has GDPR changed the position there?

Clark says...

In many ways, not much has changed: any data transfer needs to be made securely and in accordance with the business’s privacy policy. The so-called ‘white-listed’ countries that have been assessed by the EU Commission as having adequate safeguards all remain unchanged (there are currently only eleven including Canada, New Zealand and Israel). For transfers to the US, Privacy Shield remains available to self-certifying signatories to permit transfers, and the EU Model Contract Clauses also remain valid for controller-controller or controller-processor relationships, albeit there are expected to be updates forthcoming.

Oury says...

Right, well clearly some business decisions need to be taken, and these will be prioritised according to the size, nature and existing practices, but as part of my so-called ‘present’ are you able to give me some practical steps to work on too?

Clark says...

Sure, as an added extra on top of this already amazing Christmas present, here are some practical steps that you can take:

  • Work out what personal and special category data your business uses and whether consent is required to continue using the data, or whether there are some other lawful grounds on which you may process this data.
  • Review your existing privacy policies, consent mechanisms and data retention policies and update these as required. Documents should be concise, easy to understand and reviewed on a regular basis.
  • Where you have a system, software or supplier undertaking processing activities which are likely to result in a high risk to the rights and freedoms of data subjects, you will need to undertake a data privacy impact assessment, i.e. a sort of questionnaire process that interrogates the data processing functions within the new system / software / supplier. This will help you to understand where there are gaps in compliance and identify the means of plugging that gap.
  • Ensure there is buy-in from key stakeholders in the business, as there needs to be a top-down cultural shift towards embracing privacy concerns.
  • In an employer capacity, you should review all your employment contracts now to check if employee consent is being relied upon. If this is the case, then contract variations must be made, with the assistance of an employment specialist, as consent cannot genuinely be said to have been ‘freely given’ between employers and employees due to the unequal bargaining strength of the parties.


We are but two fictitious characters throwing out ideas and comment to stimulate debate and collect information. As professional service firms, we are open minded people and think independent thought and debate is essential to help understand, as well as navigate, complex problems. By joves – doing business across Europe (and the world) is set to become a whole lot more complex in light of recent seismic political events. As businesses - we provide information and hopefully some wisdom - and we see this blog and its caricatures merely as a much more fun, perhaps slightly controversial way, of stimulating debate and collecting ideas. We’re searching for some true pearls of wisdom, and as we find them, we’ll share them with you.


Copyright © 2013 - Oury Clark.