Data protection critical for wellbeing of your business
Data protection matters: Getting it wrong can cost your organisation millions and significantly devalue your business!
Business life in a post-Brexit world has brought lots of new considerations for UK, European and global organisations in every industry sector, writes Jagvinder Singh Kang, Partner, International & UK Head of IT Law at Mills & Reeve.
However, things have become even more complex from a technology law perspective over the past 12 months, in particular with regard to how personal data is treated.
All organisations use personal data. This may be for normal Human Resources management with regard to an organisation’s workforce (eg names and contact details of employees). Certain organisations may also use personal data in:
- Transactional arrangements
- Customer relationship management
- Marketing and advertising (eg through the use of website cookies, email and social media); or
- Clinical trials.
So what has changed? Many organisations are still struggling to get to grips with GDPR, almost three years on from when it first came into force. However, now organisations have the additional challenge associated with having two ‘flavours’ of GDPR – the UK GDPR and the EU GDPR – so the data protection regime has become even more complicated.
The new regime, which came into force this year, means that organisations will need to undertake an analysis of their use of personal data not only in the context of the European Economic Area (EEA), but also in the context of the UK. This will mean complying with two different legal regimes (EU GDPR and UK GDPR), as well as any additional country-level Data Protection laws.
If that was not enough, there is yet more to contemplate, as 2020 saw the Privacy Shield being struck down by the Court of Justice of the European Union in a case commonly referred to as ‘Schrems II’. Although the case related to transfers of personal data to USA organisations, the ruling has had much wider implications.
It has affected all global personal data transfers from the UK and EEA to countries which do not have an ‘Adequacy Decision’ or ‘Adequacy Regulation’ in respect of them (ie those countries which have not been recognised by the UK or European Commission as providing adequate safeguards for the processing of personal data – so they do not have a safeguarding regime akin to that of the UK and EEA).
This therefore affected, and continues to affect, any personal data transfers to the USA, as well as to other countries, such as India and China.
The Court ruling from last year sought to reinforce the rights and obligations of parties under the GDPR. In doing so, it has also affected every organisation which is subject to UK/EU GDPR which is transferring personal data to a group entity or service provider (including those offering Cloud/SaaS services) in countries such as the USA. Furthermore, the Court granted no ‘grace period’ for allowing organisations to get their affairs in order.
Although organisations have tried to address the requirements of the ruling – even though the ruling in itself gave rise to many unanswered questions – many businesses have been in the ‘dark’ about the effects of the ruling altogether.
Certain businesses have wrongly continued to rely upon the use of the Privacy Shield for personal data transfers to the USA, or existing Binding Corporate Rules or Standard Contractual Clauses for jurisdictions such as the USA and others. None of those pre-Court ruling mechanisms can be used to legitimise personal data transfers to the USA and certain other countries.
- The Privacy Shield has been struck down, so attempting to use that to transfer personal data, even to an organisation’s own group company, to the USA, is unlawful.
- Standard Contractual Clauses and pre-existing Binding Corporate Rules without what are known as ‘supplementary measures’ cannot lawfully be used to transfer personal data to the USA and certain other countries.
So what are these ‘supplementary measures’? The initial Court ruling was noticeably vague about this, so the European Data Protection Board stepped in to provide some guidance – although the matter is still far from clear.
However, some of the measures consist of additional technical and organisational arrangements to seek to deal with international personal data transfer risks – so this is something different to, and in addition to, the usual mechanisms which were being used by organisations to safeguard personal data prior to the Court ruling.
The whole international angle has also shone a spotlight on intra-group personal data transfers, as well as on the use of international service providers. Having negotiated IT and Data Protection contractual arrangements against some of the largest technology companies in the world, I have found it astounding that even they have been getting it wrong when it comes to GDPR compliance – and that they have not realised that until I have pointed it out to them!
So, if some of the biggest names in the industry are getting it wrong, organisations cannot simply assume that, because their larger competitors have put certain arrangements in place, they too will be compliant by following the same steps.
It is no defence to UK/EU GDPR non-compliance simply to say that others in the industry have got it wrong as well. It is also tempting fate to think that, just because you are not as large as others, or do not have the same market profile as others, your organisation will not be subjected to fines and enforcement action from the ICO in the UK, or from other Data Protection regulators (or ‘supervisory authorities’ as they are known) in the EEA.
Therefore, it is imperative to ensure that organisations have a good baseline with regard to their Data Protection compliance arrangements, something which specialist Data Protection lawyers can assist with.
Unfortunately, the ‘sudden rush’ to GDPR compliance in 2018 saw many organisations either ‘cutting too many corners’, or entrusting their compliance programmes to non-specialist consultants or lawyers. Such an approach is full of pitfalls.
As will be evident from the media, the ICO and supervisory authorities are not shying away from issuing multi-million-pound/euro fines for failures to comply with UK/EU GDPR obligations, so organisations need to take compliance seriously – a ‘save a penny and the pounds will follow’ approach does not work when it comes to the criticality of Data Protection compliance.
Consequently, organisations would be foolhardy to think that Data Protection work is a ‘commoditised’ offering and that any consultant or lawyer can do the work.
Organisations are sometimes keen to view it as such, but ‘penny-pinching’ on compliance is a false economy, especially if by doing so, it results in adverse publicity, a loss of confidence, a major devaluation of a company’s value (whether a mature organisation, or an innovative start-up looking for venture capital funding) – and let’s not forget the risk of fines, enforcement action and potential litigation.
Compliance undertaken properly, therefore, requires the engagement of an entire organisation, as well as working with a team that understands the technology, the IT and Data Protection contractual arrangements, and the Data Protection regime itself.
This is exactly how we work with organisations, so that we can take a holistic and pragmatic approach, so that the compliance supports the organisation, rather than gets in its way.
Another key element which underlies the Data Protection compliance regime is ensuring that organisations, within their group structure as well as in their interactions with third parties, get the Data Protection conceptual designations right, in terms of whether an organisation is acting as a controller, joint controller or processor for UK/EU GDPR purposes.
This may seem straightforward, but there are certain complexities and pitfalls, especially in view of recent case law, which can give rise to different determinations from what parties had self-designated. Getting this wrong can in turn lead to all of the adverse consequences which are linked with breaching UK/EU GDPR requirements.
In closing, here are five high-level key points for organisations to think about as part of their compliance programme.
- Do you have a strong UK/EU GDPR compliance baseline in your organisation? If not, then start by getting that right, as you cannot build upon weak foundations. Engaging with the right lawyers for this work can save you considerable headaches and significant costs down the line – especially if you get audited or investigated by the ICO or the supervisory authorities, or suffer a cyber-breach.
- Have you properly designated your interactions with third parties, to determine the controller, joint controller and processor status? If not, or if it has been some time since you last did this, then you need to address or revisit this, as otherwise all of your associated Data Protection compliance activities will be incorrect, as well as time- and cost-intensive to correct down the line.
- Have you identified your intra-group personal data flows, as well as the rationale for them, together with how they are being conducted and which countries outside the UK and EEA are involved? If not, then start the data mapping and document such data flows. Also consider which technical and organisational measures you have in place to safeguard personal data both within the organisation and internationally.
- Are you using Privacy Shield or just Standard Contractual Clauses for international data transfers with your group organisations or third parties? If it is the former, then you’re not compliant, and if it is the latter, then it is unlikely that you are compliant – make sure that you undertake a Data Protection Impact Assessment which factors in the international dimension, and you may need to seek specialist Data Protection advice to navigate the complexities of this.
- Do you know that if you get hit with a cyber-breach which affects personal data, and your UK/EU GDPR compliance measures are weak, then you will be at risk of a much larger fine and enforcement action? Well, you do now, so make sure that you sort out those compliance issues straightaway!
• For more details on the subject, email Jagvinder at the following address: Jagvinder.SinghKang [at] Mills-Reeve.com