GDPR update – what’s next?
The General Data Protection Regulation (GDPR) was the biggest change to data protection law in 20 years. It extends the rights of individuals (data subjects) and requires organisations to develop and implement policies and procedures to protect and secure the personal data they hold. Guy Cartwright, an Associate in the Commercial Services team at Coffin Mew, answers some of the most common questions we are receiving from our clients on the impact and implementation of GDPR, including lessons learnt, top tips for compliance, and his thoughts on what’s next.
1. How has Coffin Mew been helping its clients comply with the GDPR?
We understand the difficulties significant changes in regulation can have on our clients because all our Commercial Services team have worked in-house. One of the things we realised when speaking to our clients about the GDPR was that they were unclear about the steps needed to achieve compliance. In response, we developed a simple and flexible compliance tool. Clients complete our Compliance Questionnaire which consists of around 8 questions in areas including data security and data retention. We’ll then review the Questionnaire with our client, ask any follow-up questions and then draft our GDPR Compliance Report (Report). When complete, the Report provides our clients with a compliance assessment grading, areas of non-compliance and identifies any remedial actions required to achieve compliance. We assign each area of non-compliance with a red / amber / green (RAG) rating so clients can easily prioritise key risk areas.
We’ve also developed our own extensive bank of templates that can be easily tailored to fit the client’s individual circumstances. This includes data handling agreements, external privacy policies, internal policies including data protection and data breach policies. This means we cover both the internal and the external aspects of compliance. The Report can be updated periodically in response to changes in process or when an issue is remediated.
We are also seeing privacy and data protection as an increasingly important issue in corporate transactions and the Report is a useful document for both the buyer’s and seller’s legal team as part of the due diligence process.
2. What types of clients have Coffin Mew been working with on GDPR-related issues?
We’ve worked with multiple clients across different industries and sectors from large multinationals to small family-run businesses. Our largest client is a semiconductor manufacturer with a turnover of over £800 million. We’ve also worked with our clients in the technology, fashion, energy and waste management, transport and oil and gas sectors.
The GDPR has given us a great opportunity to get to know our clients and their businesses on a deeper level. The GDPR requires you to really delve into the detail and understand data flows and business processes.
3. What are the main areas for non-compliance identified since the GDPR applied?
Record keeping has been a key theme. Particularly for businesses of a certain size, the GDPR imposes strict record-keeping requirements. In order to be compliant, businesses must document their data processing activities, including establishing a legal basis for processing each category of personal data. Good record-keeping flows into all the other regulatory requirements and is the basis for compliance with the GDPR.
Another key theme has been the lack of comprehensive policies and procedures on privacy and data protection. The GDPR is explicit on the information that must be provided to individuals when collecting and processing personal data.
4. What issue have clients found most difficult to rectify?
Without doubt, the most difficult issue for clients has been negotiating data handling agreements. It’s now a requirement to have specific contractual terms in place between the contracting parties where one processes personal data on behalf of another. Depending on the type and nature of the processing, data handling agreements can be complex. One of the main aims of any contract is to appropriately balance risk between the parties. This can be difficult objective in these types of agreements because the contract value can be relatively low but the potential fines for non-compliance can be extremely high.
5. What are your top tips for compliance?
- Know your data: Audit all of your processing activities and make sure you have a basis for processing each data type.
- Update contracts: Identify your third party processors and risk-rate them according to the type and volume of data they process. Then, ensure you execute data handling agreements as soon as possible. This is a key requirement under the GDPR.
- Review policies: start by reviewing and updating your customer and employee privacy notices and then look at other ancillary policies for example outsourcing or I.T. security.
- Don’t forget retention! Data minimisation is a key principle of the GDPR so delete data you no longer need!
6. Is Brexit going to have an impact on data protection law?
The main concern for the UK Government is to ensure the free flow of data between the UK and the EU after Brexit. At the time of writing, this objective has not been achieved. Under the GDPR, organisations can transfer personal data from the EEA to a third country provided one of the following grounds is true:
(a) the organisation has consent from the data subject;
(b) the European Commission has determined the recipient country has an adequate standard of protection (adequacy determination);
(c) contractual standard clauses approved by the European Commission (“Model Clauses”) or Binding Corporate Rules are in place; or
(d) there is an approved code of conduct or certification in place
If the UK leaves the EU without a deal on data protection, organisations that are based or store data in the EEA would need to ensure one of the above grounds is true prior to transferring data to the UK, as the UK would be regarded as a third country. UK – EEA transfers will remain uninterrupted according to the Government as the UK Data Protection Act is closely aligned with the GDPR.
7. We’ve heard a lot about the potential fines under the GDPR. Have we seen any enforcement action taken by the Information Commissioner’s Office (ICO)?
The ICO issued its first ever GDPR Enforcement Notice (Notice) to AggregateIQ (AIQ) back in July. AIQ is a Canadian based digital advertising, web and software development company and has previously been linked to Cambridge Analytica and Facebook. The Notice states that AIQ failed to comply with its obligations under the GDPR when engaging in targeted political advertising on behalf of organisations like Vote Leave and BeLeave. In particular, it is alleged that AIQ processed individuals’ personal data “for purposes for which they would not have expected.”
It could prove an important test case in this uncharted area and will give us a better indication of the level of fines that the ICO is prepared to issue for serious breaches of the GDPR. The fact that AIQ is a relatively small Canadian company also shows the global impact that the GDPR is having on privacy and data protection.
8. What’s next?
We are still receiving new instructions from clients looking for data protection and privacy-related advice. More generally, the ICO has indicated that it intends to publish additional guidance on:
- data sharing;
- standards of age-appropriate design of information sharing likely to be accepted by children, considering likely use and development needs;
- regulatory action (information, assessment, enforcement and penalty notices); and
- data processing for journalism.
If you would like any help and advice on GDPR get in touch with a member of our GDPR team today or email firstname.lastname@example.org
You can also view our Guide to GDPR here.
About the Coffin Mew data protection team
The team’s led by Mark O’Halloran. Mark specialises in the technology, media and product distribution sectors, and has advised clients on data privacy since 1998.
Guy Cartwright is an Associate and a GDPR specialist with several years’ in-house experience in the banking and financial services sector.
Solicitors Andrew Jerrard and Charlotte Allery did their legal training with our Commercial Services team. Andrew focuses on the B2B aspects of GDPR and Charlotte focuses on the internal/HR aspects. Each has two years’ in-house experience – Andrew with a civil engineering company and Charlotte with a recruitment trade body.
Paralegal Nicholas Cook has substantial GDPR experience in running large data protection projects.