GDPR - Ten key points we've learnt since 25 May 2018
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and was cited as one of the biggest changes to data protection in years. It has changed the way in which organisations manage, process and handle data.
Last year, our Professional Indemnity Team invited Jezz Gobran, a Data Protection specialist from i-Secured, to explain what the changes would mean to your law firm. He is now back to give you his thoughts on GDPR since its introduction in May.
Eight months in, you would be forgiven for thinking that not much has happened since 25 May when the Data Protection Act 1998 was replaced by the Data Protection Act 2018 (along with the GDPR).
If you've been looking, what has happened is significant and gives a clear picture of what the next 6-12 months may look like. If you think it is going to go away, or that a tick-box approach will work, you're wrong and you should really read on.
There are ten key points we'll cover in this short piece: why they should be important to your business and what action you should really take.
1. Let's start with the ICO (Information Commissioner's Office)
As many would imagine, the ICO has had to recruit and train a significant number of people over the course of the last 12 months. This is coupled with a 160% increase in complaints and self-reporting in comparison to the same period of 2017, according to data from law firm EMW.
This gives a real indication that organisations and individuals do not yet understand their obligations and what is or isn't reportable.
Much of the ICO's time (and over £2 million) has been spent on the Facebook-Cambridge Analytica investigations. Time will tell how it plays out, but the starting point has been the maximum fine under the old Act.
My opinion (based on solid foundations) is that Facebook is not transparent about its privacy obligations and has shown on many occasions that, despite what it says, it has very little regard for privacy.
Many of the things we have seen from the ICO since 25 May have been issues raised pre-GDPR, and this is likely to continue into 2019. What we have seen is that the fines issued have been proportionately higher than they were previously, which in my mind is a sign of things to come.
It's also worth noting that these fines have, in the main, been issued not to large corporates but to smaller organisations. This isn't new, but many feel that the ICO will only go after large businesses. That is a false assumption.
Action: I understand that as lawyers you may have different specialisms. If you are not a data protection lawyer, it may be worthwhile getting a data protection specialist to review what has been done to ensure you're GDPR compliant, and either confirm you're on the right track or suggest necessary actions.
2. Equifax and the significance for your business
Without going into the detail of the Equifax data breach, there are two standout points.
- The first was poor patch management: an unpatched system was exploited. Patching is a fundamental of both IT and good security practice, and there were no checks in place as a failsafe.
- The second is lack of adherence to internal policy. This is something I see in nearly every business I work with at the outset.
Businesses will go to the time and expense of having internal policies; in some cases well written, in most cases a template taken from the internet that bears no relation to their business. In all cases, what is written simply does not mirror working practices and becomes pointless.
In terms of meeting the obligations of the accountability principle, demonstrating organisational and technical measures, or privacy by design, one could hardly be further away.
Why is this so important?
Aside from the breach of privacy, which is significant enough, the ICO fined Equifax £500,000, the maximum under the Data Protection Act 1998.
It's nothing less than one would expect. However, it is something that in recent years has happened very infrequently, and to me it shows intent that the ICO's response will be robust where poor security is concerned.
Action: Do you know for a fact where the weaknesses are in your systems or processes, or do you just think you know? There is a huge difference between the two.
3. Vicarious Liability is pretty significant
There's the surprising decision of the High Court, upheld by the Court of Appeal, in the case of Morrisons Supermarket and its 2014 data breach. The Court's ruling in a group action brought by around 5,000 employees has left Morrisons vicariously liable for its employee's actions.
What makes this case so surprising is that the individual whose malicious actions led to the breach was criminally convicted and is now spending his time at Her Majesty's pleasure.
The significance of this ruling, if not overturned at the Supreme Court, is that it is likely to catch out many businesses that continue to put their heads in the sand rather than face up to the risks and decide how they wish to deal with them.
Whether the rulings end with compensation being paid to the employees or not, the toll on Morrisons' time and finances (£2 million to date) is huge. Could your firm afford it?
Action: Conduct an information risk assessment to identify the risk to your firm, and a privacy impact assessment to understand the impact on individuals. Determine and document your response to those risks, and ensure that what you write is what you do.
You will be surprised at what you find!
4. Know the processing you do
I get asked on a regular basis to write a privacy notice without knowing much about the business. I get asked just as regularly to review a privacy notice and suggest changes without knowing much about the business. In both instances it's impossible.
Whilst law firms will practise similar legal disciplines, the manner in which they do so, some of the retention periods they set, and the parties they share or disclose data with are likely to differ. As a result, there is no one-size-fits-all approach and it should not be treated that way.
The starting point, whether you are required by law to do so or not, is to meet the expectation of Article 30 of the GDPR and put together a record of processing activities. It stands to reason that you would want to know what data is processed and why.
It will also provide a really clear picture of everything that needs to be included in privacy notices, and it should be the absolute foundation for any current and future processing activity. It should be the starting point for all data processing.
Action: Check that the business has a complete, accurate record of processing activities and that it is actually referred to. If you don't have one, or it isn't used, put one in place and make any necessary adjustments to your ways of working as a result.
5. Lexcel requirements
For those of you accredited through Lexcel, it will be no surprise that they have now improved the section on data protection/GDPR in their latest audit pack, which, by the time you read this, will be in use.
What's interesting is that if we go back two years (and I know this might be a little controversial), it was clear from conversations with some of their auditors that they felt uncomfortable with the section on data protection and information security, and so did a surface audit. If you had a policy with the correct title that at a cursory glance looked like it had feasible content, it would simply "tick the box" and they would move on.
In my opinion this will have changed this year: Lexcel will want to ensure that its auditors and accreditation process are even more meaningful and robust, so a tougher time may be had if your firm cannot demonstrate understanding of, and compliance with, their expectations.
In terms of those expectations, the Article 30 record of processing activities from point 4 is on their list of requirements, and having worked through it fully and accurately is an essential part of their process.
Action: If you're doing what is required under the Data Protection Act 2018, you will be able to demonstrate and discuss what your obligations are and how you are meeting them. If you are not, then getting to grips with them and understanding how they fit into the Lexcel requirements will be essential.
6. Email marketing and social media
Now I know that email marketing is covered by both the DPA/GDPR (in terms of conditions for processing personal data) and E-Privacy (consent for e-marketing). But most of the firms I meet, including law firms, are not familiar with E-Privacy, which is hindering their advice and their ability to legitimately reach prospective clients.
What I am finding is that the approach in many cases was to ask for re-consent prior to 25 May (which was not necessary), and this has resulted in up to 97% of existing client and prospect lists no longer receiving legitimate communications.
What's worse is that this advice has been given to clients, and in some cases I am working with clients who have been given incorrect information by their solicitors. I don't need to tell you that this is bad for everyone's business and reputation, and seriously limits business opportunities.
From the other side of the fence, many of the financial penalties levied this year have been for poor marketing practices.
Where social media is concerned, your firm may use it to engage with prospects and clients. This year alone a German court has ruled twice against Facebook (unlawful use of Facebook Audiences without consent, and that administrators of Facebook pages are joint controllers with Facebook).
Facebook is under the microscope and, with billions of pounds of lawsuits to defend, this scrutiny is likely to continue, and rightly so.
Action: In the first instance, make sure you understand the E-Privacy law and how it dovetails with the DPA/GDPR.
You can then change your own approach and the approach you advise clients to take. In addition, review how your firm uses social media for marketing purposes and ensure that you are happy with the risks.
7. Resilience and access to information
Nothing new, but Article 32 of the GDPR is very explicit. Among the measures it lists are:
"The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services."
"The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."
These requirements are something that we all take for granted; however, when you really look into ensuring information systems are resilient, accessible and can be restored easily, it is not always as straightforward as it seems, as some of the banks (Tesco, TSB) have found out.
Why isn't it that straight forward?
In my experience there are firms that see information systems as an investment to support the business, its ability to serve its clients and its efficiency, resulting in a decent level of investment and a place on the agenda.
There are also those that see information systems as a cost and a hindrance, and therefore spend as little as possible on them while hoping and expecting them to work. Well, you know what they say: you get what you pay for...
Which type of firm is yours?
Why is this important?
Over the course of the last four weeks I have had conversations with two firms that have each experienced up to four days of downtime due to IT and connectivity issues, which impacted their ability to serve clients.
From a data protection standpoint (not to mention loss of revenue), lack of investment has limited these firms' ability to meet the two obligations quoted above, and would no doubt have caused client care issues.
Action: Don't take it for granted that your systems work fully, as expected, and that you will not suffer any downtime if there are IT or connectivity issues.
Get them looked at professionally, get backups tested (a backup that has never been restored is an assumption, not a safeguard) and have failsafes in place to limit the negative impact on clients and your business. You would be surprised at the number of businesses that have no redundancy in place should the worst happen.
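As an added illustration of what "get backups tested" means in practice (example code written for this page, not from the author or i-Secured): the script below backs up a small directory, records a hash of every file at backup time, restores the archive into a separate location and checks each restored file against those hashes. It then damages the archive and runs the same check again to show the failure being caught, which is the case that matters for the Article 32 restore obligation. The "matters" directory, file names and contents are constructed for the example; only the Python standard library is used.

```python
"""Restore test for a file backup. The archive is only trusted once it has
been unpacked somewhere else and every restored file matches the hash
recorded at backup time. All paths and data below are constructed."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive every file under `src` and return a manifest
    {relative path: sha256} taken from the live files at backup time.
    Store the manifest separately from the archive: a check that reads its
    expectations from the artefact it is verifying proves nothing."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = _sha256(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Unpack `archive` into a fresh directory and compare it with the
    manifest. Returns a list of problems; an empty list means the restore
    reproduced every recorded file byte for byte."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # 'data' filter refuses absolute paths and links that
                    # escape `dest` (Python 3.12+, backported to 3.8.17+).
                    tar.extractall(dest, filter="data")
                except TypeError:  # interpreter without the filter argument
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # A corrupt or truncated archive is a failed restore, not a
            # crash: report it the same way as a missing file.
            return [f"archive unreadable: {exc!r}"]
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif _sha256(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a tiny 'matters' tree is backed up and the
    restore verified; the archive is then truncated to simulate a damaged
    backup medium and verified again. Returns (problems before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "matters"
        (src / "client-a").mkdir(parents=True)
        (src / "client-a" / "engagement.txt").write_text("engagement letter\n")
        (src / "client-a" / "notes.txt").write_text("attendance note\n")
        archive = root / "matters.tar.gz"

        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)

        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # damaged copy
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    before, after = run_demo()
    print("intact archive:", "OK" if not before else before)
    print("damaged archive:", after)
```

The point of the design is that the verification never trusts the backup job's own success message: it restores to a location that is not the live system, compares against hashes captured independently, and treats an unreadable archive as a failed restore rather than an error to be ignored. Run on a schedule against real archives, the non-empty list is the signal that the "ability to restore ... in a timely manner" obligation is not currently being met.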
8. Technical measures: encryption of communications
It would be wrong of me to write a piece and not get into any detail regarding technical measures. For now, I will stick to encryption of communications.
We know that we should keep communications safe and secure, and we know that, as a general rule, law firms handle seriously confidential matters, yet I am amazed by the number of firms that do not subscribe to encryption services.
There seems to be a preference for putting a couple of lines in the terms of business stating that the firm recognises that email is an insecure method of communication, while doing nothing to mitigate the risk.
You won't need me to tell you the number of businesses that have been compromised through poor email security, including communications intercepted via a "man in the middle" attack.
The issue here is that, as a data controller, one must take measures that are appropriate and proportionate, understand the risk and mitigate where necessary. I can't see any legitimate argument for not encrypting emails, and it is your obligation to ensure that confidentiality and integrity are maintained.
For me, encryption of email is just the tip of the iceberg, and we must be concerned with the overall security of processing. Whilst this falls specifically under Article 32, security of processing is in my view present in at least three other articles: accountability, privacy by design, and the obligations of the controller.
9. Necessary
Not a big word, but in the context of data protection a huge one. These nine letters are critical when looking at the legal basis for processing and the data protection principles, as the word appears in most of them.
Action: Start at the beginning. Look at everything that your firm does with personal data, see whether a legal basis can be applied and whether that processing can meet the principles. Remember the word 'necessary' as you go through the process.
10. The Data Protection Act 2018
On 25 May the Data Protection Act (DPA) 2018 came into force along with the GDPR; however, many have not read the DPA, which is leading to problems in the implementation programmes I have seen to date.
From a UK standpoint, the two pieces of legislation cannot be read and interpreted separately without a negative effect on a business and its understanding of what needs to be done.
Action: Read the DPA 2018 and ensure your compliance programme meets obligations set out within it.
If over the last six months you were expecting to see the ICO come out all guns blazing, you'll be disappointed, as it's not their style. There is plenty going on behind the scenes and much to deal with in terms of all the false reporting, not to mention some of the real headline cases.
From your firm's standpoint, are you taking the tick-box approach and hoping that the worst never happens, and if it does, well, you're willing to roll the dice?
Or do you want to meet your obligations because it's the law, it's the right thing to do and it's good for business? If you are the latter, it is worth considering each of these points and deciding to tackle each and every one.
Importantly, get specialist help where it is needed. You'd be horrified if a client said they were going to Google for legal help instead of using your firm, because they can find general information on the internet and should be able to get their matter sorted from there.