Data Protection

 

 

As we are all aware, the GDPR implementation deadline of 25th May 2018 is fast approaching….. in fact it’s just over 15 weeks away.  But were you also aware that the requirements for data controllers to register with the ICO, and the fees for registration are changing on 1st April 2018?

Under the current rules, organisations that process personal information are required to register (notify) with the ICO as data controllers.  The notification includes explaining what personal data they collect and what they do with it.  At the point of notification, the data controller is required to pay a fee, currently £35 per year for organisations with less than 249 employees, and £500 for all other organisations.

After 25th May 2018 there will no longer be a requirement to notify the ICO in the same way.  Under GDPR, data controllers are to be accountable by maintain records and conducting assessments of processing activities.

However, there is a provision under the Digital Economy Act that means there is still a legal requirement for data controllers to pay the ICO a data protection fee.  As with the notification fee now, the data protection fee will be used to fund the ICO’s data protection work as all money received in fines is passed directly back to the Treasury.

The Digital Economy Act paves the way for a new funding system.  The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data.  The size of the fee will still be based on a organisations size and turnover, but will also consider the amount of personal data being processed.

The final fee structure will go live on 1st April 2018 but is likely to be a three-tier system:

• Tier 1: annual fee of up to £55 applied to small and medium firms that do not process large volumes of data;

• Tier 2: annual fee of up to £80 applied to small and medium firms that process large volumes of data;

• Tier 3: annual fee of up to £1000 for large businesses;

• And a direct marketing top-up fee of £20 for organisations that carry out electronic marketing activities as part of their business.

If your renewal is due prior to 1st April, then you will simply renew under the old system and the new structure will not affect you until your following renewal.

‘new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.’

Get in touch

For more information about Data Protection Compliance and the GDPR, get in touch with our experts today.

 

So, if you haven’t heard about GDPR by now you must have been in hibernation for quite some time!  It’s coming……soon….. but where are you on your journey?

A small percentage of you will have been aware of the General Data Protection Regulation (GDPR) since it was adopted in the EU in 2016.  A larger percentage will probably have become aware around the start of 2017, maybe a few of you have genuinely only just heard about and are starting your preparations now.

In theory, if you are fully compliant with the Data Protection Act 1998 then you are already part the way to being compliant with the new regulation, but may firms will find that they were perhaps not as compliant as they first believed………do you have a large store room full of very old files for example?

I became aware of GDPR towards the end of 2016 when I attended a Data Protection for COLPs course.  My firm, like many at the time, did not have GDPR on the radar so I went back to the office and began awareness raising, inadvertently volunteering myself to create a project plan and briefing for the Board and I have been managing our preparations since January 2017.

So what are my ten top tips?

1.  It’s a journey, not a destination….

Preparing for GDPR is not about ‘tick-box’ compliance, its about making sure your policies and procedures are sustainable, and that you have a plan for checking your controls, policies and procedures work for your business and are being followed.  Yes, you are working towards getting those policies and procedures in place to ‘switch-on’ on the 25th of May but you also need to ensure that they are sustainable.

2.  Research

GDPR enhances many of the provisions of the current DPA 98 but it also introduces new ideas and data subject rights.  Are you fully up to speed on ‘the right to be forgotten’, ‘the right to data portability’ and ‘privacy by design and default’?  If you are, do you understand what changes you need to introduce to your firm to ensure that you can have workable, sustainable procedures and processes AND to demonstrate accountability?

What is your legal basis for processing personal data?  Do you need to rely upon consent or do you have a different legal basis?  As a law firm you will be processing under a contract rather than relying upon consent but does all of your processing fall under the contract with the client?  Do you process sensitive category data?  You need to understand what data your business processes as well as the GDPR requirements for that data.  Do you understand the definition of ‘processing’?

3.  Information audit

The first, and one of the most important stages of preparation is to conduct a thorough information across all areas of your business – don’t forget that your employee’s personal data is also included for GDPR purposes, it’s not just about your client personal data.  You need to document exactly what personal information you process, why you process it and how you process it.  Consider any risks to the data during processing for each business area.  Treat the audit as a GAP analysis – do you still think you are fully DPA 98 compliant or are there clear GAPs which need to be considered?

4.  Plan, plan, plan

Once you have the results of your information audit you should be able to design a comprehensive plan for your preparations.  If you have a Project Management Team, now is the time to get them on board!  What resource do you have that you can dedicate to the preparations?  Your plan will need to be a living, breathing document that you update on a regular basis.  Your plan will evolve and grow as you work through the actions (and may grow longer before you know it!)

5.  Data flow mapping

Do you know how personal data moves through your business?  Can you clearly demonstrate the flow of data through your systems from on-boarding to file closure?  It’s important that you have this mapped out (your IT department are your new best friends!) – how can you comply with a subject access request if you don’t know where to look for all the data subject’s personal data?  Don’t forget your paper filing systems and off-site storage!

6.  Third party systems

Do you use any third-party systems?  Most law firms with a case management system will use a third-party system.  Through your information audit and data flow mapping you should identify exactly what systems you use but it’s important to also consider where that system stores the data – is it on your network and server or is it held on the third- party server.  Does it link to your case management system so you can easily access the data if your receive a data subject request?

7.  Awareness and engagement

It’s really important to promote GDPR awareness throughout your business, to all departments and all levels of employees.  Engage all business area heads at the earliest opportunity, they are the people who understand how your current processes work on a day to day basis, without them you will not be able to implement the changes you need to ensure compliance.  Your IT department, whether internal or external, is a valuable asset – do you understand how your IT systems work on a technical level, probably not so make your Head of IT your new best friend and ensure they are fully briefed on GDPR requirements.

Engagement at the top will make your project run smoother – you will need investment in your project in the form of people resource and potentially a financial investment depending on the outcome of your information audit.  You are more likely to secure this resource and investment if your Board, senior stakeholders and investors understand what GDPR means for the business.  Remember, it’s not just about avoiding the potentially huge fines, by being compliant you build trust with your clients and professional partners and through better processes you can offer a high level of customer service.

8.  Policies and procedures

You will need to conduct a thorough review of your data protection policies and procedures – this will include your retention policy and privacy risk should be included within your risk management framework.  You will need to build new procedures for the new data subject rights.

9.  Data retention

Law firms have a reputation for storing documents and files for much longer than required for legal and regulatory purposes so now is the time to ‘get your house in order’.  Do you have a robust archiving, storage and retention policy?  If you do, is it followed?  Do you have a secure way to delete files once the storage period has come to an end?  What about legacy systems and databases, and cloud systems?  Can you securely data that is held on your third-party systems?  Again, business area engagement is important to ensure that you meet your legal and regulatory obligations (which means you will have to delete some data).

10.  Training

You can have the best policies and procedures in the world, but they are useless if your employees do not know they exist or do not know how to put them into operation.  GDPR is a difficult and dry subject so it’s probably best to break the training down into small chunks.  Make it interactive and engaging (or get someone in who can do this for you).

Get in touch

So, after reading this, how do you feel about GDPR now?  If you are a compliance ‘geek’ like me then you will feel excited and fired up ready to start your journey.  Alternatively, you may be feeling overwhelmed and unsure where to start.  Fear not!  The ICO have some really useful (and free) resources. Alternatively, check out our data protection compliance services or contact one of our experts for more information.

 

Recently,  the Bill re-authorising section 702 of FISA (Foreign Intelligence Surveillance Act) was passed in the US House of Representatives after the original December deadline was extended until 19th January.  Although the Bill still has to get through the Senate, it seems that with the backing of President Trump, the Bill allowing targeted surveillance of non-US nationals outside the US will be re-authorised despite the concerns of the EU WP29.

On 28th November 2017 the WP29 published its report on the first annual Joint Review of the EU-US Privacy Shield.  WP29 had previously expressed concerns about the Privacy Shield, and whilst they acknowledge that progress has been made, they still have a number of concerns around transparency and in particular, access for US Law Enforcement and National Security purposes.

“The WP29 welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield through for example the strengthening of the checks performed prior to the listing of certified organizations.”

For those of you who need reminding, in October 2015 the European Court of Justice declared ‘Safe Harbor’ invalid, leaving the EU Commission and the US Government to find a new way of safeguarding EU-US data transfers.  In February 2016, political agreement on a new framework was reached and the final version was adopted by the EU Commission on 12 July 2016.  The self-certified Privacy Shield requires companies to establish a privacy policy which is in line with the privacy shield principles.  Companies are obliged to re-certify on an annual basis.  Part of the agreement was an annual joint review.

In September 2017, EU Commission and the WP29 visited Washington to undertake the review.  The Commission published its report in October 2017, and adopt a seemingly different position to WP29:

“The Commission stands strongly behind the Privacy Shield arrangement with the US.  Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs.  This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”

However, the WP29 report lists a number of concerns which fall broadly into two categories; commercial aspects and concerns around Government access to EU personal data for law enforcement and National Security purposes (with specific reference to s702 FISA).

The commercial aspects that remain a concern include:

• A lack of guidance and clear information on the Privacy Shield principles, onward transfers and the rights and available remedies for data subjects;

• The need for increased oversight and supervision of compliance with the principles;

• The need to distinguish between the status of data processors and data controllers

• Required improvements in the interpretation of and handling of ‘HR data’

• Lack of rules on automated decision-making and profiling

• Unresolved issues from opinion 1 of 2016

The WP29 acknowledges that progress has been made in comparison with the previous Safe Harbor arrangements.

They also acknowledge that progress has been made in respect of the concerns around access to data for law enforcement and National Security reasons, but a number of concerns remain, specifically in relation to the collection and access of personal data for national security purposes under section 702 of FISA and Executive Order 12333.  Executive Order 12333, originally signed by Ronald Reagan, compels leaders of US intelligence services to co-operate fully with the CIA.

Two programs operate under s702 FISA – PRISM and UPSTREAM.  PRISM requires internet service providers to provide the US authorities with the data of their users corresponding to ‘selectors’.  Under UPSTREAM, telecommunication providers are required to assist the NSA by collecting data from the chosen ‘selector’.  WP29 has specific concerns around the UPSTREAM programme:

“…the WP29 calls for further evidence or legally binding commitments to substantiate the assertions by the US Authorities that the collection of data under s702 is not indiscriminate and access is not conducted on a generalized basis under the UPSTREAM programme.”

WP29 viewed the re-authorisation of s702 as “an important opportunity to include additional safeguards…” but it remains to be seen whether this feedback has been taken on board when the Bill passes to the Senate on 19th January 2018.

What is clear, is that WP29 have given a stark warning to the US in respect of the Privacy Shield if their concerns are not addressed prior to the GDPR implementation date of 25th May 2018:

“In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”

If WP29 chose to go down this route there could be detrimental consequences for EU businesses that need to transfer data to the US (and vice versa).  It would be prudent for those businesses to ensure that they fully understand the systems and processes they have which could be impacted by any such action and to keep fully up to date with any developments.

In the meantime it’s just a waiting game, with only a few months to go until 25th May…

Get in touch

For more information about our data protection services, simply contact one of our experts today.