This is a transcript of a seminar given by Michelle Garlick of Compli, Weightmans in September 2018 and was first published on Aon’s Quality and Risk Management Portal for solicitors.
We often see the first hundred days used as a milestone when assessing the success, or otherwise, of a new role, new job or, indeed, a new President.
We’re now comfortably past that milestone for the General Data Protection Regulation (GDPR), so it’s a good time to take stock of the compliance work that firms should have completed by now, address some frequently asked questions we have received from Aon’s clients and look to what the future is likely to hold.
So, 25 May 2018 was the dawn of a new era. GDPR came into effect, and the Data Protection Act 2018 (DPA) passed into law. “A new era” might sound like hyperbole, but the sanctions and reporting obligations contained in the regulations place a new and significant burden on organisations holding personal data. We witnessed a great deal of anxiety and feverish activity in the run-up to GDPR’s D-Day, and I would hope that most, if not all, of you reading this article will have completed all of the necessary legwork needed to comply, at least initially, with the regulations.
The Information Commissioner’s Office (ICO) has made it clear that 25 May 2018 is not an end-point but the beginning of this new era. The ICO, which will be enforcing both GDPR and the DPA, is aware that effective data protection requires ongoing commitment and effort by organisations. In turn, it is committed to playing its role by sharing information and its post-implementation experiences.
Before we examine the regulations in more detail, it’s useful to clarify the difference between the DPA and GDPR, because there is a difference. The DPA doesn’t incorporate GDPR into UK law. As a regulation, GDPR is directly applicable across the EU and will still be law post-Brexit until or unless the government decides to replace it. The DPA aims to update data protection laws in the UK and will sit alongside GDPR. So, you need to be aware of both of them.
The DPA does extend domestic data protection laws to areas not really covered by GDPR, for example, personal data where it is related to immigration or personal data processing by intelligence services. In the main, data protection will be governed by the requirements of GDPR but don’t disregard the DPA.
There are four key GDPR issues raised in calls to the Aon Helpline that we’ll deal with in turn:
- Privacy policies (internal and external)
- Data Subject Access Requests and data breaches
- Data protection officers
- The legal basis for processing
Privacy policies (internal and external) queries
Hopefully, by now, you should have updated your privacy policies. If not, you must deal with this quickly. It’s a common misconception that GDPR is just for clients and other contacts, but it goes further than that. Your privacy policies also need to cover individuals internal to your firm: your employees, contractors, work experience and vacation scheme placements. Your policy also needs to cover people like job applicants. You have to inform applicants within a reasonable time, and at the latest within one month of their application, how long you are going to keep their data, how they can withdraw consent, request correction, access data and request deletion of the information that you hold on them, and to whom they should direct complaints. So, there are a lot of people you need to think about; you must understand the type of data you’ll be keeping and how you are going to manage that data.
Data Subject Access Requests and data breaches queries
Weightmans has experienced an increase in the number of Data Subject Access Requests (DSAR) since May, and I’m sure we’re not alone. Some requests may be for perfectly legitimate reasons. Others, perhaps, are motivated by the desire to make trouble, create difficulties for the firm or to avoid paying a fee bill. Whatever the incentive, DSARs are likely to be a recurring feature for your firm.
DSARs can be made verbally; they don’t have to be in writing. DSARs can be made to anyone in the firm, so it’s really important that all of your staff can recognise a DSAR when it’s made. Any request is unlikely to state “this is a DSAR”, so it’s vital to train all of your staff to recognise a DSAR and respond appropriately.
In the event you receive a DSAR, you have one month from the receipt of a valid request to provide the information. The response date is calculated from the day after you receive the DSAR to the corresponding calendar date the next month. So, if you receive a DSAR on 11 September, you’ll have until 12 October to provide the information. If the DSAR is complex, then you can extend the deadline by a further two months, but you have to explain why to the data subject and let them know within one month of the request.
Once you have all the necessary information, don’t delay by asking for unnecessary detail. You mustn’t be obstructive in providing the information or you will run the risk of receiving a complaint or, worse still, your firm might be reported to the ICO. It’s good practice to keep a DSAR register including key dates as the timescales for providing responses are quite strict.
You can withhold information if disclosure would adversely affect the rights and freedoms of others, and remember the exemption if you can claim legal professional privilege in legal proceedings. Your exemption rights are set out in Schedule 2, Part 4, Paragraph 15 of the DPA.
You need to set out how you will deal with DSARs in a policy with a procedural plan and template letters. Having a structured procedure will certainly be a benefit if your firm is receiving a large number of DSARs, especially regarding DSAR identification and validating that the DSAR represents a legitimate request. For example, does the request contain all of the information that you need to enable you to perform the work required? Have you verified the data subject’s identity to ensure that they are entitled to the information?
Ensure that you have a process for internal and external reporting and make sure this forms part of your staff training programme. Dealing effectively with DSARs will be an important component of practice management, and it’s an issue that we cover in greater depth in our webinar.
Identifying and responding to data breaches is a complex topic and one that you must be able to address should the worst happen. Again, this issue is addressed in our GDPR webinar and in detail in our “Cyber Attacks And Data Breaches / Legal Sector Vulnerability” webinars. I would strongly recommend that you use these resources as part of your training and awareness programmes.
Data Protection Officers queries
One question we often face is “do we need to appoint a Data Protection Officer?” That will depend on your particular practice and core activities. Does your firm perform large-scale processing of special categories of personal data or data relating to criminal convictions? If so, you will need to have a Data Protection Officer (DPO). Even if your firm does not perform activities of this nature, you can voluntarily appoint a DPO, but beware: your DPO will then be subject to the same data protection obligations as those working for organisations obligated to have one. If your firm’s activities don’t require the appointment of a DPO, you can still appoint someone to oversee your data activities, but you cannot refer to them as a DPO. Perhaps use Data Compliance Officer, Data Administrator or Data Officer as an alternative title.
For legal firms with Lexcel accreditation, you will need to either appoint a DPO or have a written report detailing why your firm doesn’t need one.
The legal basis for processing queries
For law firms, this is pretty straightforward. Your contract defines the legal obligations between you and your client, so obtaining consent as a lawful basis for processing data should only be a last resort.
(Note: For non-law firms the same may apply when getting consent for processing your clients’ data, but if there isn’t a contract in place and you are processing their data for marketing or sales, you will need to use one of the other lawful bases open to you, such as legitimate interest.)
So, what’s next on the horizon?
I think it’s just going to be about developing processes and procedures with the help of information and guidance from the ICO. If you’re responsible for your firm’s data, you should make sure that you subscribe to the ICO’s website and re-visit that information resource on a regular basis.
It’s very likely that the ICO will test the new regulations by using its enforcement powers and ability to impose fines. Be prepared for fines to increase as the ICO’s expectation of compliance grows over time.
Look out for the introduction of e-privacy regulations for direct marketing, website cookies and e-communications, which are expected before the end of 2020.
Above all, be prepared for the new era of data protection obligations imposed by GDPR and DPA.