Webinar round-up: Data protection – from best practice to damage limitation
We were delighted to join 5 Essex Court on Wednesday 13 May for their 40-minute webinar episode in their Sofa Series on data protection, marking two years since the General Data Protection Regulation (GDPR) came into force.
Dennis Lee, partner, and Oliver Willis, senior associate in our corporate and commercial team, joined Counsel from 5 Essex Court in a discussion on the impact on organisations which control and process data.
The webinar is now available here and summary notes are included below.
The webinar, chaired by Fiona Barton QC, covered:
Lessons learned from 2 years of GDPR
Alex Ustych, Barrister, 5 Essex Court
Lesson 1: understand the relationship between GDPR and Data Protection Act 2018. Apply both.
GDPR sets out the ‘mandatory minimums’ for data protection EU-wide but the Data Protection Act 2018 (‘DPA’) includes many of the requirements and exemptions applicable to processing data in this jurisdiction. DPA and GDPR are like two pieces of a jigsaw—they only make sense when pieced together. When dealing with any data protection issues, have copies of both documents in front of you and read them together (GDPR first). However, if dealing with ‘law enforcement processing’, only Part 3 of DPA will apply.
Lesson 2: appreciate that mere retention of personal data still amounts to ‘processing’ of that data
Data protection legislation applies to any ‘processing’ of personal data. It is a common misconception that only active use of personal data – such as disclosure to a third party – is ‘processing’ and so requires justification. In fact, simply having the data on your computer system means there is ongoing daily processing, which needs to be justified.
To address the risks of longer-term retention, it is useful to inventory the data held, adopt a review/deletion policy and ensure that there remains an ongoing legal basis for retention.
Lesson 3: make ‘necessity’ your mantra
Unless you are relying on data subjects’ consent, you will need to show another legal basis under GDPR and/or DPA to use that data. The key thread which runs through these requirements is ‘necessity’ – is it necessary to use the data in the way you intend? When considering necessity, here are some useful questions to ask:
- can we reasonably achieve the same result in a less intrusive way? For example, by anonymising the data.
- if the data subject sues us up to 6 years from now, how would we evidence having properly considered necessity? Document your analysis of necessity and any procedural requirements.
Lesson 4: identify the nature of your data relationships
Any large organisation will be at the centre of a web of relationships involving data transfers. Deciding whether you are a data controller or a data processor is usually fairly straightforward. However, what many organisations don’t consider is whether they are a joint controller as defined by Article 26 GDPR (two or more controllers jointly determining the purposes and means of processing). This status has significant implications for what you need to document and for who will be responsible if things go wrong. This is a complicated area and, if you think that your organisation may be in a joint controller relationship that hasn’t been properly identified or documented before, please do get some advice.
What have the last two years taught us about the regulator’s approach to enforcement?
Dennis Lee, Partner, BDB Pitmans
Very soon after the GDPR came into force, organisations and businesses alike became concerned about the possibility of big fines for breaches, and the fines that have been reported in the media undoubtedly sent shivers down our spines in terms of the numbers.
The ICO sends out regular updates and publishes on its website the fines that it has imposed. It is clear that the ICO has focussed more on certain types of breaches:
- poor security measures (as with the Cathay, BA and Marriott fines);
- breaches relating to direct marketing, which is not so different from its pre-GDPR approach; and
- breaches that raise public policy issues (such as the misuse of data in political campaigning).
In light of the COVID-19 situation that we are currently in, many public policy rules have had to be modified. The ICO has temporarily updated its policy to explain how it will use its powers during the pandemic period:
- it will focus its efforts on the most serious challenges and the greatest threats to the public;
- it will be flexible in its approach and will take into account the potential financial or resource burden its actions could place on organisations; and
- it will take firm action against those who misuse personal data to try to take advantage of the pandemic situation.
Responding to Subject Access Requests
Aaron Moss, Barrister, 5 Essex Court
Article 15 GDPR provides a data subject’s right of access to their personal data. Article 15 is unusual in two ways: first, it is a right which data subjects are likely to exercise, because it is both well known and useful; secondly, the response of the Courts and the Information Commissioner is particularly soft-touch.
How controllers should respond
The Draft Guidance makes the sensible point that, whether or not an organisation receives requests on a regular basis, it is important to be prepared and to take a proactive approach. This will ensure that a response can be effective and timely. Organisations should note that the statutory period for complying with a SAR is one calendar month.
One risk to organisations is that, when responding to a Subject Access Request, it is discovered that the organisation has retained data in conflict with its retention policies. In such circumstances it is still of course necessary to disclose the existence of the data to the subject, but this leaves the organisation vulnerable to a claim for unlawful processing of the data.
It is common for documents to contain data about more than one data subject. Where a SAR requires an organisation to consider disclosing information from such a document, a controller should first try to separate the material. If that is not possible, then the consent of the second subject should be sought, where that is practicable. Where the consent cannot be obtained, the ICO considers that a data controller must themselves decide whether it is reasonable to disclose the data without consent. This puts quite a burden on data controllers. It is often helpful for a data controller to attempt to engage in a conversation with the data subject: what is the purpose of their request? What are they hoping to be given? The data subject does not have to give an answer, but by understanding the subject’s motivation at the outset the controller can avoid protracted disagreement later on.
Dealing with a data breach
Oliver Willis, Senior Associate, BDB Pitmans
What can you do to contain the breach?
Our experience has been that clients who are best able to contain a breach are the ones who suffer least in terms of costs, management time, and interactions with the ICO and data subjects.
Do you need to report the breach?
If you are a data processor rather than a data controller, then the answer is simple: you are required to report the breach to the data controller. Once you do so you don’t have to think about reporting to the ICO or data subjects, because the data controller makes those decisions.
If you are the data controller then you have two different questions to consider.
The first is whether you have to report the breach to your data protection regulator, which is the ICO in the UK.
The second question is whether you have to notify the individual data subjects about the breach. Both of those thresholds involve trying to predict the likely effect of the breach on data subjects. Sometimes that is easy. In other situations it is much harder to make that assessment, particularly if it takes a while to establish the full extent of the breach.
How quickly do you have to act?
If you are a data processor reporting to a data controller then the legislation requires you to do this ‘without undue delay’ after becoming aware of the breach.
If you are a data controller and the breach meets the threshold for reporting to the ICO then the legislation requires you to do so without undue delay and ‘where feasible’ no later than 72 hours after having become aware of the breach.
In our work over the past two years we have seen most controllers struggling to collate all the necessary information and submit a report within that timescale. The ones who are most successful are those that have planned ahead for what they will do in the event of a breach, but even then the timescales can be challenging.
What are the key elements of a report to the ICO?
The GDPR sets out the types of information that need to be included in a breach report, but the most important aim in terms of managing the breach will generally be to provide a coherent account of:
- how the breach occurred and how you have contained it;
- what you are doing to mitigate the effect on individuals; and
- what you are going to do to mitigate the risk of a similar breach in future.
If you have any questions, please get in touch.