Brexit does not allow companies to exit responsibility for, or understanding of, what is likely to be a ground-breaking change for many businesses.
“It is paramount to understand how GDPR will change not only the European data protection laws but nothing less than the whole world as we know it.” Jan Phillip Albrecht LL.M, Member of the European Parliament and Vice Chair of its Civil Liberties, Home Affairs and Justice Committee.
New Leaf Advisory believes that UK business is unprepared: light on understanding and light on preparation.
“Over two-thirds of European and US CIOs (68%) still don’t have a proper plan in place to comply with the coming European General Data Protection Regulation (GDPR), especially when it comes to the mainframe…” Compuware survey.
Understanding GDPR is mission critical and can be a business enhancing comparative advantage.
As Brexit uncertainties swarm around business, everything that can be done must be done to ensure that the UK has a seamless transition to the new regulatory world, especially in high-growth high-tech industries.
New Leaf Advisory, with our distinguished legal lead on Brexit, strongly believe that there are critical gaps in understanding, anticipating and preparing for the GDPR at all levels of government and business.
The following presents our outline of the problem – for a detailed analysis and presentation, please contact us.
New Leaf Advisory has the very best advisors to help you prepare for GDPR.
Our legal team and operations advisors are the finest available.
Our audits are managed and undersigned by the leading QC in this area of law.
Q. Brexit means I don’t have to prepare for GDPR, doesn’t it?
A. Highly unlikely. The likely outcome is that the UK will have to adopt Data Protection Regulation that is either as rigorous as the GDPR or more so.
There are three paths open to the UK post Brexit:
- Joining the European Economic Area (“EEA”). This is the route adopted by Norway. Membership of the EEA will require the UK to implement rules and procedures that are equivalent to those of the European Union.
- UK signs bilateral trade deals with the EU. This is likely to result in the UK having to agree to a duty to apply laws that are at least as demanding as European Union legislation. This is the option that has been adopted by Switzerland.
- The other possibility is that the UK signs one or more independent trade deals without taking on the burden of accepting equivalent EU obligations.
Under the first two options, it is clear that the UK would need to adopt Data Protection Regulation that is at least as strict as the GDPR. Under the third option, the UK would still need to adopt “adequate” protections in order for the EU to allow its members to pass information to the UK. In other words, the UK would still need to regulate to at least the standard of the GDPR. Given that such regulation is unlikely to differentiate between individual UK company jurisdictions, it is evident that all companies in the UK should be looking to comply with a standard at least that of the GDPR, and sooner rather than later.
Q. Sooner rather than later?
A. Yes. GDPR enters into force on the 25th May, 2018. The preparation for compliance is likely to require close attention. The delay by many organisations in addressing adequacy introduces the risk that the correct level of advice and time for implementation may not be available in order to satisfy compliance.
Here is an indication of the questions that should be asked and what can be done now in order to ensure that the transition to compliance with the GDPR or the UK equivalent is as smooth as possible. Remember, New Leaf Advisory are able to assist in all areas of preparation:
- Undertake a regular review of the data that the organisation is processing, including the type of data and any changes to the type of data processed. Ask these questions:
  - Can any data be pseudonymised?
  - Where is the data going?
- Review your processes for data breach notification; security; answering data subject requests; risk assessment.
- Carefully review the contents of contracts; do you need a data protection impact assessment?
- Carefully review your relationships with processors if you are a controller.
- Train your workforce:
  - Do you need a data protection officer?
  - Do you have adequate processes in place for employees to handle a serious data breach?
  - Are your contracts of employment and/or contracts with subcontractors compliant with GDPR?
  - Are you giving employees the correct information?
Q. This is starting to look onerous. Tell me more.
A. There is still time to prepare and New Leaf Advisory can help in all areas of readiness.
We can help you to look in more detail at the disciplines involved, what their functions are, and how they will need to prepare.
Q. I’m starting to understand the scope of what’s required. Is there anything else I need to pay attention to?
A. Yes. Privacy impact statements.
Firms will need to undertake a privacy impact assessment.
The GDPR requirement to complete an impact statement in “high risk” circumstances is defined in article 35.
Again, New Leaf Advisory are able to provide the highest level of legal guidance and operational advice in this area.
Q. Let’s go back a step. To what, specifically, does GDPR, or a likely UK equivalent, apply?
A. Good question. Let’s take a close look at the application of the regulation. The penalties for infringements are severe, so paying attention to the details is important. Remember, there is still time to get this right, and New Leaf Advisory are able to assist in all areas.
To what does it apply?
The regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
Further, the regulation applies to the processing of personal data of data subjects who are in the Union by controllers or processors not established in the Union, where the processing activities are related either to the offering of goods or services to such data subjects in the Union or to the monitoring of their behaviour in so far as their behaviour takes place within the Union.
Here, personal data means any information relating to an identified or identifiable natural person (“data subject”); controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Note, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Q. OK. I’m digesting that. Tell me what my obligations are under the new regulation.
A. Certainly. We’ll start by summarising with six principles.
Personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”).
- Collected for specified, explicit and legitimate purposes and not processed in a manner which is incompatible with those purposes (“purpose limitation”).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
- Accurate and, where necessary, kept up to date (“accuracy”).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
- Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (“integrity and confidentiality”).
Q. That’s a clear summary. Can you expand a little?
A. Yes. Let’s focus on a few key Articles.
Article 6 sets the parameters of the lawfulness of processing. It provides processing shall be lawful only if:
- The data subject has given consent for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 7 sets out the conditions for consent. It states that, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time.
Articles 15, 16 and 17 deal with the right of access by the data subject, the right of rectification and the right to erasure (“the right to be forgotten”).
Article 33 sets out what has to be done in the event of a personal data breach. The controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware, notify a personal data breach to the supervisory authority. The processor shall also have a duty to notify the controller without undue delay after becoming aware of a personal data breach.
Article 37 introduces the concept of the data protection officer. It requires the appointment of a data protection officer where the processing is carried out by a public authority; where the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or processor consist of processing on a large scale of special categories of data.
Q. I understand better now. You mentioned that the penalties for getting this wrong are severe. How severe?
A. Potentially very severe. Certain infringements are subject to fines of up to 20 million Euros or up to 4% of worldwide annual turnover – whichever is higher. Let’s examine some details.
Article 82 gives a right to compensation to any person who has suffered material or nonmaterial damage as a result of an infringement of this regulation.
Article 83 restates the proposition that fines should be effective, proportionate and dissuasive. Fines can be imposed in addition to, or instead of, other measures contemplated by the Regulation and the Article sets out the criteria that should be followed when determining whether and how much to fine.
The Article states that in each individual case, due regard should be taken of:
- The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.
- The intentional or negligent character of the infringement.
- Any action taken by the data controller or processor to mitigate the damage.
- The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to the Regulation.
In assessing the fine, the track record of the controller or processor will be taken into account, together with any other aggravating or mitigating feature applicable to the circumstances of the case.
Infringements of articles 8, 11, 25-39, 42 and 43 shall be subject to fines of up to 10 million Euros or, in the case of an undertaking, up to 2% of worldwide annual turnover for the preceding year, whichever is higher.
Infringements of articles 5, 6, 7, 10-22, 44-49 and 43 shall be subject to fines of up to 20 million Euros or, in the case of an undertaking, up to 4% of worldwide annual turnover for the preceding year, whichever is higher.
Article 84 provides that member states shall lay down the rules on other penalties applicable to infringements of this regulation, in particular for infringements which are not subject to administrative fines under article 83, and shall take all measures necessary to ensure that they are implemented. In other words, member states are expected to take the initiative in introducing domestic legislation. The Article restates the principle that the penalties shall be effective, proportionate and dissuasive.
Q. How is New Leaf Advisory able to help our organisation?
A. New Leaf provides what we consider the “Gold Standard” in preparing companies for GDPR or its equivalent.
Our services are fully bespoke, which offers optimal cost and time efficiency – you don’t pay for, or waste time on, what you don’t need.
We have direct licensed access to the Bar. You will not need to pay intermediaries, or fund their large fixed overheads, to access the very best legal advice. Our audits are managed and undersigned by the leading QC in this area of law.
We provide a complete service suite. From audit, through to full operational design and oversight, we take a commercial view and understand the dual requirement to optimise value whilst ensuring full compliance at the highest levels.