The Legal Update

Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with upcoming GDPR legislation.

We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR) which comes into effect in just over six months on 25th May 2018. 

Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligation. While the regulations stipulate that certain provisions be inserted in processing agreements (art. 28(3)), they do not stop at that. For the first time, statutory data protection requirements (which previously only applied to data controllers) will place direct obligations on you as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law, the maximum fine the Information Commissioner can impose is £50,000. Under GDPR, however, that fine can be anything up to 4% of an organisation’s annual worldwide turnover, or 20,000,000€, whichever is largest.

So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?

#1 Review Existing Processing Agreements 

Your processing agreements must be GDPR compliant. This means that you have agreed to:

  1. Process personal data only after documented instructions from your client
  2. Ensure that all of your employees who are authorized to process personal data have committed themselves to confidentiality
  3. Take appropriate security measures (see step 3 below)
  4. Engage sub- processor correctly (see step 6 below)
  5. Help your client(s) to respond to requests by data subjects who are exercising their rights
  6. Help your clients to meet their compliance obligations (relating to securing personal data, data breaches, data impact assessments, and consultations with the supervisory authority)
  7. At the choice of your client, delete or return personal data
  8. Allow for and contribute to audits conducted by your client.

More details here.

#2 GDPR Compliance Accountability Procedures

You must have determined if you are required to maintain written records of categories of processing activities (art. 30). This requirement originates from the accountability principle (art. 5), a re-occurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate compliance. Information which must be captured includes details of any other processors, your client’s details and those of Data Protection Officers (DPO), categories of processing, details of transfers to third countries and a description of general technical and organizational security measures (art. 30 (2)). These records must be provided to the supervisory authority on request.

If you employ 250 employees or less, you will be excluded from this requirement provided that the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional, and does not include special category data.

Note: Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, and biometric data or data concerning health or data concerning a natural person’s sex life or sexual orientation (art. 9(1)).

#3 Data Security

You must have appropriate security measures – referred to as appropriate technical and organisational measures (art. 32). If you are wondering what appropriate technical and organisational measures means, you are not the first. No definition is provided by the regulation, thereby putting the onus on you to decide. You must consider a variety of factors:  the sensitivity of data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and nature of processing.

This requires you to have a comprehensive understanding of your systems and the type of data processed. While they can vary, appropriate measures include pseudonymisation and encryption of personal data. Regular testing of any security measures is also required where appropriate. This will enable you to detect any weaknesses and pick up any problems quickly which is particularly important in the event of a breach.

More details here.

#4 Data Breach Notification

You must be able to detect data breaches and notify the controller without undue delay upon becoming aware of a breach (art. 34). It may be in your interests to clarify in your processing agreement (if you have not already done so) when delay may be undue as this is not made clear in the regulation.

More details here.

#5 Data Protection Officers

You must have a DPO if required, although you may have one even if not required. A DPO is required if you are a public authority, if processing requires regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of processing large scale special categories of personal data. A DPO’s primary role is to independently advise you on compliance with the GDPR, and they are the contact point for any data subjects and for the supervisory authority.

More details here.

#6 Reviewing Use of Subcontractors

You must have prior specific or general written authorisation from your client if you enlist another processor or replace a sub-processor (art. 28(2)). You must reflect the same contractual obligations you have with your client in a contract with any sub-processor and shall remain liable to your client for the action or inaction of any sub-processor.

#7 International Transfers

You must ensure that you have appropriate safeguards for any transfers of personal data to a third country (in the absence of an adequacy decision) and that the data subjects have enforceable rights in that country with respect to the data. This is your decision to make, and is independent of any instructions from your client with regards to data processing.

More details here.

Making your processing agreement GDPR complaint is just the start.  The steps outlined above are by no means an exhaustive list, but should hopefully assist you in your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!

The Legal Update

Obelisk consultant Alisha McKerron Heese looks at the big issue of data protection in the modern age, and how lawyers can make sure the information they handle is safe and compliant at all times.

Compared to other areas of the law, Data Protection is relatively new and data protection for lawyers is fast becoming an essential business tool. It arises in many different aspects of day-to-day business and has undergone rapid change over the years, particularly with the development of technology and the increase in flexible and remote working.

Data protection and security affects us in more ways than we can imagine as lawyers. All service providers must make sure they keep their client data safe, but as lawyers often deal with extremely sensitive personal information, we must be particularly careful as to how we handle it, and we need to keep up to date with new regulations. It is these qualities which make it an exciting area of the law and at the MBL Conference on Data Protection & Security, we heard six speakers examine current and future developments in data protection laws and procedures. Here are the topics to look out for to keep legal information secure in your legal practice.

#1 Data Breaches and Exposure

Over the last 10 years, there have been several infamous instances of data breaches from companies such as HMRC, T-Mobile, Sony, Yahoo, TalkTalk, Sage and Three. According to Dr. Stephen Hill, a trustee director of the Fraud Advisory Panel, most of these stem from poor business practices. It seems that the greatest security risk to organisation is outdated software, and indeed, outdated employee knowledge of technology and security measures. 

Steps to prevent breaches: Data security needs to be in the hands of experts, which often means outsourcing data storage and security to a specialist company. As Jared Staver of Staver Law Group states in this Digital Guardian article, offsite servers that are encrypted, protected and have teams of people ensuring their security are the safest way to store data.

Some other simple, practical ways of guarding against these incidents include:

  • Making use of the blind copy (“BCC”) function when emailing
  • Ensuring that confidential information is removed from documents before sending
  • Emails/documents are sent/faxed to the correct address
  • Paper work is kept secure and regularly checked.
  • To find out if your email has been breached Dr. Hill recommends, which allows you to check passwords for any email account to check if they come up on lists of passwords stolen by hackers.

#2 Regulating Data Protection: Privacy and Electronic Communication

What about the areas that are out of our individual control? Advertently or inadvertently, valuable information is being collected and stored when we use electronic devices to communicate with one another. As technology advances, what is being done to ensure continual protection? To see if your browser is safe from tracking, Dr. Hill suggests using to analyse how well your browser and add-ons protect you against online tracking techniques.

Rosemary Jay, one of the leading lawyers in the area of data protection, told us that the E.U. Commission has proposed a draft regulation on Privacy and Electronic Communications (“PEC”) which contains specific provisions on cookies, online marketing and the use of content and metadata.  

  • The proposed regulation will expand and tighten our existing legislation which makes it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber.  
  • The proposed regulations will not just apply to telecom companies, but also to Over The Top (OTT) providers such as WhatsApp.
  • PEC will cover services such as public WiFi (found at, for example, a hotel or a bar), and services provided by “Internet of Things” (IoT) devices.  Stricter rules will apply to WiFi location tracking.
  • Access to websites will no longer be conditional on accepting tracking cookies. The aim is to get rid of cookie banners and make it a requirement that browsers contain cookie controls so that users must choose those settings as part of the installation process.

The proposed regulations have some way to go before being finalized and approved and it is likely that the timing will not coincide with the GDPR timing, as discussed below.

#3 GDPR & Technology: Friend or Foe

One need look no further than the dark web to ascertain the value of stolen data, where large amounts of data are auctioned. It’s a comfort to hear from Robert Bond, voted Best Lawyer in the U.K. for the practice area of Information Technology Law 2017, that protecting personal information is nothing new. It’s the scale of that task in modern times that has moved the goal posts. Without a doubt, the advent of the computerised world has complicated matters, because it has enabled large quantities of data to be stored and exchanged and the connections with the data subject, to be lost in the process.  

Greater protections are due to come into effect in May 2018 with the new General Data Protection Regulation (GDPR).  GDPR widens the definition of personal data, while applying the same principles that currently apply.

  • Stronger evidence of consent to handle personal data is required and there is a greater emphasis on transparency and accountability.
  • Your existing rights have been strengthened and you will have more rights–including the right to rectification, to request all your personal data be erased, to restrict processing, the right to have  personal data made portable so that it can be transferred–for example to a third party–the right to object and rights in relation to automated decision-making and profiling.
  • The proposed PEC will compliment the general GDPR with its specific rules.  

#4 Biometrics and Data Protection

What about rights in respect of information derived from us physically?

Apple’s latest phone allows you to use your thumb print to get into your phone. British e-passports now have additional security features including a chip with the holder’s facial biometric. Other examples would include iris recognition and DNA. This type of information, called biometric data, falls within the definition of personal data and is protected by the GDPR.  But there is another type of information closely associated with biometric information, called bodily-generated information, which is personal information generated by an individual directly. This may not be used as an identifier, in the sense that it allows you to identify who the individual is e.g. heartbeat, body temperature. Consider the increasingly popular activity trackers people wear on their wrists and the data they generate.

Does the GDPR cover this type of information? According to Mrs. Jay, overall the controls of GDPR should help minimise the risks associated with the use of biometric data. Whether it covers bodily generated data is a somewhat unclear, but best practice is to assume that it does.

#5 The Cost of Data Protection Compliance

What happens if an individual asks a public authority to provide him/her with a copy of all information that it holds on him/her? As Rory Dunlop explains, requests like this can be a lengthy and expensive exercise for any organisation on the receiving end.  Bear in mind that personal data extends not only to electronic data, but paper too. Thankfully there are instances where non-compliance is acceptable, for example in the context of excessive costs or vexatious claims.

The exponential growth in the collection and sharing of personal data has raised a number of questions as to how we can get a handle on, and own, our data. Fortunately, proposed legislation offers a number of regulatory frameworks to solve this problem, such as the GDPR which comes into effect in May next year and the PEC which is in the process of being finalised. Painful as they may be for companies, I believe that these frameworks are a force for good that will enable us to gain more control from large internet companies, like Facebook and Google.

Communicating securely and protecting client data are our top priorities as lawyers, so it is vital to invest the time and finance to ensure our systems and knowledge stay up to date with the changing digital landscape.

Alisha McKerron Heese is a multi-jurisdictional capital markets and corporate lawyer. She has magic circle and investment banking experience and is looking to transition from the voluntary sector back to fuller employment in the legal field. She is a magistrate and a freelance lawyer.