On May 25th 2018, the way companies handle data will change forever. On this day next year, the General Data Protection Regulation (GDPR) will come into force, changing how customer data is handled and outlining the toughest consequences of data breaches ever seen. Considering we create 2.5 quintillion bytes of data a day, and the global volume of electronically stored data is doubling every two years, this presents a problem for businesses and their advisors internationally.
The GDPR will colossally shake up the collection and processing of personal information of EU individuals. Whether it’s a business in France, Germany, the US or India, there is no room for complacency, as the new set of obligations will apply to all companies that target both EU markets and consumers. It also presents an issue for law firms because, let’s face it, they will be hit twofold: both in terms of data held about clients, employees and so forth, and in terms of any data provided by clients and third parties which they are storing.
Complacency is no longer an excuse for firms: they need to know what they’re doing with consumer data, or face the consequences. For those who infringe the rules, there are significant changes to the penalties they face. One of the biggest developments is that Supervisory Authorities have the power to impose hefty administrative fines for violations – be that in regard to data protection law or operational transgressions. Whilst a tiered approach is being brought in to direct the appropriate punishment, the majority of breaches look to fall into the higher tier. In terms of punishment, it currently stands at:
• Tier one: fines of up to €10,000,000, or 2% of global turnover, whichever is higher
• Tier two: fines of up to €20,000,000, or 4% of global turnover, whichever is higher
As you can see from the above, this is a significant rise from the previous limit of £500,000. To put this in context, TalkTalk was fined £400,000 for the data breach affecting its 157,000 customers. Under the new rules, they could have faced the maximum tier two fine of up to €20,000,000 or 4% of their turnover. Quite a difference indeed, and one that could ultimately ruin a smaller firm with less capital.
The problem we all face is that the world we operate in is going through a digital transformation, which relies on scrupulous data recording and on being able to verify that the information we hold is truly up-to-date. The NHS, for example, fell foul of this in February when the news hit that 700,000 patients had not received sensitive health information because records were out of date or incomplete. Imagine waiting for a biopsy result, or news on your treatment dates, only for the information never to turn up. Or, in the most recent case, being able to Google yourself and find transcriptions of doctors’ letters about your medical treatment, leaked through a third party’s insecure infrastructure. You might have thought critical information such as this would be available, but this example typifies the challenges facing businesses, including those in the legal sector – you need to know what data you have, and ensure it’s correct.
But what does it mean in terms of implication and operations for UK firms? Below are five recommendations to help legal firms get ahead.
Library vs landfill
A common challenge for any client-servicing business is knowing what data to file and what to delete. Names, addresses, personal health information, legal history or payment details may well be necessities, but all this information can start to mount up, to the point that you have such a detailed picture of an individual that they would be shocked if they knew the true extent of the information you hold on them. In addition to holding all this information, locating it can also present an issue for some businesses, particularly if that data goes back for years.
When you are dealing with serious amounts of data, it’s not uncommon to be using multiple mediums of communication, multiple servers and multiple databases to hold all the information, never mind the ad-hoc extracts people tend to make whenever they need them. Therefore, it’s quite possible for customer data to sit in more than one place on your system, leaving valuable information forgotten about and collecting dust. However, this is not good practice. Information should be held in one place, to make it more secure and to ensure you have an accurate (and accountable) picture of the customer’s information. Dispersed data is a nightmare, and if a business needs to quickly present accurate information, searching for records in disparate locations is a massive drain on resources. Additionally, with data duplicated across multiple locations, businesses could be wasting space that could be freed up. Time and server space are expensive commodities, so GDPR is a good opportunity to get everything in one secure place via a data inventory.
Leading on from the data storage point, GDPR also gives consumers the right to know how their data is stored and what it’s being used for (data minimisation). Therefore, businesses need to be aware of what data they hold: if they can’t give a valid, business-critical reason for holding that specific data, they need to get rid of it (and in the right way). Generally, any consumer requests for their own personal data must be fulfilled within one month of receipt.
For law firms, this presents a problem. Background information related to cases is almost always kept on file – be it testimonies, character witness statements or client details. Once cases are over, calls need to be made on how long this information should be held for, and to what extent (can some files be purged quicker than others?). Above all, a decision needs to be taken as to who ‘owns’ the decision over whether data should be deleted or not: the law firm or their client?
Additionally, businesses will be looking to their legal advisors for help with the changing data legislation, so legal firms need to be advising on how best to meet the new regulations. For example, stellar security is vital to protect core assets, and work to identify any weak spots should be undertaken to help avoid breaches. Given the extensive repercussions, Data Protection Officers could be recommended as a remedy, to oversee data governance, security, analytics and location, reporting directly to the Board. We fully expect this job function to increase in headcount and importance over the next two to five years, as conservative estimates predict up to 28,000 DPOs will need to be appointed across the EU before GDPR comes in.
Changes in data holding will also affect employment, and how much information companies can hold (or collect) on their employees – even more so in the case of former employees. Privacy notices and consent will be big, immediate issues for businesses to deal with. Businesses will need to look at the terms and conditions of privacy notices and ensure they follow the guidelines by including information such as how long information will be held for and if said information will be transferred to other countries. Legal practitioners will therefore need to work with clients to ensure they’re meeting these regulations.
In terms of consent, this has traditionally been a murky area, so the GDPR changes may help make this clearer. As it stands, businesses can keep and process data as they have employee ‘consent’. GDPR has more prescriptive requirements around consent, and states that employees must be able to withdraw their consent at any stage and the processing of the data needs to be ‘explicit’ in detail. Employers will therefore be able to rely on the consent argument less, and will need other legal arguments to hold on to employee data.
To adopt GDPR fully, changes to the Data Protection Act will need to be made to ensure there is no duplication or confusion. The government is adopting GDPR in full, as it comes in before the UK exits the EU. Therefore, changes will be made, and legal firms will need to be aware of any possible alterations and how clients will be affected, especially given all the uncertainty around Brexit. There is also the question of whether the UK and US governments will look to make their own data flow laws, as once the UK leaves the EU it will no longer be covered by the EU-US Privacy Shield, never mind the future relationship between the UK and the EU.
GDPR is one of many international initiatives aimed at simplifying the legal and regulatory requirements around the management and security of data. Firms, therefore, will often find themselves bound by a wide range of requirements which can differ significantly depending upon the industries and jurisdictions they operate in. Regulations ranging from MiFID II, Basel III and Solvency II to FRCP Rule 37(e) should be fully considered and included in any data compliance strategy.
Any firm which has experienced a data breach will now be expected to report this to their Supervisory Authority within 72 hours. Currently, only those working in Financial Services or telecoms are required to report breaches, so companies outside these sectors will now need to comply fully with this legal requirement. Being able to assist clients in developing and integrating internal procedures for the discovery, reporting and investigation of breaches will be an essential component of any advice.
Opportunity for trusted advisors
In order to meet the full requirements of GDPR, clients will need to be advised of the full extent of potential changes and the steps they will need to take to manage the alterations required. This is not limited to legal advice, but demands an element of technical knowledge as well as operational change management. To facilitate this for clients, it is vital to partner with experts who can help advise on any changes, to leave no stone unturned. Businesses can no longer leave it to the IT Director to facilitate the changes, and legal advice can help manage costs and warn on the potential damage (financial and reputational) of breaches. Clients need to employ a holistic approach to the GDPR with all their relevant data stakeholders involved in order to ensure that they make the right decisions.