GDPR Breakfast Event – Key takeaways

The session was chaired by Data Protection specialists Vanessa de Froberville and Jocelyn Paulley of the international law firm Gowling WLG, in association with LexisNexis, C&I London and Douglas Scott.

The emphasis of the event was more than just an overview of the new regulations; it also facilitated practical discussions so that delegates could share opinion on the impact of the impending implementation including the much-debated topic of who in a company should bear responsibility for compliance and how in-house lawyers can engage the leaders of their business.


Overview

Vanessa and Jocelyn gave a detailed overview of the new GDPR which is timetabled for implementation from May 2018, covering the reach of the new regulations, what is in, what is out and what has been beefed up. The Gowling WLG slides can be viewed as a PDF here but in summary:

  • There are two fundamental changes: the imposition of direct data protection obligations on processors as well as controllers, and a new territorial scope, which particularly catches activities that take place outside the EEA but use data collected within the EEA.
  • The core principles are broadly similar to the principles set out in the Data Protection Act 1998.
  • At the heart of the regulations is accountability. Organisations are required to show how they are complying with the principles by maintaining relevant documentation on processing activities, putting policies and training in place and, where appropriate, appointing a Data Protection Officer.
  • There is no template for what a privacy notice looks like, but there is an emphasis on ensuring that the mechanism by which consent is obtained is concise, transparent, easily accessible, and written in clear and plain language. Silence or pre-ticked boxes will not establish consent.

What’s new

  • Right to be forgotten/right to erasure – where requested, an individual’s data should be wiped without undue delay. There are, however, some exemptions: freedom of expression, the obligation to comply with legal obligations (e.g. HMRC, NHS), some scientific research where there is a public interest, and where there is ongoing legal action. More details can be found in our Practice Note: The right to be forgotten, and Journal article: The Right to be Forgotten-under Spotlight: Privacy and Data Protection, PDP 16 3 (6).
  • Data portability – this right will allow individuals to obtain a copy of their personal data in a structured, machine-readable format and have it transferred directly to another data controller. It is intended to benefit individuals by allowing them to transfer their data from one provider to another, e.g. banking providers, social networks or online shops. Further reading: Data portability under the General Data Protection Regulation.
  • Automated decisions and profiling – individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on them. Where an automated decision goes against the individual (“the computer says no”), organisations must be able to have a human intervene in that decision.
  • Timings for notification of breaches have been reduced significantly – data controllers are required to notify within 72 hours of becoming aware of the breach. Further reading: Managing data breaches under the General Data Protection Regulation.

Practical tips for preparing for GDPR in 2018

A lot of preparation can be done upfront and can be underway now:

  • Start with an audit, which will need to be a cross-organisational activity. This is a fact-finding exercise and should cover:
    • What processes are in place currently
    • What data you control or process
    • Processor due diligence
    • Contracts and jointly controlled data
    • A gap analysis, including external options, e.g. a legal solution, consultancies, or specialist e-disclosure companies offering services in this space.
  • Then undertake a risk-based exercise:
    • Where do we want to be on the risk scale?
    • Do we need a Data Protection Officer (in the statutory sense, rather than simply someone covering the tasks)?
      • A DPO must be independent, so simply saying the head of legal can do it will not always work, as there could be conflicts of interest.
      • Also consider the Head of IT, another role in the legal team, or someone within the HR department. It will depend on what other decision-making authority they have, or financial obligations to the business. Make sure you have the right reporting lines.
    • How is your business structured worldwide? Check whether the new fine structure will catch you.
  • Document what you’re doing. Hold board discussions, have engagement at an executive level, and document it.
  • Update your privacy policies.
  • Look at contracts and clauses – where you are signing contracts that run beyond May 2018, you need to start engaging with the third party about how GDPR will be dealt with.


Practical discussions

Delegates then moved into smaller breakout groups, where more individual and nuanced discussions could take place and questions could be raised as to how others are faring with the preparation for implementation. Groups considered the following topics and then fed back to the room. We have summarised some of the main questions and discussions, which we hope will be informative and give a sense of the issues faced by other in-house lawyers.

  • PROFILING – Determining when profiling has a legal or similarly significant effect and so falls within the GDPR, e.g. Facebook profiling for targeted ads, which categorises individuals by age, gender, likes etc. without names. Targeted media can be very significant: whether someone has blonde hair may seem insignificant for personalised hair dye ads, but apply the same profiling to politics and that is a very different story.
  • PRIVACY NOTICES – Trust is important. There is also the issue that nobody reads privacy notices: a study showed that it would take about 80 hours to read all the notices that one individual signs up to in a year. Organisations need to consider the impact on customer experience so as not to start affecting trade.
  • WORKING WITH PROCESSORS – Due diligence: the process is still the same, with more emphasis on accountability and on documenting issues with third parties. It is possible that a data processing certification showing compliance with the GDPR could be developed in the future.
  • CORPORATE ENGAGEMENT – Raising the level of awareness is a major challenge; the headline grabber is the level of fines. Another challenge is that data protection is seen as a legal team problem, so getting buy-in from the rest of the business is difficult. One possible way to engage the business is to set up a working group with key stakeholders across the organisation. Compliance has to come from the business; it is not for the legal team to impose.
  • PORTABILITY – The new portability requirement is likely to be quite a challenge. IT needs to be brought on board, which will be a hard ask when they have other business priorities than moving data around. How do you physically move all data to another provider? You need to map out what the data is, and then what the physical process is.

More information

Subscribers to LexisPSL can access further related reading. Non-subscribers can request a free trial here.
