Some of the key developments since the GDPR’s implementation can be categorised as follows:
Individual rights requests
Individuals are now more aware of their rights, but organisations are not responding to requests in the correct way. The new individual rights brought in by the GDPR are:
With this in mind, organisations need to be more vigilant in preventing individual rights breaches. Laura suggested the following actions:
Personal data breach
This is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data which is transmitted, stored or otherwise processed. Hence, this can be more than just a rogue e-mail; it can include something broader, such as unauthorised access to HR files.
For the process of reporting a data breach, see diagram below:
Of these breaches, most have been unauthorised disclosures. For example, Marriott International have recently been in the news for their purchase of a hotel without conducting appropriate due diligence, leading to a mass wrongful disclosure of data. They have been served a notice of intent to fine of more than £99 million. Similarly, British Airways have been given a notice of intent to fine of £183.39 million for a data breach after they allowed a third-party website to siphon off all their customers’ data.
The actions for prevention are the same as for individual rights requests. Laura emphasised that the key focus should be on the time limits (see diagram above). You need to know the relevant information, and any issues or potential reports, as soon as possible. To do this most efficiently, IT and legal teams need to work together.
At this point, one of our audience members asked whether Laura had any advice on how to approach these teams to ease this collaboration. Laura agreed that this can sometimes be a difficult conversation. As an example, she brought up the concept of deleting and destroying data. This can pose problems, as many in the technology and IT sectors would say that data is not completely erasable without destroying the hard drive or its equivalent. Further, they are often keen to retain systems that keep data indefinitely. Laura’s advice was to always explain in person if possible: communication will be smoother, and it reinforces the idea that you are working side by side to reach a solution.
Consent and transparency
Consent is one of the lawful bases for processing. It is defined in the GDPR as a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement […]’. Consent cannot be an ambiguous concept: to be validly obtained, it must fully explain all the platforms on which an individual’s data is being shared. As it is sometimes hard to prove consent to this standard, it may be useful to look at alternative lawful bases.
Transparency entails providing clear information which explains any data processing activities. This is most commonly in the form of a privacy notice. For example, a company like Google would need to make its transparency information easily accessible, with intelligible language and concepts that are easy to understand. One suggestion is to display this information in an easily digestible format, such as a short video.
Generally, the individual concerned will be more likely to withdraw their consent if you are not being upfront with this information.
To aid in both consent and transparency, Laura suggested actioning the following:
GDPR and beyond
Laura went on to discuss what is next for the GDPR and how organisations can continue to improve with this. Some priorities she suggested to focus on were to get businesses to ask themselves:
It is especially important to watch out for international transfers of data. The GDPR affects any data which comes in and out of the EU, so it can apply to a country which is not part of the EU if that country is instrumental in the transfer. If Britain leaves the EU without a deal, we are likely to be that externally affected country, so there needs to be a new mechanism to rely on. This will likely take the form of model clauses and a privacy shield, as in the US.
The case of Schrems II, brought by Max Schrems, has challenged this form of data protection, however, which would then mean we have no mechanisms available to us in the event of a no-deal Brexit.
Laura then told us some of her predictions for data protection in the future:
Join Aspire today
Aspire is free to join and open to all in-house lawyers in the early stages of their legal career. Join today.
Additional recommended reading:
Managing a personal data breach—process flowchart—GDPR - This Practice Note illustrates how to manage a data protection breach (including a cybersecurity breach) under the EU General Data Protection Regulation (GDPR). It maps out a data breach process, providing guidance and links to relevant precedents for each stage of that process. It can also be used for cybersecurity breaches.
Data breach—panic sheet - This Precedent data breach panic sheet gives tips on what to do and what not to do in the immediate aftermath (first 24 hours) of a personal data security breach.
GDPR compliance—data subject access rights - This Practice Note explains the right of data subjects to have access to their personal data contained in the General Data Protection Regulation (GDPR). It considers compliance strategies for businesses, particularly in relation to data subject access requests, also known as DSARs.
Handling data subject requests—flowchart - This Flowchart sets out a process for handling data subject requests received under the EU General Data Protection Regulation (GDPR). It maps out a process to follow when you receive a request from a data subject to exercise one of their data subject rights under the GDPR, providing guidance and links to relevant precedents and separate detailed flowcharts.
GDPR compliance—information requirements—privacy notices - This Practice Note sets out the information requirements that are contained at various places in the General Data Protection Regulation. Most of these relate to privacy notices, but there are also information requirements relating to issues such as data breaches and the data protection officer.