On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. It is changing how not only the big digital players but the entire private sector processes data, and it forces organisations to get the personal data they hold on individuals in order. With the challenges of implementing such a regulation in organisations in mind, the Lawyers' Alumni Group hosted a round-table Q&A and discussion of the newly introduced regulation and its impact.
Led by Steven Taylor (LLM 2012), a specialist in privacy law and data protection who works for a US private equity group, the session brought together a small group of alumni with an interest in, and experience of, the practical application of the new regulation.
Notable contributions were also made by Anita Bapat, Data Protection & Privacy Partner at Kemp Little LLP, who gained a first in Law at the LSE in 2005.
Since I've purchased annual subscriptions with several large data/business intelligence companies like Zoominfo and Rainking, I wanted to see what the law was on this and also, if there is some issue, whether it is the data company, my company, or both who are liable.
It's significant since the supervisory authorities (in the UK, the ICO) have the right under GDPR to fine a company up to 20 million euros or 4% of annual global turnover, whichever is higher. There is a two-tier system of administrative fines; the lower tier is up to 10 million euros or 2% of annual global turnover, again whichever is higher.
Steve said that the responsibility lies with the data company (the data processor), not your company (the data controller). This confirmed what I had thought. However, he said that you must also check the contract, to ensure the data company does not have some type of exclusion clause.
Steve told me earlier that he'd met and talked to Elizabeth Denham, the Information Commissioner, who oversees GDPR in the UK. Steve's understanding of this legislation is that, to use his analogy, it's rather like doing maths homework: as long as you are seen to be trying your best to comply, the ICO will not generally expect perfection.
However, I did also find this quote from Elizabeth Denham, which puts her position more strongly: "If your organization can't demonstrate that good data protection is a cornerstone of your business practices, you're leaving your organization open to enforcement action that can damage both public reputation and bank balance."
In terms of data use, GDPR provides six lawful bases for processing, but the two that matter for contacting business customers are consent and legitimate interest. The first is self-explanatory; the second is a little trickier to define. Legitimate interest can be a basis for contacting business customers.
The protection levels are lower for business customers, since they are typically seen as a less vulnerable group than business-to-consumer contacts. The ICO publishes its own definition of legitimate interest in its guidance. Most agree that it means that you have a good reason to hold and use that person's data.
To fall within 'legitimate interest' your data use must satisfy a three-part test:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
He also reassured us that if you are a start-up, you are much more likely to be fined 4% of annual revenue, which could actually be a fairly small amount, rather than 25 million euros; unless, of course, you are flouting the law, as in the case I mentioned above.
We had an outstanding discussion on Brexit and how it will affect this European legislation. Here Anita really came into her own, as she knew all the details. I had thought that there was some room for data companies to lobby to have this legislation removed in the UK (when all EU legislation is enacted into UK law).
However, Anita told us that GDPR had already been enacted into UK law on May 24th, one day prior to the European GDPR date. The Data Protection Act 2018 thus both replaces the UK Data Protection Act 1998 and implements the same rules as the European GDPR.
Our conversations were too detailed and wide-ranging to include all of them in this blog post. However, some of Steve's points are worth remembering:
- GDPR requires a company to have a representative in Europe.
- It requires the company to have a Data Protection Officer. This person must have an understanding of the law, and of GDPR specifically, and must also be an expert in handling data.
- It covers breach notifications: as soon as you are aware of a data breach, no matter how insignificant, you must notify the ICO within 72 hours.
My chief takeaway from this discussion was how uncertain even highly trained legal experts on the subject are as to how these laws will actually be applied. To give an example, Steven said that if the EU regulators (or the ICO) dig deep enough, they will be able to uncover breaches of the GDPR rules anywhere, even at tech giants like Facebook or Google.
Does that give them a right to do so just to generate more revenue? How are they going to decide how far to dig, and whom to investigate for breaches?
281 billion emails are sent every day. How can the EU regulators monitor all of these? Will they concentrate on large companies, or on flagrant breaches of the legislation? Steve said that the latter is the most likely.
I rounded off the evening with dinner across the road at The Delaunay (yet again) with my fellow LSE law alumna Joanna Mcdwyer. We celebrated, since she has just been offered the job of development director at Newnham College, Cambridge, and will consequently also be made a fellow of that college.
Thanks to Sharon Park, LLM Student in Information Technology Law at the LSE, for checking and editing this post for me.