GDPR Update and Post-Brexit Considerations
The General Data Protection Regulation (GDPR) was introduced into UK legislation in 2018, by virtue of the Data Protection Act 2018 (DPA). With the end of the Brexit transition period fast approaching, and the ninth round of negotiations underway, this article looks at what has been implemented so far, and whether anything is likely to change on 1 January 2021, with a particular focus on subject access requests.
GDPR and the Data Protection Act
Following the rapid increase in our use of technology, the General Data Protection Regulation (GDPR) was applied across the EU in May 2018. The Data Protection Act 2018 (DPA) enabled the UK to adapt these rules and implement them into our law.
Subject Access Requests
One of the main obstacles employers face in relation to the GDPR is Subject Access Requests (SARs). There has been some uncertainty surrounding what form SARs must take and what employers' obligations are when it comes to responding to them.
How will I know that an employee has made an SAR?
SARs can take any form, written or oral, and can even be made via social media. One problem that employers can face is when an individual mistakenly labels their request as a Freedom of Information Request (which can only be made to public bodies). However, even if the individual has mislabelled their request, and it is clearly a SAR, then the employer must respond as such.
What are an employer's obligations once an SAR has been received?
Once an employer has assessed the request, it must reply within one month of the receipt of the request. The employer may extend this period, due to the complexity or extent of the request, by up to two months. If a request is "manifestly unfounded or excessive", the employer may charge a reasonable fee or refuse to act on the request. However, employers should be cautious of this approach as it can be difficult to prove that a request falls within this scope.
What is the best way to carry out a search for information under an SAR?
A request from an employee can be extensive (such as requesting to see any document or piece of correspondence which refers to them in any way) and so employers need to consider the best approach to carrying out their search. If members of staff are provided with work phones and laptops, then it may be necessary for employers to request these from certain employees so that they can be searched. A range of documents, emails and even WhatsApps and other messaging platforms may need to be searched. In order to prevent too much irrelevant data being drawn out within the search, employers should consider what parameters they can use to focus the search. Whilst employers cannot ask an employee to "narrow down" their search, they are able to clarify certain points with the employee to enable them to better focus the search.
What is the situation where a search reveals documentation containing data of other employees/individuals?
Where disclosing information to one individual could then breach the principles of the GDPR in relation to another, it may be prudent to redact such information from a document or email. References to other individuals, individuals' email addresses and other data can all be redacted from documents, so that only the information relating to the subject is available. There are various software platforms which now enable businesses to redact information easily and securely.
Issues can often arise around legal privilege and some organisations will try to exclude documents from being disclosed under the misconception that it constitutes privileged information. Legal advice privilege is where legal advice is being given or received; simply copying a lawyer into an email chain does not enable it to be classed as legally privileged. Another form of legal privilege is litigation privilege. This is any documentation produced in contemplation of litigation, or for the purposes of litigation. Care should be taken when disclosing documents under a SAR, to ensure that relevant information is not wrongly withheld, or equally not disclosed in breach.
Penalties for breach of the GDPR
So far, there have been relatively few cases relating to GDPR breaches and so it is hard to establish precedents or set outcomes. However, British Airways was the first organisation to be landed with a fine of £183m resulting from a breach of customer data in 2018. More recently, Hong Kong airline Cathay Pacific was fined £500,000 for a breach allowing hackers to gain access to the personal details of 9.4 million of their global customers.
Earlier this year, a London based pharmacy, Doorstep Dispensaree Ltd, was issued with a penalty notice of £275,000 for failing to ensure the security of Special Category Data. Also within the notice, were requirements to update their procedures to ensure that the adequate level of security was reached. This included updating policies and procedures, appointing a data protection officer and introducing mandatory data protection training.
It is important to be aware that the consequences of a breach can be severe. This includes a fine of up to €10m or 2% of an organisations global turnover.
At the moment, the Government has suggested that the GDPR will remain in force within the UK, even after we leave the EU. As we have already mentioned, the DPA was implemented as a way of implementing the GDPR into UK laws. The Data Protection Brexit Regulations were drafted in preparation for a "no deal" Brexit; however, these will be read alongside the DPA as a way of creating a regime for data processing within the UK.
The main change will be that data processing rules will only apply to data processed in the UK and, as a result, the Information Commissioner's international role will be removed. Any functions currently assigned to the European Commission will be transferred to the Information Commissioner and the Secretary of State.
Depending on the nature of your business, you may need to consider appointing a representative in the EEA by the end of the transition period (ending 31 December 2020). You need to appoint an EEA representative if you have no offices or establishments in the EEA, but are offering goods or services to individuals or monitoring the behaviour of individuals within the EEA. The representative needs to be set up within an EU or EEA state where the individuals you are monitoring or to whom you are providing services are based. The representative will be required to represent your business in its obligations under the GDPR.
The Information Commissioner's Office will be able to issue fines of up to 4% of a company's annual turnover or £20m, whichever is greater, for the worst breaches of the GDPR. The lower tier carries a maximum fine of 2% of annual turnover or £10m, again whichever is greater.
Even if the UK deviates from the GDPR in time, personal data will still be protected as the European Commission will require a certain level of protections to be implemented.
Points to Note
Whilst currently, there are no significant changes to the DPA planned, it is important to be wary of the rules already in place and what this means for your business. With an ever increasing use of technology and easy access to personal data, it is important to stay on top of the processes and requirements to prevent the risk of an unwanted breach. This can be done by ensuring that all your records are up to date and that you have a representative appointed to ensure that compliance is maintained within your business.
This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact Valerie Bond to discuss any issues you are facing.