Developing a GDPR compliance strategy: the links in the data supply chain
October 2017 | EXPERT BRIEFING | DATA PRIVACY
Board members and other leaders now have a little more than six months left to prepare their businesses for compliance with the EU’s General Data Protection Regulation (GDPR). For most businesses, the starting point for a compliance strategy, after appointing a steering group to oversee it, will be an audit to establish the facts: identifying all of the business’ data assets, where the data is held, who uses the data on the business’ behalf (both within the business and externally) and for what purposes.
By this point in the run-up to 25 May 2018, when GDPR becomes applicable, the business ideally needs to have completed its audit, identified all of its data assets and identified any gaps between its current compliance measures and those that GDPR will require. If all is going to plan, the business will now be putting in place the measures required to bridge those gaps.
Personal data supply chains
GDPR is difficult to interpret, not least because the official guidance published to date is still limited in scope. At this stage, however, we can see that it will affect personal data supply chains in four key ways, outlined below.
First, more detailed privacy notices. Privacy notices tell data subjects how the business will use their personal data. They are required under current EU law, but GDPR requires them to be more detailed.
For example, it is still common practice for businesses to give data subjects limited information, for instance a short sentence or paragraph about how the data subject’s personal data will be used in the immediate short term.
GDPR requires businesses to give data subjects a more strategic, long-term and detailed view of how their personal data will be used. Where the business intends to share the personal data, the privacy notice will need to be specific enough for the data subject to make an informed decision about whether or not they are willing to let their personal data be shared.
Businesses for whom the supply of personal data to their customers is a core activity will need to ensure their data subjects receive detailed privacy notices which meet the requirements of GDPR well in advance of 25 May 2018, so that from that date they are able to lawfully pass on the personal data to their customers or suppliers on the basis that the data subjects have been lawfully ‘informed’.
Businesses that rely on feeds of personal data from third-party suppliers, for example suppliers of personal data for direct marketing, will need to scrutinise their data suppliers’ practices. Do data suppliers ensure that their data subjects receive GDPR-compliant privacy notices?
Second, more limited opportunities for getting consent. There are several routes to lawful processing alongside consent, but where consent is relied on the rules are getting tougher. Businesses have got used to being able to rely on ‘implied’ consent under the current law. ‘Implied’ consent is obtained relatively easily because it can be obtained by virtue of the data subject not saying no when given an informed opportunity to do so. One of the major moves made by GDPR is that, in broad terms, this kind of ‘implied’ consent will no longer be lawful: GDPR defines consent as a clear affirmative act (Article 4(11)), and Recital 32 states that silence, pre-ticked boxes and inactivity do not constitute consent.
Businesses for whom the supply of personal data to their customers is a core activity will need to amend their business processes so that when they acquire personal data, they obtain permission (such as consent) that is demonstrably informed (for example, based on a detailed privacy notice), specific as to the scope of use by both the business and its customers, affirmative where consent is the permission relied on, explicit rather than buried within detailed terms and conditions, and evidenced.
GDPR recognises that data subjects may withhold their consent to their personal data being processed. The business will need to establish flexible systems and records that give data subjects (including employees) real options in terms of whether they allow the business to carry on more than the minimum amount of data processing.
GDPR also recognises that data subjects may withdraw a consent previously given, and requires that withdrawing consent be as easy as giving it (Article 7(3)). The business will need to establish systems that record and act on each data subject’s current consent. Alternatively, the business will need to rely on a source of permission that is recognised by GDPR but is other than consent.
Businesses that rely on feeds of personal data from third-party suppliers will need to scrutinise their suppliers’ practices. Do their suppliers obtain consent (where it is relied on) to the standard required by GDPR? What are the arrangements for ensuring that the suppliers update the business as and when the data subjects change their consent, or withdraw it?
In the case of direct marketing data suppliers, have they obtained consent to use of the data for direct marketing by your business (or a business of that specific type), and are the specific consents in place for marketing via the specific communication channels you have in mind?
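The consent requirements above (an affirmative act, scope that is specific to purpose, channel and recipient, an evidence trail, withdrawal, and keeping downstream recipients updated) map naturally onto an append-only consent ledger. The following Python example is added here to illustrate that design; it is not code from the article or from Mills & Reeve, and every name, field and sample record in it is an assumption constructed for illustration.

```python
"""Append-only consent ledger: affirmative, specific, evidenced and withdrawable consent.

Added illustration, not the article's or any vendor's code. The class names, field
names and the sample events in demo() are assumptions made up for this example.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper so ordering comparisons are unambiguous."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str             # e.g. "direct_marketing"
    channel: str             # e.g. "email", "sms", "telephone"
    recipient: str           # who may use the data: "self" or a named customer/customer type
    granted: bool            # True = grant, False = withdrawal
    notice_version: str      # privacy notice the subject saw when the record was made
    affirmative_action: str  # how consent was expressed, e.g. "ticked_unchecked_box"
    evidence_sha256: str     # fingerprint of the captured record, so the event is evidenced
    recorded_at: datetime


class ConsentLedger:
    """Append-only store of grants and withdrawals; nothing is ever edited in place."""

    # Forms of 'consent' that are not a clear affirmative act and are therefore refused.
    NOT_AFFIRMATIVE = {"pre_ticked", "silence", "implied", "inactivity"}

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, channel: str, recipient: str,
               granted: bool, notice_version: str, affirmative_action: str,
               raw_record: dict, recorded_at: datetime | None = None) -> ConsentEvent:
        if granted and affirmative_action in self.NOT_AFFIRMATIVE:
            raise ValueError(f"'{affirmative_action}' is not an affirmative act; consent not recorded")
        # Hash of exactly what was captured (form fields, IP, UI text) gives a tamper-evident
        # evidence trail without storing the raw capture in the ledger itself.
        digest = hashlib.sha256(json.dumps(raw_record, sort_keys=True).encode("utf-8")).hexdigest()
        event = ConsentEvent(subject_id, purpose, channel, recipient, granted, notice_version,
                             affirmative_action, digest, recorded_at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, channel: str, recipient: str,
                 raw_record: dict, recorded_at: datetime | None = None) -> ConsentEvent:
        # Withdrawal must be as easy as granting, so it bypasses the affirmative-act check.
        return self.record(subject_id, purpose, channel, recipient, False, "n/a",
                           "withdrawal", raw_record, recorded_at)

    def current(self, subject_id: str, purpose: str, channel: str, recipient: str,
                at: datetime | None = None) -> ConsentEvent | None:
        """Latest event for this exact (purpose, channel, recipient) scope as of `at`, or None if never asked."""
        at = at or datetime.now(timezone.utc)
        matching = [(e.recorded_at, i, e) for i, e in enumerate(self._events)
                    if (e.subject_id, e.purpose, e.channel, e.recipient)
                    == (subject_id, purpose, channel, recipient) and e.recorded_at <= at]
        return max(matching, default=(None, None, None))[2]

    def permits(self, subject_id: str, purpose: str, channel: str, recipient: str,
                at: datetime | None = None) -> bool:
        """Specific consent: an email grant does not cover SMS, and one recipient's grant does not cover another."""
        event = self.current(subject_id, purpose, channel, recipient, at)
        return event is not None and event.granted

    def changes_since(self, since: datetime) -> list[ConsentEvent]:
        """Update feed for downstream recipients: every change recorded after `since`."""
        return [e for e in self._events if e.recorded_at > since]


def demo() -> dict:
    """Constructed sample (not real data): one subject grants email marketing consent, then withdraws it."""
    ledger = ConsentLedger()
    t_grant, t_withdraw = utc(2018, 5, 25), utc(2018, 6, 24)
    ledger.record("subj-001", "direct_marketing", "email", "acme_retail", True, "notice-v2",
                  "ticked_unchecked_box", {"form": "signup", "ip": "203.0.113.5"}, t_grant)
    ledger.withdraw("subj-001", "direct_marketing", "email", "acme_retail",
                    {"via": "unsubscribe_link"}, t_withdraw)
    return {
        "email_ok_at_grant": ledger.permits("subj-001", "direct_marketing", "email", "acme_retail", t_grant),
        "sms_ok_at_grant": ledger.permits("subj-001", "direct_marketing", "sms", "acme_retail", t_grant),
        "other_recipient_ok": ledger.permits("subj-001", "direct_marketing", "email", "other_co", t_grant),
        "email_ok_after_withdrawal": ledger.permits("subj-001", "direct_marketing", "email", "acme_retail", t_withdraw),
        "changes_for_recipient": len(ledger.changes_since(t_grant)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the compliance weight. The permission check keys on the full (purpose, channel, recipient) tuple, so a grant never silently widens to another channel or another business; and the ledger only appends, so a point-in-time query (`permits(..., at=t)`) can show that a send made before a withdrawal was lawful when it happened, while `changes_since` gives a data supplier a concrete way to push consent changes to the businesses it supplies.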
Third, more detailed contractual controls. Existing EU laws require businesses to put in place contracts to govern use of personal data by their suppliers and service providers: data processors. Existing recommended practice is also for businesses to enter into contracts for other types of personal data sharing, such as strategic partnerships, intra-group use of personal data and the supply of personal data as a business. GDPR imposes more detailed requirements for data processing contracts (Article 28 sets out the terms they must contain), and recommended practice for other data shares will continue as before. The challenge for businesses in setting up (or reviewing and revising) these contracts in preparation for GDPR will partly be to meet the new standards, but the major challenge will be to ensure that the contracts take account of the wider data landscape.
It is through these contracts that businesses, when acting as data suppliers, will be expected to provide assurances about the privacy notices they have issued to their data subjects, and the permissions they have obtained from data subjects. And when acting as data recipients, it will be through these contracts that businesses will expect to obtain these assurances.
Driven by EU regulators and data subjects, data security (including IT and cyber security) is a key factor for any business that uses personal data. It is through these contracts, and the associated compliance due diligence and procurement processes, that data users will obtain, and data suppliers are expected to give, security assurances. GDPR has a wider spectrum of concerns than existing EU data protection law: Article 32 explicitly refers to measures such as encryption and pseudonymisation, to the ongoing confidentiality, integrity, availability and resilience of processing systems and services, to the ability to restore availability of and access to personal data after an incident, and to a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Fourth, policies and procedures. Personal data management within supply chains requires clear, business-specific and robust policies and procedures to be in place.
Stalking horse legislation
There are two items of legislation that, for various reasons, have received less coverage than GDPR but are nevertheless relevant to business.
The EU proposes a new ePrivacy Regulation that will apply to the use of personal data for certain direct marketing purposes. This regulation will replace the existing ePrivacy Directive, which establishes rules on: (i) the use of website cookies (regulated whether or not the cookie contains personal data, i.e. data relating to an identified or identifiable person); (ii) the use of telephone calls for direct marketing purposes; (iii) the use of fax for direct marketing purposes; and (iv) the use of email for direct marketing purposes. The email rules include the ‘hard opt-in’, which requires businesses to obtain explicit and direct consent to email direct marketing, and the ‘soft opt-in’, under which (in very broad terms) a business that has not obtained explicit consent but has provided goods or services to an individual may lawfully send direct marketing to the individual via email if certain conditions are met.
For many businesses, these are key purposes for which the business acquires and uses personal data.
In addition, there is Directive 2016/680, which was adopted by the EU on the same date as GDPR and applies to the use of personal data for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties. The Directive itself is addressed to processing by ‘competent authorities’ (police, prosecutors and other bodies entrusted by national law with public authority for these purposes); it reaches businesses mainly where they process personal data for or on behalf of such authorities, or through the national legislation that implements it. Businesses may use personal data for these purposes in a number of contexts, including (depending on the sector, or the sectors, in which the business operates): as part of recruiting staff to certain roles; as part of anti-fraud measures; and as part of cyber-security intelligence measures.
For both items of legislation, it is currently a case of ‘watch this space’. The ePrivacy Regulation has not yet been adopted by the EU. A draft was published in January 2017, but it is expected to change significantly before adoption, which is currently expected in late 2017. On 25 May 2018, when GDPR applies, so far as one can tell at this stage the ePrivacy Directive will continue to apply, so GDPR’s initial impact on direct marketing will be on data supply chains, not on the detailed direct marketing rules.
The implications of the ‘crime purposes’ directive will need to be teased out in national legislation, since much of criminal law and procedure remains a matter for the Member States rather than EU law. In the case of the UK, for example, the Directive could have an impact on legislation such as the Regulation of Investigatory Powers Act 2000 and regulations under it (which apply to business use of measures such as CCTV), the Disclosure and Barring Service regime, and legislation for specific sectors, such as financial services and the health and care sectors.
Businesses will need to stay alert for updates on both items of legislation later this year. As matters stand, businesses that wish to take a conservative approach to compliance may be able to discern enough at this stage to put in place direct marketing measures that will be sufficient under GDPR and the ePrivacy Regulation. Other businesses will need to plan a review of their direct marketing measures in early 2018 (at the earliest), and a review of their ‘anti-crime purpose’ data processing when the relevant local legislation is available.
David Hall is a principal associate and Isabel Teare is a technology lawyer at Mills & Reeve LLP. Mr Hall can be contacted on +44 (0)121 456 8328 or by email: email@example.com. Ms Teare can be contacted on +44 (0)1223 222 402 or by email: firstname.lastname@example.org.
© Financier Worldwide