Data protection has become an increasingly political issue, as emphasised by the reaction to the recent decision of the Court of Justice of the EU (“CJEU”) regarding the safe harbour scheme. With the imminent arrival of a new European data protection regime, now is the time for organisations to take stock of their existing data protection practices and procedures.
SaaS and Cloud companies are at the forefront of developing novel uses for personal data and as such they need to be considering their data protection obligations from the outset. Data protection compliance must be a priority when developing any new products or services.
The Future of Data Protection in Europe
The way organisations handle personal data in the UK is currently governed by the Data Protection Act 1998 (“DPA”), which implemented the European Data Protection Directive 1995. The technological world we lived in back in 1995 is very different to today and as such our current data protection regime is extremely outdated. The European Union is in the process of finalising the General Data Protection Regulation (“Regulation”) which will have significant consequences for all businesses that provide products and services to European citizens, especially those operating in the SaaS and cloud fields.
The Regulation should be finalised in early 2016 and businesses are likely to be given two years to prepare before the Regulation becomes enforceable.
The current regime
Cloud providers have often relied on the fact that the DPA only places obligations on data controllers. Under the DPA an organisation will be a ‘data controller’ if it determines the purposes for which, and the manner in which, any personal data it holds is to be processed. Cloud providers have always argued that they only process personal data on behalf of controllers and as a consequence they are not caught by the DPA; this is something that will change under the Regulation.
With the increasing popularity of data collection technologies, such as data scraping and beacon technology, it is important for organisations to understand that the definition of personal data under the DPA is extremely broad. It is any data relating to living individuals who can be identified from that data, or from that data and other information which is in, or likely to come into, the possession of the data controller. Data which may appear to be anonymous may actually be caught by the DPA.
The DPA defines 8 enforceable principles with which a data controller must comply when processing personal data and, whilst there are significant changes on the way under the Regulation, these 8 principles are a good foundation on which to base an organisation’s compliance regime.
The data must be:
(i) fairly and lawfully processed;
(ii) processed for limited purposes;
(iii) adequate, relevant and not excessive;
(iv) accurate and up-to-date;
(v) not kept longer than necessary;
(vi) processed in accordance with the individual’s rights;
(vii) kept secure; and
(viii) not transferred to countries outside the European Economic Area without adequate protection.
It is important that your business complies with the DPA, as breaches can result in fines and criminal sanctions, as well as adverse publicity and reputational damage. Currently the Information Commissioner’s Office (“ICO”) has the power to fine organisations up to £500,000 per breach of the DPA.
What impact will the new Regulation have?
The fact that it is a regulation, not a directive, means it will be legally binding in all member states from a set date and directly applicable without the need for national legislation. This should mean that we have a uniform data protection regime across Europe, unlike the current patchwork we have across the various member states.
As I mentioned above, one of the key features of the new Regulation is that for the first time it will place express obligations on data processors.
The ICO has released guidance on how to prepare for the new Regulation. It states, ‘the short answer is to make sure you’re right on the ball in meeting your current responsibilities’. This includes identifying which of the data you hold qualifies as personal data and where it is stored. It is advisable to start minimising the amount of data that your business holds as far as possible, and to ensure that your business is not holding onto data for longer than necessary.
The ICO guidance also asks ‘how far do you give your customers control over what information you keep about them and how you use it?’ This is because, for consent to be valid under the new Regulation, it must be explicit, and businesses will no longer be able to rely on implied consent.
Privacy by design is a concept that is already on the ICO’s radar and is something that will be of increasing importance when the new Regulation is agreed. It is a concept that organisations should all be incorporating into their business models and something which I will discuss in detail in a future note.
As currently drafted, the Regulation will require organisations to report all data breaches to the ICO within 72 hours of being informed of the breach, and the individuals affected must then be informed without undue delay. This is an important change to the current legislation, as it will require organisations to develop and implement an ongoing audit process to ensure data breaches are detected and managed as quickly as possible.
As indicated above, the Regulation introduces a more stringent data protection compliance regime. The details are still being decided, but it has been indicated that fines will be up to the greater of €100 million or 5% of the organisation’s turnover. This is a significant jump from the ICO’s current limit.
Once implemented it is hoped that the Regulation should modernise data protection law and ensure harmonisation amongst member states.
Over the next few weeks, and following on from this overview of the Regulation, I intend to focus on three areas which are likely to be of most significance to your business. I will discuss “privacy by design”, which all organisations should be incorporating into all new projects. I will also discuss “international data transfers” and how they are relevant to most businesses, even where they do not think that they export personal data outside the EEA. Finally, I will look at cyber security, focusing on the steps that organisations should take to minimise the risk following a cyber breach.
This post was produced in partnership with Christopher Coughlan at Ashfords.