In the third edition of our exclusive webinar series, we spoke to BLM partner and intellectual property specialist Steve Kuncewicz about how the upcoming General Data Protection Regulation will impact eCommerce.
GDPR is set to come into force on 25th May 2018 regardless of Brexit and will supersede the Data Protection Act 1998. In a nutshell, it means that personal data must be processed lawfully and fairly, held securely, used as little as possible, and used only for a limited and specific purpose. In the past couple of years the Information Commissioner's Office (ICO) has issued a record number of monetary penalties, totalling approximately £3.2 million in 2016, and has taken action against big corporations such as TalkTalk and Morrisons. So it's understandable why average laypeople like you and me are apprehensive about GDPR's introduction. This blog post is intended to break down exactly what GDPR is and what it is not, dispelling many common misconceptions along the way.
Meet Steve Kuncewicz
As well as being a close friend of our founder Darren, Steve Kuncewicz is one of the North West's leading intellectual property lawyers. Before becoming a partner at insurance, risk and commercial law specialists BLM, Steve was head of legal at fashion enterprise Boohoo, so he has years of hands-on experience. His expertise spans many topics, including copyright and trade marks, domain names, moral rights, marketing and advertising.
- Facebook: www.facebook.com/steve.kuncewicz
- LinkedIn: uk.linkedin.com/in/stevekuncewicz
- Twitter: @SteveKuncewicz
Why is Privacy Important?
Privacy is about respecting individuals' autonomy. Levels of privacy protection currently differ quite drastically across European Union Member States, so GDPR is intended to level the playing field and make it easier for data subjects to know their rights. Since the introduction of the Data Protection Act in 1998, technology and the internet have grown in leaps and bounds, which means this area of the law is outdated. Data protection applies to every business that makes use of personal data, so failure to comply may lead to a monetary penalty, regulatory action, claims from stakeholders and bad publicity.
Principles of Data Protection
Making sure your business is in line with the Data Protection Act 1998 is a necessary prerequisite to ensuring compliance with GDPR. This means that:
- Personal data must be used fairly and lawfully – tell people who you are and what you are going to do with their data
- Personal data can only be processed for specified and limited purposes – only use the data for the purpose originally stated; if the purpose changes, you need to obtain consent again
- The data collected must be adequate, relevant and not excessive – collect the minimum amount of data you need
- The data must be accurate and kept up to date – take reasonable steps to ensure accuracy and give data subjects regular opportunities to update their details
- The data cannot be kept for longer than strictly necessary – keep data only for as long as the specified purpose requires
- Data must be processed in accordance with the data subject's rights, e.g. the right to object to processing and the right to opt out of marketing
- Security must be appropriate to the cost of implementing it and to the potential harm that could result from a breach
- Personal data cannot be transferred outside the European Economic Area except to a state with 'adequate protections'
What Is GDPR?
From 25th May 2018 merely complying with the Data Protection Act 1998 will not be sufficient. GDPR is intended to give more rights to the Data Subject as well as provide more accountability to the Data Controller and Processor. In essence:
- Implicit or assumed consent is no longer adequate with regard to personal data
- Data Subjects have rights regarding the access, deletion, protection, processing and movement (portability) of their personal data within the EU, and the right to an effective judicial remedy
- There is a duty on Data Controllers to report breaches to the ICO and, where the risk is high, to affected Data Subjects; Data Processors must report breaches to the Controller they process for
Under GDPR consent to data processing is held to a much higher standard, and businesses MUST be able to demonstrate that Data Subjects have given it. Keep a record of what each person consented to, when, and how.
- Consent needs to be specific, informed, freely given, unambiguous and affirmative – pre-ticked boxes and silence do not count
- If consent is obtained for multiple purposes, consent needs to be given separately for each purpose
- Consent can be withdrawn at any time and must be as easy to withdraw as it was to give
- Performance of a contract can't be made conditional on consent to processing that isn't necessary for that contract
- The ICO recommends refreshing existing consents to ensure they meet GDPR standards – but there is no requirement to do so if they already meet the new standard
Sometimes consent isn’t viable and the legitimate interests of the controller may provide a legal basis for processing data. There is no exhaustive list of what a legitimate interest is, but examples include fraud prevention, customer risk assessments, customer due diligence and network security.
A three-part litmus test can be used to help identify whether legitimate interests apply. It asks:
- Does a legitimate interest exist? Why is it important?
- Is the proposed processing necessary for that interest? Could you achieve the same result in a less intrusive way?
- Does the interest outweigh the individual data subject's rights, freedoms and reasonable expectations?
Failure to comply with these regulations can and will result in a penalty. The most serious fines can be as high as €20 million or 4% of your business's worldwide annual turnover, whichever is greater, so it's important to get it right. Penalties must be effective, proportionate and dissuasive. You may face a monetary penalty for many reasons, including but not limited to: failure to implement privacy by design, failure to notify a breach, failure to carry out privacy impact assessments, and failure to appoint a Data Protection Officer (DPO) where one is required. Breaches of personal data MUST be reported to the ICO without undue delay, and where feasible within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the risk to individuals is high, they too must be notified without undue delay.
Key Terms
- Data subjects – living individuals to whom personal data relates
- Data controllers – determine how and why personal data is used and usually own the data. They carry most of the compliance burden
- Data processors – process data on behalf of the controller, e.g. management, brokering, or collection on behalf of others
- Personal data – any data that identifies a living individual, either alone or in combination with other data
- e.g. name, address, contact details, photos
- There are additional safeguards for sensitive personal data, e.g. health, ethnicity, political opinions, sex life
- Processing – obtaining, recording or holding personal data, or carrying out any operation on it