The long-anticipated General Data Protection Regulation (GDPR) takes effect on 25 May and will have widespread impact on the sector. Here, Poppleston Allen’s Richard Bradley provides a rundown of the potential consequences – unintended and otherwise – of this major piece of legislation.
While the General Data Protection Regulation (GDPR) doesn’t come into force until later this month, critics have already described it as outdated and largely unenforceable.
Criticism of the GDPR has been focused on some of the ambiguous and somewhat subjective provisions, which make it difficult for operators to know whether or not they will be fully compliant.
The UK’s Information Commissioner’s Office (ICO) appears to be taking a rather pragmatic view and is looking to work with those it regulates and provide advice and assistance where required. Since the implementation of the Data Protection Act 1998 (DPA), the ICO has continued to provide updated guidance as it works with those it regulates, identifying common problems or concerns and this will no doubt continue after 25 May.
To add to the current confusion around GDPR, the UK’s new Data Protection Bill 2017-2019 is currently progressing its way through the Parliamentary process and is designed to replace the DPA. The new Data Protection Act will ensure that GDPR obligations are transposed into UK law following Brexit but will also include specific provisions relevant to the UK, for example where it relates to immigration and the role and responsibility of the ICO. The GDPR also permits EU member states to provide exemptions to the strict control and use of data in particular circumstances, such as for the prevention and detection of a crime. This is in line with the current situation that permits CCTV footage to be disclosed to the police following specific requests for information relating to an active investigation. Unfortunately the details of the new bill are still subject to amendment and are yet to be finalised.
There have been many recent high profile cases, not least the recent concerns regarding social media and access to shared data, which have clearly identified that personal information is a valued commodity. It is the failures that underline the importance of appropriate data protection controls.
The fundamental aim of the regulation is to provide a consistent approach across EU member states, which compels organisations to be transparent and accountable in their use of personal information and to provide consumers with greater control.
One of the main changes under the new Regulation relates to the enhanced rights of individuals to ascertain what information is held about them, whether it needs to be rectified and the ultimate right to have their personal information erased. Erasure is not however an unrestricted right as there may be a legitimate reason for data to be retained, for example compliance with other legal obligations.
And so we have the first headache, what are the lawful grounds for processing data and what does this mean for those in the licensed trade?
This must be freely given and fully informed. In many cases operators are using this basis for marketing campaigns and collection of data for loyalty schemes. Customers should be provided a simple method by which they can opt out of any marketing messages and a clear system for dealing with complaints should be implemented.
Some companies will be relying on ‘legitimate interest’ to send marketing information and operators must ensure that they comply with not only the GDPR but other regulations such as the Privacy and Electronic Communication Regulations 2003 (PECR), which restricts the circumstances in which you can send marketing material by electronic means, such as by phone or text.
This will be appropriate for retaining and processing certain employee data such as reporting salary information to HM Revenue & Customs.
This basis has the broadest scope in many respects but should only be used where it is more appropriate than another lawful basis. This can be used where you have a legitimate reason for processing data in a manner that would be reasonably expected by the individual concerned and which will have minimal impact on the data subject or where there is compelling justification for the processing.
I have heard of some operators investing in extensive software packages that enable the redaction of CCTV images. This should not necessarily be required as requests from the Police for CCTV images must be specific and relate to a criminal investigation. Once the new Data Protection Act comes into effect, disclosure (processing) of the data for these grounds will be permitted and the police would be treated as the data controller and processor of that data following transfer. This in itself is not a significant shift from the status quo.
Do I need a Data Protection Officer?
The GDPR requires that a DPO must be appointed if an organisation carries out large scale processing of special categories of data or data relating to criminal offences.
Many organisations, particularly pubs and restaurants, are unlikely to require a DPO although they may choose to designate a person in this role from a Head Office position. Alternatively, companies may wish to have a data compliance supervisor whose responsibilities may be similar to a DPO without the full obligations that go along with that role.
The regulation does permit the role of DPO to be outsourced based on a service contract although many operators may prefer to keep this an in-house responsibility, ultimately saving the costs of a third party contract.
Who retains responsibility?
The GDPR applies to both data controllers and data processors. Whilst this may seem obvious, the data controller determines the purpose and means of processing the data and the processor is responsible for processing the data on behalf of the controller. The reality is that many operators will carry out both of these roles.
In terms of who retains responsibility for the data, this will depend on the nature of the information and the purpose for its processing. For example, anyone in control of the processing of employee data would retain responsibility for that information. If a managed or tenanted pub operates a loyalty scheme where a list of customers is retained at the premises, it is unlikely that the company’s Head Office will be involved and it will be down to the individual premises management to ensure compliance with its data protection obligations. Where records are retained on a central database such as a national loyalty card scheme, this would suggest that responsibility would lie with Head Office although a group wide policy would be needed if personal information is stored, collected or used at individual premises.
Unfortunately this is one of those subjective areas as to what is an adequate degree of protection and no doubt there are many operators spending significant sums on their IT systems. Electronic records must be secure and appropriately protected. Common software breaches, particularly in respect of malware attacks, are often the result of a failure to ensure that software is kept up to date and that patches and updates are regularly installed. Businesses will have to carry out their own cost benefit analysis before obtaining expensive software packages but proportionate measures should be taken to ensure that data is protected and not transferred to third parties where there is no reason to do so.
The Data breach
Put simply this relates to any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. Where this occurs operators must evaluate the breach to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. Have you shared names, addresses, dates of birth and passwords? How much data has been lost or how long was it exposed? This is of course another somewhat subjective test and the ICO must be notified within 72 hours of the breach if there is a likely risk. Where operators decide that a breach does not need to be reported they should be able to justify the decision and document it. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires that you must inform those concerned directly and without undue delay. There will of course be cost and reputational concerns here and some may feel under pressure not to report failures. If there is any doubt, the best course of action has to be to seek legal advice or speak with the ICO directly. Making an initial report does not mean that penalties will be applied but this does focus the mind to ensure that you document all decisions and have proportionate policies and processes in place.
No doubt many operators will have spent significant time and resources in preparation for the 25th May and unfortunately there is not a one size fits all approach. The ICO has provided advice on its website but operators will have to evaluate their own internal processes and assess how they can best achieve and evidence compliance.
I believe that there has been a degree of scaremongering regarding the implementation of the GDPR, not least because of the potentially significant fines. However, the ICO has indicated that fines will continue to be proportionate to the risks and any fines are likely to be maintained in line with previous penalties. The large scale fines are only likely to be applied in response to significant large scale data breaches where operators have failed to provide appropriate protection measures. This is not to say that there aren’t heightened responsibilities and obligations being imposed but many operators will already be compliant with the existing legislation and this is a good starting point for future data protection compliance.
Richard Bradley is a solicitor at national licensing firm Poppleston Allen