Organisations need to be fully aware as to whether the new General Data Protection Regulation, which came into force on 25 May 2018, affects them and what they need to do.
Data was often just an unmanaged and neglected by-product of normal business activities, its potential as a source of revenue in its own right largely unrecognised. We now live in the big data era, where vast amounts of what used to be unstructured data are being organised and systematically mined for what can sometimes be very profitable information.
And many organisations are, accordingly, aware of the potential value and usefulness of the data they hold (I use the word “hold” advisedly, as you will see).
But what is “data”? In this context, we mean information of any kind that can be stored in electronic or digital form and is typically used, processed or accessed by way of a computer.
One legal point at the outset. There is no “property” in data, unlike in a house or a car. So you do not own all that information that Facebook has harvested about you over the years, any more than Facebook does. What regulates the whole data universe and stops it descending into an anarchic free-for-all is that rights to use and exploit data may be subject to constraints under general law, and, for some types of data, those who hold it are subject to often rigorous obligations on its storage, use and exploitation.
We need at this stage to make a distinction between “personal data” (which has a very specific definition) and all other types of data that an organisation may hold.
Personal Data is defined in the UK’s primary piece of data legislation, the Data Protection Act 1998, as data which relate to a living individual who can be identified either from those data alone, or from those data together with other information which is in the possession of, or is likely to come into the possession of, the “data controller”; the definition includes any expression of opinion about the individual. There is a sub-category defined as Sensitive Personal Data where the data concerns matters such as the individual’s racial or ethnic origin, physical or mental health and a number of other matters set out in the Act.
The Data Protection Act imposes stringent obligations on what are termed data controllers, those who “determine the purposes for which and the manner in which any personal data are, or are to be, processed”, which is essentially those holding personal data, other than when they are processing that data on someone else’s behalf (which would make them a “data processor”).
There has been a great deal of publicity, and perhaps a bit of scaremongering, about the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. Whatever the hype, organisations must establish whether the new rules apply to them and what they need to do to stay compliant.
Changes brought in by the regulation
Notable changes brought in by the regulation include:
- Data processors now have direct responsibility for keeping data secure and are accountable for it in their own right, not merely through their contract with the controller.
- Implementing “Privacy by Design”, an approach to projects that promotes privacy and data protection compliance from the start.
- Notification of breaches is now a legal requirement. A data processor must notify the data controller of a breach without undue delay; the controller must then notify the relevant supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to those rights and freedoms, the controller must notify the affected data subjects as well.
- The GDPR has a global reach, because its application does not depend only on where the organisation is located. It applies to any organisation established in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the processing itself takes place.
- Serious infringements can attract fines of up to 20 million Euros or 4% of total worldwide annual turnover, whichever is greater, and these can be levied against both data controllers and data processors.
Legal constraints and exploitation
Where the data which an organisation holds is not personal data, the legal constraints on its use and exploitation may include:
- Intellectual Property. The main area of IP law that is likely to be relevant is copyright – in other words, an organisation must ensure that, in using or exploiting data, it is not infringing another person’s copyright in that data. There is also a specific IP right, the “database right”.
- Confidentiality. Data held by an organisation may be subject either to contractual confidentiality provisions or to the general law on confidential information. The general law applies to information which is clearly confidential in nature and is disclosed by one person to another (so it must not be something which is public property or public knowledge), or to information disclosed in circumstances which clearly imply an obligation of confidence on the part of the recipient.
- Sector-Specific Regulation. The legal profession, as an example, has long been constrained by rules on the extent to which client information can be used or disclosed, and similar, often very stringent, rules now apply elsewhere, for example in the banking and financial sector.
Though the consequences of breaching legal constraints on the use and exploitation of non-personal data may not be as bad as those for a breach of the GDPR, they may still be severe, both financially (in damages, regulatory fines and legal costs) and, as with GDPR breaches, in terms of loss of reputation and goodwill, a longer-term and possibly worse effect than the financial hit.
In conclusion, organisations holding a data resource must:
- Understand what data they hold (is it personal data, for example?), where it came from (does any other person have rights over it?) and the legal constraints, if any, on its use and exploitation;
- Protect the value of data as a resource by ensuring appropriate IT security and by implementing internal policies that make employees and contractors aware of their obligations to support and uphold it;
- Ensure that any data sharing with other organisations takes place under legally binding provisions which set out the confidentiality of the data and the obligations of the recipient, so that the organisation can enforce protection of the data it holds if required.