It might be Brexit 'no more European rules' complacency or the all-consuming COVID-19 survival strategies – even a mixture of both – but too many companies seem to have forgotten their carefully crafted data privacy strategies. Leaving the EU doesn't mean the end of data compliance regulation – the UK's GDPR, Data Protection Act (DPA) 2018 is, on a practical level, identical to EU General Data Protection Regulation (GDPR). Plus COVID-19 has intensified data security risks – from home working and new digital channels to reliance on third party service providers and the need to now share personal data with, amongst others, pubs and restaurants. Online fraud has rocketed and phishing attacks are becoming ever more sophisticated.
Business growth is predicted to be strong as lockdown measures ease and vaccinations take effect – further accelerating many digital transformation plans. Whether companies are focused on UK or looking to take services beyond the EU to the rest of the world – where data privacy regulation is often even more stringent – the way data is collected, stored and managed is a vital part of business planning. Companies need to rapidly reassess and reprioritise their data privacy strategies, insists Peter Newton, Managing Director, D2 Legal Technology.
How quickly we forget. In the run up to the 2018 EU GDPR compliance deadline, businesses escalated data privacy and security strategy to board level. Senior managers' attention was grabbed not only by the significant hike in fines but also the personal liability introduced by the new legislation. Three years on and in a post-COVID, post-Brexit UK economy, data privacy appears to have slid – if not right off, then significantly further down – the corporate agenda.
Many of those vital Data Protection Officers (DPO) who provided a dedicated data privacy compliance role have been furloughed or their roles have been quietly merged into a compliance function and made redundant. Facebook and LinkedIn are hacked, with 500 million records scraped, including date of birth, name and email address (things that don't change that often!), and there is barely a ripple of concern, with minimal media attention.
Individuals are now happily handing over their personal data – from email addresses to mobile phone numbers – to pubs and restaurants in a bid to secure a chilly pint and sausage roll, with apparently zero concern about how that data is being stored. What happened? And what are the implications for both businesses and individuals?
Unchanged Regulatory Compliance
Just consider what has changed over the past year. Firstly, Brexit. The UK may no longer be part of the European Union but that has not reduced the strength or severity of data privacy requirements. The UK's DPA was designed to mirror GDPR – essentially GDPR was enshrined within UK DPA, which means companies still need to meet the same rigorous data privacy demands as before Brexit.
In fact, there are additional considerations – for example, data collected before January 1st 2021 should be treated as legacy data; while data collected from that date is current. In the event a breach occurs, a company needs to be able to identify these different data resources, as the event may be regulated under different regulatory regimes.
Data transfer between the EU and UK is, of course, essential to continue trading. This is enabled by equivalence being granted – as appears probable in light of the recent Adequacy Statement – and from the date of equivalence being granted would last for four years. This will hopefully be confirmed by the EU before the conclusion of the initial withdrawal agreement on 30th June. In addition, the UK remains a party to the European Convention of Human Rights and to "Convention 108" of the Council of Europe – the only binding multilateral instrument on data protection. Moreover, while the UK has left the EU, it remains a member of the European "privacy family", which recognises a number of other regulations (originated while the UK was a member of the EU) that UK businesses need to consider – from the Freedom of Information Act (FOIA) to the Privacy and Electronic Communication Regulations (PECR), eIDAS regulation for electronic transactions and Environmental Information Regulations (EIR).
Escalating Digital Use and Risk
Compliance with these regulations has become even more pressing given the second key change that occurred during 2020, namely the extraordinary escalation in the use of digital commerce. New channels to market and new ways of working have heightened security risk. A report published by trade body UK Finance showed online fraud rocketed as criminals sought to exploit UK consumers' increasing reliance on online banking, shopping and social media amid multiple lockdowns.
For businesses, the growing sophistication of phishing expeditions suggests criminals have been using very accurate (hacked..?) data for some time – with targeted attacks intelligently and surgically exploiting personal data to hoodwink even the most switched on individual. In addition to mitigating the risk of falling foul of criminal activity, many companies have overlooked some of the basic data security requirements associated with new, "at scale" remote and distributed ways of working.
Video conference calls e.g. Zoom, MS Teams, for example, have become ubiquitous – but how many companies are recording these calls without informing all the participants? How many participants have checked the terms and conditions of the video service? And that is just one of the external services that have been adopted at speed in response to challenges created by the pandemic: who is verifying the way these services are operated, their models of data storage, protection and erasure?
This relaxed ("we must just get through the pandemic") attitude to data security is a massive concern, especially if businesses are planning to expand operations beyond Europe. From Canada to New Zealand, Malaysia to Australia, other countries have rigorous data privacy laws or are refreshing them – with high punitive fines and in some cases personal liability. The People's Republic of China (PRC) is consolidating its data privacy requirements; while there are currently over twenty Bills moving through the US state Legislative process on privacy laws – for individual states. Granted, a number will fail but the themes of consumer rights and business obligations are broadly similar and thematic.
Data privacy compliance has become a fundamental aspect of successful global operations.
It is essential that companies revisit and recommit to data privacy strategies – and that starts with a complete review of all data protection policies and procedures. Revisit the data asset inventory to understand what data is being collected, how and from where it is being collected and stored and the data deletion policies. In addition, companies need to consider third party service providers, such as payroll processors, systems suppliers, marketing clouds etc. to assess their data security and privacy provisions. A data protection impact assessment (DPIA) is key to determine how, when and where a third party is managing this sensitive data.
Enhanced due diligence with all third parties is now vital – but it is also important to review group and inter-group data transfer agreements. Any company using a centralised CRM across multiple jurisdictions, for example, needs to understand the implication of local data privacy regulations and global data transfer laws to ensure compliance.
So much has changed over the past year – but data privacy requirements have not been diminished by the UK's exit from the EU. Not only must UK businesses comply with regulations in the UK DPA that are as stringent and punitive as EU GDPR but the risks associated with data breach have radically increased.
And this is before the potential adoption of biometric data for identity cards, vaccine passports, even work access. By side-lining a commitment to data privacy, companies risk sleep walking into a data protection minefield – and one that, given the scale of possible fines, could be commercially devastating.
It is time to get those DPOs off furlough, embark upon a robust data privacy assessment and ensure that every evaluation of a possible new market includes a deep dive into that country's approach to enforcing data privacy.