This article aims to provide an insight into data sovereignty and the impact of the General Data Protection Regulation (GDPR) on businesses subject to these new laws. The regulation will apply to all companies (and individuals) that process the personal data of individuals located in the EU. It carries huge sanctions for non-compliance, including fines of up to €20 million or 4% of the organisation’s global revenue, whichever is the greater.
Data sovereignty is the concept that information, whether converted and stored in binary digital form or held in a physical format, is subject to the laws of the country in which it is located or resides. The concept is not too dissimilar from a criminal or civil court hearing being held in the area where the alleged offender committed the offence.
As you can see, the data types listed above cover a vast amount of information that is used by businesses and individuals alike, and it is therefore extremely important that data protection forms a key part of UK company policies.
The UK Data Protection Act 1998 (“DPA”) is the current United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It is currently the main piece of legislation that governs the protection of personal data in the UK.
Outlined below are some of the key legislative principles from the DPA:
The Information Commissioner’s Office (“ICO”) is the UK’s current independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
General Data Protection Regulation
In April 2016, an agreement was reached between the European Parliament and European Commission on a new privacy and personal data regulation called the General Data Protection Regulation (“GDPR”). GDPR will replace all existing data protection laws and regulations in EU Member States, and Supervisory Authorities will be appointed to enforce such laws. GDPR will come into force on 25 May 2018.
On 23 June 2016, the UK voted in favour of leaving the European Union in a national referendum. As a result, it was declared that the UK would trigger Article 50 of the Treaty on European Union in March 2017, thereby commencing negotiations to leave the EU. However, the High Court ruled that the government cannot trigger Article 50 unless Parliament expressly votes in favour of it, a decision which was reiterated by the Supreme Court. When, or if, Article 50 is triggered, the negotiations to leave the EU will likely take at least 2 years to complete, and the UK will continue to be bound by EU law until those negotiations conclude. The UK will therefore be subject to GDPR at least until it has officially withdrawn from the EU. For this reason, it is imperative that all UK businesses that process data in the EU, or that have an “established” business located in an EU Member State, take steps to align their data protection policies and procedures with GDPR.
GDPR has been introduced to protect personal data and will apply to any business or organisation holding customer or personnel information. The regulations state the “data controller” is responsible for ensuring that data is stored and managed in compliance with the regulations.
Key legislative provisions of GDPR:
Scope of GDPR (Articles 3 and 27 of the GDPR)
The Scope of GDPR is extremely wide. GDPR applies to companies residing in the EU and companies based outside the EU that process personal data of data subjects located in the EU.
This means that even when the UK leaves the EU, UK companies will still need to comply with GDPR if they process personal data of data subjects located in the EU in connection with the above.
Even if data is not processed in the EU, the mere establishment of a company within an EU Member State carrying out a “real and effective” activity will require compliance with the GDPR.
Cross border processing (Article 56)
If the Data Controller and/or Data Processor has an establishment in more than one Member State, the “main establishment” will need to be determined. This is the establishment where the decisions on the purposes and means of processing personal data are made. Notably, the fact that personal data is processed in a particular location is not a criterion for determining whether that location is the main establishment.
The lead Supervisory Authority (typically located in the main establishment) for a company bound by GDPR is responsible for overseeing the enforcement of the regulation across all relevant establishments belonging to that company, and will collaborate with the local Supervisory Authorities that have jurisdiction over the subject matter. Supervisory Authorities are also expected to be competent to handle local matters independently of the lead Supervisory Authority where required.
Where a data processor is a public authority or private body in the public interest, the only Supervisory Authority that is seen by GDPR as competent to exercise powers on the relevant subject matter will be the Supervisory Authority located where the public authority or private body is established.
Reporting Requirements (Articles 35-39)
- Companies processing more than 5,000 records of personal data per year will be required to appoint independent Data Protection Officers (DPOs) to comply with the GDPR. DPOs will be responsible for monitoring compliance with the GDPR, raising awareness of the data protection laws and acting as a liaison to the relevant Supervisory Authority. DPOs will be required to undergo suitable training on GDPR to hold this position; the role should not be an arbitrary appointment.
- Data breaches must be reported by the appointed DPOs within 72 hours of the breach. The DPO must report to the highest management level of the relevant company and will need to maintain a personal data breach register.
- Companies will be required to carry out Data Privacy Impact Assessments (DPIAs) to identify how data handling procedures and processes could impact the safety of a data subject’s information. If a DPIA reveals a strong chance that the safety of a data subject’s information will be compromised by the processing of certain data, this should be reported to the Supervisory Authority. The DPO will also be legally obliged to provide the DPIA to the Supervisory Authority whenever it is requested.
- Reporting lines will need to be created for larger organisations, and a corresponding budget and data protection compliance programme should be introduced.
Fair Processing Notices and Consent (Articles 12-15)
Companies falling under GDPR will be required to evidence clear and affirmative consent from data subjects in relation to the processing of their personal data. Consent will then be required again if the same personal data is to be used for a different purpose. Unless there is a legislative requirement for a company to continue to hold personal data, then the data must be deleted at the request of the data subject and/or if it is no longer necessary to store such information.
Sanctions for breach of GDPR (Articles 83-84)
As previously mentioned, a breach of GDPR can lead to a maximum fine of €20 million or 4% of the organisation’s global revenue (whichever is the greater).
There is also a lower tier fine of €10 million or 2% of the organisation’s global turnover for infringement of the provisions relating to the obligations of the data controller, data processor and monitoring body.
Whilst the UK is still subject to EU law, it will have the same data protection regulation as other EU Member States. Once the UK does leave the EU, however, the UK government will need to introduce its own national data protection legislation. If the UK wants to participate in the free flow of data across European borders after leaving the EU, it will have to adopt the same data protection standards as the GDPR. The UK’s ICO has stated that “international consistency around data protection laws and rights is crucial, both to businesses and organisations and to consumers and citizens”. Unless the UK follows the new EU rules, foreign companies may lose the ability to process European consumer data in the UK (e.g. a company based in Italy may not be able to use data centres in the UK if the data protection laws differ between the two countries). The objective of the “Great Repeal Bill”, announced by Parliament in October 2016, is to clarify which elements of EU law will be incorporated into domestic law. The legal changes within the Bill will take effect on the day that the UK leaves the EU.
Cloud computing is a model whereby a company outsources its data to a “cloud provider” for management and storage, rather than building and maintaining computing infrastructure in situ. There has been a huge increase in the use of cloud-based services by a plethora of businesses owing to their low cost and reliable, efficient storage capabilities.
However, in light of the impending GDPR, UK-based companies (or companies processing data in the UK) will need to ensure that their chosen cloud provider is compliant with GDPR whilst the UK is still subject to EU law, and then compliant with whatever national legislation is introduced thereafter.
Outlined below are a few matters for consideration when choosing a cloud provider in light of these new regulations:
Overall, the GDPR creates a wider, clearer and more authoritative system offering more protection to data subjects and organisations that fall within the scope of the regulations.
With GDPR due to come into force in 2018, companies that fall under this regulation must be vigilant in increasing staff awareness of its provisions, including periodic refresher courses and training sessions. GDPR has been created with a huge emphasis on accountability for companies affected. Organisations that process personal data in more than one Member State will need to be clear on the liability of each establishment and the DPO’s reporting duties to the relevant Supervisory Authority.
With the ever-increasing use of cloud computing, it is crucial that companies screen their chosen cloud providers thoroughly to ensure that they are in compliance with the relevant legislation (GDPR or national equivalent).
Technical and organisational measures will need to be implemented so that privacy is embedded in company software, systems and processes, and not bolted on at the point of delivery (“privacy by design”). Failure to comply with the requirements of this new regulation could lead to extremely serious consequences for those in breach. Controls should be placed on the processing of personal data, including the amount of data collected, the extent of its processing and the period of storage.
The national data protection regulations that will come into force once the UK leaves the EU are likely to be based on provisions similar to GDPR, to achieve continuity across the digital market; however, there is no certainty on this as yet. Once the new national regulations are determined, businesses will once again be required to scrutinise them closely in order to continue protecting personal data.
About the Author
Chi Onugha is an In-house Solicitor at Mansion House Consulting and has amassed a wide range of experience in Financial Services, Corporate Law and Commercial Contracts.
About Mansion House Consulting
MHC is an international business and technology consultancy, focused exclusively on the financial services sector. We provide high quality, practical and robust solutions for the industry through our team of highly experienced consultants and subject matter experts.
We specialise in change and transformation management, toolkits, regulatory and governance frameworks. We deliver solutions globally to the transaction and investment banking communities, including leading Tier One clients from the financial services industry.
Established in 2009, we have been expanding and evolving ever since, with a team in excess of 300. We were listed in the Sunday Times Tech Track 100 in four consecutive years (2013-2016), in the London Stock Exchange’s 1000 Companies to Inspire Britain 2015, and in the Investec Mid-Market 100 list in 2016. Headquartered in London, we have a global presence through offices in Frankfurt, Singapore, New York, Jacksonville (Florida) and Bangalore (India).
To find out more about our services, explore our website www.mansion-house.co.uk or contact:
Mansion House Consulting Limited
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, the Mansion House Consulting Limited Group, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2017 Mansion House Consulting Limited. All rights reserved.
In this document, “MHC” refers to the UK entity, and may sometimes refer to the MHC group network. Each MHC entity is a separate legal entity. Please see www.mansion-house.co.uk for further information.