Data Protection and the GDPR

Hopefully, our short summary of key issues below will prove helpful in understanding this complex firmament. If you have any queries, you can contact simon.halberstam@smab.co.uk

This section of weblaw.co.uk has the following contents:

Part 1 – Data Protection in outline

The principal law in this area derives from the Data Protection Act 2018 (DPA) and the General Data Protection Regulation 2016/679 (GDPR).

  1. What does the DPA do?
    • Eight ‘Data Protection Principles’:
      1. “Fair and Lawful” (the ‘conditions’ for processing)
      2. “Purposes”
      3. “Adequacy”
      4. “Accuracy”
      5. “Retention”
      6. “Rights” of data subjects
      7. “Security”
      8. “International Processing”
    • Principles 1 and 2 are key to deciding how an organisation collects and uses data.
    • Principles 4 – 5 and 7 – 8 inform how data is stored.
    • Principle 6 informs how organisations must deal with enquiries/complaints by data subjects.
  2. How has GDPR changed the landscape?
    • There are a huge number of changes to the way that organisations must collect and store data, as well as how they must respond to data subjects.
    • The headlines can be summarised as follows:
      1. New regime for fines for breach – now much higher than before.
      2. ‘Consent’ now has a new meaning “freely given, specific, informed … by a statement or by a clear affirmative action”.
      3. ‘Pseudonymised’ / ‘Anonymised’ now recognised as concepts in law.
      4. Obligation to implement ‘Data Protection by Design and Default’
      5. Obligation to perform ‘Data Protection Impact Assessments’
      6. Data Subjects have significant new powers to halt an organisation from processing their data, as well as to request rectification/erasure of their data
      7. Obligation to report breaches to ICO within 72 hours
      8. Some organisations will need to formally appoint/hire a Data Protection Officer
      9. No need to register as a processor with the ICO
      10. Removal of ability to charge £10 to process data requests (may charge for excessive/unreasonable)
  3. What do organisations need to do?
    • Data Protection Officer?
      1. Is it mandatory?
      2. Is it desirable?
      3. Ownership of ‘data protection’ issues more generally
    • Discovery – Identify qualifying datasets
      1. Data is an asset – you should be able to list it in the same way
      2. Electronic discovery?
    • Audit – Principles 1 & 2
      1. How was it obtained?
      2. What is the condition for processing?
      3. What are the permitted purposes?
      4. Consent as a condition – high risk, must be reviewed
      5. Other ‘legitimate interests’ – high risk, must be reviewed
      6. Direct Marketing (e-mail, text, telephone) – high risk with additional rules
      7. All ongoing web-forms and paper-forms used to gather data need review
    • Storage and Retention – Principles 3 – 8
      1. Security – access control, permissioning, separation
      2. Pseudonymisation / Anonymisation
      3. Duration, Adequacy, Accuracy
    • An aside – the management of third parties
      1. Oversight of activity
      2. Contractual safeguards
    • Management – Principle 6 & ongoing compliance
      1. Ownership of the data function – knowledge of key risks
      2. Responsibility for co-ordinating responses to data subjects / ICO
      3. Review and audit of new processes
      4. Regular review of processes

Part 2 – Data Security Breaches

  1. Data security breaches
    • The ICO is the regulatory body in the event of a breach
    • The ICO takes a targeted and proportionate approach to enforcement action, taking into account e.g.:
      1. size/severity of the breach;
      2. size/resources of the organisation;
      3. level and efficacy of data protection/security;
      4. past behaviour.

The Law

Article 33 of the General Data Protection Regulation (“GDPR”) states: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the [ICO] in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Contacting Incorrect Recipients

You should take all necessary steps to contain the breach and mitigate any adverse impact on the affected individuals (the intended recipients). This will include contacting anyone to whom you incorrectly sent emails. The email should request that they do not open the misdirected email or click on anything in it, that they securely delete it and, if possible, that they provide confirmation that they have done so.

Reporting to the Information Commissioner and Notifying Affected Individuals

The data controller must assess whether the breach is likely to result in a risk to the rights and freedoms of those individuals whose information has been compromised. If there is likely to be a risk, then the controller should report the breach to the Information Commissioner (“ICO”). If there is likely to be a high risk to these individuals’ rights and freedoms, then the affected individuals should be notified.

Guidelines on personal data breach notification under the GDPR suggest that the following factors should be considered when assessing the impact on the individuals:

  • The type of breach: for example:
    • was personal information sent to a third party without consent?
    • do you know where the information has gone?
    • has the information been lost or stolen?

Other factors to consider in determining whether the controller needs to make a report to the ICO include those listed below:

  • The nature, sensitivity, and volume of personal data: guidance indicates that the “disclosure of the name and address of an individual in ordinary circumstances is unlikely to cause substantial damage”. This is the most important factor to consider in any assessment of the affected individuals’ rights and freedoms.
  • Ease of identification of individuals: this relates to the level of encryption applied to, or the ease of access to, the personal information. If the personal information was easily and readily accessible immediately after the breach but you have promptly taken effective steps to remove the most sensitive part of the personal data from public view, then this militates against the need to notify.
  • Severity of consequences for individuals: is it likely that the information has gone astray to people who can be relied on not to abuse it? If so, you may reasonably expect those people (e.g. other clients) not to read or access the data sent in error; or, if accessed, not to take any further action with it and to follow any requests by the controller in respect of that personal data. That obviously reduces the risk profile of the breach.
  • Special characteristics of the individual: if the data subjects are high-net-worth (and sometimes high-profile) individuals who may be placed at a greater risk of criminal activity such as burglary or fraud if the personal data were to get into the hands of criminals, then that increases the gravity and risks.
  • The number of affected individuals: how many individuals were affected in this incident? If it is a relatively low number then this is helpful.

By way of wider background, the ICO has also recently delivered a speech explaining that companies were over-reporting. A third of the calls made to the ICO reporting a personal data breach did not meet the reporting threshold. Although a controller will not be penalised by the ICO for reporting the breach, this is indicative that companies processing personal data are reporting every personal data breach when they do not need to.

Next Steps

If you do suffer a data breach then in order to satisfy your legal obligations, we suggest you take the following steps:

  1. take remedial steps if possible to minimise the impact of any such breach. For example, if the breach comprises the misdirection of any email, contact all unintended recipients immediately and ask them to delete the relevant email and provide confirmation that they have done so;
  2. conduct a full review of the personal data breach having regard to the above considerations (which you are required to do pursuant to Articles 24 and 25 of the GDPR) taking effective steps to document how it occurred and what measures you intend to put in place to ensure that it does not happen again; and
  3. keep a record of the breach which includes all relevant facts relating to the breach, its effects and the remedial action taken.

Finally, if you conclude that you should notify the ICO, please note that organisations are supposed to make such notifications within 72 hours of having become aware of the breach (or else must explain why this was not achieved).

Part 3 – Email Marketing Consent

Article 7(1) of the GDPR states that “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

The significance of that change is simply that organisations can no longer keep ‘bare’ lists of contact details and justify the use of those contact details for marketing purposes on the basis that they are sure that the individuals featured within them once consented to being listed therein. Instead, organisations must be able to demonstrate how each individual data subject’s details were collected and came to be on such a list in the first place.

Generally, if you can evidence consent or another legal ground for marketing to each data subject you have on your database to the standard of Article 7(1) GDPR, you do not need to send out e-mails to consent/re-consent.

Turning to 2 common scenarios:

  1. If you were given business cards by people at a show, conference or meeting, and it is clear that the reason they gave you the card was because they were interested in your services; or
  2. their emails to you requested information about your services;

then it is reasonable for you not only initially to send them information about your services/respond to the request but also, without further consent, to send subsequent emails/info about the same kind of services/products BUT NOT about different types of services or products.

However, even where you got business cards/email addresses in those or similar circumstances, there are two situations where you clearly should send out an email asking for consent/re-consent:

  1. where the email address is a personal not a business one e.g. smith@hotmail.com rather than simon.smith@rollsroyce.co.uk or whilst it appears to be a business address, it is in fact the email address of a sole trader or a partner in an unincorporated partnership;
  2. where the person did not provide you with his/her business card/email address directly but you obtained it in some other way.

In short, other key things you need to know about e-mail marketing:

  1. All e-mail addresses which contain the names of their ‘owners’ are personal data, and the requirements of the GDPR apply to them. These requirements are wide-ranging and cover a range of issues relating to collection, recording, storage and disposal.
  2. E-mails targeted at ‘individual subscribers’ (i.e. most e-mails used in B2C marketing) are subject to the full brunt of both the GDPR and the Privacy and Electronic Communications Regulations 2003 (“PECR”). By way of brief background, the PECR governs the use of marketing communications in the UK and should be read alongside the GDPR (from which it takes its definitions). Accordingly such individuals should only be targeted where a valid ‘hard’ or ‘soft’ opt-in has been obtained and recorded to the standard required by Article 7. Where that has not been done, the various courses of action described above need to be considered and a solution put in place (most likely the sending of ‘re-consent’ e-mails in an effort to gather fresh compliant consents).
  3. E-mails targeted at ‘business’ e-mail addresses are unlikely to fall within the ambit of the PECR, so only the rules of the GDPR need to be considered. Accordingly organisations may (but are not obliged to) rely on conditions for processing other than ‘consent’. That consideration remains the same irrespective of whether such e-mail addresses are obtained through direct communications or found in the ‘public domain’. Please note that this may change in the future under the new e-Privacy Regulation, which is due to come in at the end of 2018, but the final text has not yet been agreed upon by the European Commission.
  4. All e-mails should contain a clear statement explaining who they have been sent from (i.e. weathered penny) and why, with the recipient being given clear instructions as to what they need to do if they wish to unsubscribe. This is a GDPR requirement and not a PECR one, so it applies to both ‘streams’ of marketing activity.
  5. E-mail addresses which do not name and are not directed at a specific individual (e.g. info@company.com) do not count for GDPR or PECR purposes – but, simply as a matter of good practice, it is recommended that they be treated in the same way as B2B e-mails which identify a specific recipient.
  6. When deciding whether to send a ‘re-consenting’ e-mail the key considerations are (a) whether ‘consent’ was the original justification for sending the e-mails in question, and (b) if it was, whether it was collected validly and has been evidenced to the standard required by GDPR. If the second leg of that test is not satisfied, then a re-consenting e-mail is likely the best way to achieve compliance ahead of the GDPR coming into effect.

Part 4 – Incentivised consent & the GDPR

One of the questions we are often asked relates to the legitimacy of the practice of incentivised consent. We set out some examples below and our views in relation thereto.

Q1: If a client offered a consent form to customers saying “Click here to subscribe to our newsletter – if you do then we’ll enter you into a prize draw to win a free tumble-dryer”, or words to that effect, would the presence of that incentive be something that they would consider to undermine the ‘freely given’ aspect of my consent, or are they comfortable with it as a concept?

The draft guidance issued by the ICO and Article 29 Working Party appears to indicate that they are comfortable with the concept to a certain extent and that compliance is possible so long as the data subject is not going to suffer a detriment for refusing consent. Under the GDPR, a data subject cannot be unfairly penalised for saying “no, I don’t want to give my consent and subscribe to this newsletter.” In our example, would losing the opportunity to enter into a draw for a tumble-dryer constitute a detriment? Not necessarily according to the guidance, especially if other contests are available to customers who do not consent to subscribing to the newsletter. Please see the below excerpts from the guidance for further detail.

Q2: Is there an official example or case study that goes to the heart of that specific question?

There is one example (highlighted below) about a retailer’s loyalty scheme that comes with access to a money-off voucher. The guidance says that those who do not sign up will not suffer a detriment, so it would appear there is some scope for incentivised consent.

There is also an analogous example dealing with offline prize draws rather than online (also highlighted below). This example is given by the ICO in the context of its advice on “clear, unambiguous consent” and cautions that consent would not extend to using the contact details (or email address in our example) for any purpose other than the prize draw and sending a newsletter, i.e. not for other marketing purposes.

It may also be preferable to phrase the offer as “Tick this box if you consent to subscribe to our newsletter – if you do, we will enter you into a prize draw to win a free tumble-dryer”. According to the guidance, this would constitute explicit consent. Our current phrasing of the offer may be implied consent.

ICO Guidance on Consent

Incentivised Consent

“The GDPR is clear that people must be able to opt out without being penalised. Recital 42 says:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

It may be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to a money-off voucher, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who do not sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.”

Freely Given

People must be able to refuse consent without detriment and must be able to withdraw consent easily at any time. Recital 43 says:

“Consent is presumed to not be freely given … if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

Example:

An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – but sharing the data with other stores is not necessary for that sale, so consent is not freely given.

You may be able to rebut the presumption and argue consent is valid even though it is a precondition and the processing is not strictly necessary, but this would be unusual. For example: (1) if it is reasonable for consent to be bundled with the service, or (2) if consent is clearly specific, informed and unambiguous.

Unambiguous Indication

“It must be obvious that the individual has consented and what they have consented to. This requires more than just confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, consent is not valid.”

Referring to Recital 32, which sets out guidance on clear affirmative action: “Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation or a binary choice presented with equal prominence.”

The idea of an affirmative act does still leave room for implied consent in some circumstances, particularly in more informal offline situations. The key issue is that there must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied consent would not extend beyond what is obvious and necessary.

Example: “An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent would not extend to using those details for marketing or any other purpose.”

Explicit v Implied Consent

The definition of consent says the data subject can signify agreement either by a statement, which would count as explicit consent, or by a clear affirmative action, which would not. Implied consent which is inferred from someone’s actions cannot be explicit consent, however obvious it might be that they consent. Explicit consent must be confirmed in words.

Example of implied consent:

Enter email address here (optional): _____________________

We will use this to send you emails about products and special offers.

Example of explicit consent:

Tick this box if you consent to receive emails about our products and special offers [  ]

Specific and Informed

Consent must be specific and informed, and it must cover the purposes of the processing. Recital 43 says:

Separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes.

Duration of Consent

The GDPR does not set a specific time limit for consent. It is likely to degrade over time, but how long it lasts depends on the context. You will need to consider the scope of the original consent and the individual’s expectations.

Example:

A gym runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy eating and how to get in shape for summer. As the consent request specifies a particular timescale and end point – their summer holiday – the expectation will be that these emails will cease at the end of summer, and consent will therefore expire.

Article 29 Working Party Guidelines on Consent

3.1.4. Detriment

The controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42). For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent.

Other examples of detriment are deception, intimidation, coercion or significant negative consequences if a data subject does not consent. The controller should be able to prove that the data subject had a free or genuine choice about whether to consent and that it was possible to withdraw consent without detriment.

Example:

When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).

Example:

A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.

Example 10:

A fashion magazine offers readers access to buy new make-up products before the official launch. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.

For further information please contact Simon Halberstam (Partner – Head of Technology Law) Simon.Halberstam@smab.co.uk