07 Mar 2018 | 11.54 am
Interview: Oisin Tobin, Mason Hayes & Curran
GDPR compliance looms large
In its Salary Survey 2018 report, recruitment consultancy Abrivia is cheery on the prospects for legal clients and their highly-paid staff. “The introduction of the General Data Protection Regulation in May 2018 is a huge opportunity for legal firms to provide consultancy services to an ever-increasing client base, as any firm which deals with personal data will be affected by GDPR,” the report states. “GDPR offers legal firms a huge opportunity to expand their client base.”
None more so perhaps than Mason Hayes & Curran, the top-tier commercial law firm based in Dublin’s Silicon Alley. MH&C has carved out a pre-eminent position in Dublin’s law scene in the areas of Privacy and Data Security, which has been a growth area in Ireland for years due to the influx of American companies that operate online across Europe from their bases in Ireland.
The European Union-mandated GDPR represents a step change in the regulations and laws surrounding personal data. In its most recent ‘Getting Ready for GDPR’ advisory, the Mason Hayes briefing on the subject extends to 42 pages of text. The briefing paper lists 22 Mason Hayes partners, associates and consultants who have expertise in this area, and peer firms have been ramping up their expertise too.
Also expanding is the Irish regulator, the Data Protection Commissioner. Its budget for 2018 has been increased by half to €11.7m to fund the recruitment of 40 additional staff, bringing the total headcount to around 130. In 2014, €2m was sufficient to fund DPC operations, and the expansion reflects the DPC’s role in regulating the personal data processing activities in Europe of most of the world’s top internet technology multinationals.
All new regulations are a cost and administrative burden for business. The problem with the GDPR is that nobody can be sure what exactly the Regulation means in practice. Even the DPC anticipates an “unprecedented increase in its workload”, due to “the legal complexity of issues dealt with”. If the regulator is befuddled by GDPR, what chance for the average SME?
For the bureaucrats who dreamt up GDPR, its main target is large institutions and organisations that process the personal data of hundreds of thousands or millions of people. However, there are no exemptions from GDPR based on size. If a business or organisation processes any amount of personal data, it comes within the GDPR ambit.
Under the GDPR, there has to be a lawful basis for processing any personal data. These reasons span consent, contract, legitimate interest and legal obligation, and if asked the data processor has to know which one it is. In its advice to SMEs, the Data Protection Commissioner recommends that small firms should maintain a ‘data protection risk register’, so as to demonstrate compliance in the event of a regulatory investigation or audit.
Sanctions for non-compliance with the GDPR are meaningful: up to the greater of 4% of annual revenue or €20m. It’s this kind of stick that has business worried, especially those firms whose trade is mainly conducted online. For the vast majority of small firms, the GDPR will never be an issue – unless something goes wrong or the DPC swings by for an audit.
One of Mason Hayes & Curran’s data privacy experts is partner Oisin Tobin, who works out of the firm’s office in San Francisco. In the following interview, Tobin shares his insights into the GDPR impact on business.
Legal rules surrounding Privacy and Data Security have been in place for decades. So what’s changing with the GDPR?
OISIN TOBIN: The current data privacy rules were adopted in Europe in 1995, and Ireland initially adopted legislation dealing with data security and data policy issues in 1988. So these issues aren’t new. What is changing is that from a business perspective data has become more important for most companies and is working its way up the priority list. Secondly, the rules surrounding personal data are becoming more complex, and penalties for breaking those rules will be a lot heavier.
In addition, the personal data rules in the GDPR are very complex. Under the current Data Protection Act, the rules we have at the moment are principle based. There are general principles around data security, processing data fairly and so forth. The GDPR keeps those general principles but it also adds very technical and complex requirements, some of which are open to interpretation. I think the GDPR is going to be challenging for a lot of businesses, particularly organisations that don’t have the resources to devote full time personnel to the issue.
To be clear, the same GDPR rules apply to an online shoe retailer in Longford as Facebook?
There are some limited variations but in substance that’s correct. SMEs won’t have the same level of paperwork requirements as a social media platform, but at its core the GDPR has the same rules for everybody, which is challenging. Regulation is a risk-based activity and when the GDPR becomes law it’s unlikely that your typical SME business is going to hear from the Data Protection Commissioner unless something goes wrong, like a security breach or if a customer makes a complaint.
I would be surprised if on day one the regulator proactively targets SMEs for the same sort of robust enforcement we are going to see with large institutions and multinational corporations. However, you can’t rule out the possibility of random audits; in the past the regulator has targeted the retail sector, for example. The main focus is going to be on the large organisations that hold the most personal data.
Every business keeps records of its customers. Does this bring them within the scope of the GDPR?
Anything that you can relate back to a person is personal data. If you have an individual’s credit card number because they did a transaction on your website, that’s going to be personal data. If you have their email address on file because you operate a local mailing list, that is very likely going to be personal data too. And everything involving your employees is going to be personal data as well. Any part of your business that touches on human relationships is likely going to involve personal data. About the only thing that isn’t personal data is pure corporate information such as corporate accounting information.
The GDPR provides that in order to process personal data you must have a lawful basis to do so. One of the lawful grounds is the legitimate interests of the company or organisation. Is such data gathering okay in the absence of explicit consent?
If it’s the sort of data you retain in the ordinary course of the business and that the customer would expect you to have, and you deploy basic safeguards to keep the data secure, then you may be able to rely on legitimate interest and not rely on consent. However, this is the sort of issue that very quickly becomes murky when you get into the implementation of the law.
To a large extent whether or not you can rely on the legitimate interest reason is going to turn on factors like what the data is, how you use the data, the safeguards etc. There are complex regulatory guidance documents on these issues and it’s very hard to say anything definitive. It really depends on the precise facts of the case. And that in turn is part of the reason why these rules can cause some business concern, because there’s legal uncertainty and therefore legal risk.
Most businesses store personal data on a PC in the office. How does the GDPR impact on structures regarding the security of that data?
Data security provisions are pretty similar in the GDPR to existing law. However, two changes arise from the GDPR. The first is that if you fail to deploy appropriate security, the penalties are larger under the GDPR. The other change is that if something happens to the data, mandatory notification rules apply. You may have to pick up the phone or send a letter to your customers telling them about the breach. There are some breach notification rules in Ireland at the moment under a code of practice issued by the DPC, but the GDPR codifies that whole area, and again the penalties for non-compliance are going to be a lot stricter.
What’s the impact of the GDPR on online marketing, such as a business e-mailing existing customers about a special offer?
Online marketing such as emails is covered by the E-Privacy Directive, and those rules are not being directly changed by the GDPR. There are rules around how you gather those emails in the first place, but provided you are following basic principles the post-GDPR situation should be fairly similar to the current law in respect of B2B marketing.
You’re based in San Francisco. How does the GDPR compare with the data privacy regime in the United States?
The American model is regarded as one of the more liberal in the world. In the US the way it tends to work is that you make certain promises about how you keep data and how you use data, and as long as you stick to those promises you are usually okay. There are exceptions like financial services and healthcare data, but in America they see data as a consumer protection issue i.e. are you being upfront and transparent and fair with people about how you use the data.
In most of the rest of the world you have a model that’s very similar to that which we have in Ireland at the moment. The GDPR is the strictest privacy regime that has ever been adopted worldwide.
In your view, is the GDPR justified or is it using a sledge-hammer to crack a nut?
There was a general view that data privacy legislation was in need of updating. Personal data is becoming valuable and people want more control over it, and individuals’ data also needs to be protected. The problem is that the GDPR has a focus on very technical rules, rather than adopting a risk-based approach.
For example, the fact that I’m a solicitor together with my corporate email address and some bio is freely available on the internet. Under the GDPR, that sort of information is categorised as personal data in the same way as my credit card numbers, so with some difference in the detail the same rules basically apply.
How are your clients in Ireland tackling the GDPR issue?
It really depends on how the issues are addressed and considered at senior management level. Adapting to the GDPR doesn’t work if it’s just left to the lawyers. You have got to take the HR side for employment data, you need to work with IT on security, and you require interactions with your customers if, for example, you need to get fresh consents.
It really is a whole of business effort, and companies that adopt that mindset have been able to make quick progress. There is only so much compliance you can do just with drafting contracts and policies. You need to look at how a company does business and maybe refine it in some respects.
How does Ireland compare with other European countries in terms of preparing for the GDPR?
The one area where Ireland is a laggard is with respect to our own Data Protection Bill. The GDPR has a lot of gaps that need to be filled by national measures to update domestic law in this area to reflect the GDPR. Such legislation has already been enacted in Germany but in Ireland it hasn’t yet been introduced to the Oireachtas.
Does that mean businesses that think they have signed off on GDPR will have to have a second look after the new domestic law is enacted?
I don’t think anyone at this stage can say they have signed off on GDPR compliance. Everyone is trying to get their house in order and keeping a very close eye on things. One issue that can get quite contentious is the whole area of subject access. For example, under the GDPR you can write to a bank and request all of the data they have on you, and there can be disputes around what needs to be released in response to this access request.
At the moment the basic parameters of the access right are fairly clear. There are some exemptions limiting the right, and in Ireland those exemptions are fairly well understood because they have been there for a number of years and there is lots of guidance from the regulator. The GDPR leaves it up to EU member states to decide what those access request exemptions are going to be.
So Irish businesses need to see what the forthcoming Irish legislation says about exemptions before they can implement an access request framework. When discussing this issue with clients, I’m saying that we need to circle back in a few months and see whether we need to change any of the practices that have been adopted.