Data is such an important asset to any business, whether in its early stages or well-established. The financial and reputational risks of breaching your data protection obligations should not be underestimated. Ian de Freitas, a partner in Farrer & Co’s Commercial Disputes team, looks back over the impact of the introduction of GDPR, one year on.
Ongoing compliance work
Organisations are continuing to work towards compliance. We predicted that this would be driven by pressure from customers and employees, but in fact a major driver has been the other organisations with which personal data is shared. Supply chains increasingly dictate that if you want access to their personal data, you must first be able to demonstrate a sufficient level of GDPR compliance. Regulators have also shown a willingness to issue serious fines to businesses that do not have compliant data sharing arrangements in place (see, for example, the fines issued to Equifax and Yahoo!). When planning new products or services that will make use of personal data, consider the data privacy impact early, before the design is fixed. Without being able to demonstrate this Privacy by Design approach, your offering risks lacking credibility with potential investors, customers and counterparties.
There was a lot of noise pre-GDPR about the tougher rules around obtaining consent from individuals to use their data. Many organisations tried and failed to obtain consent, cutting off contact with large numbers of their customers and contacts. Because of this, there is a growing recognition that organisations should be relying on other lawful grounds to process personal data, including legitimate interests. Even regulators are making this clear. So, don't assume you need consent. However, if you are going to rely on legitimate interests instead, make sure that you fully document your assessment. Even if a regulator does not agree with your assessment, having documented it can help you avoid a sanction. We have seen regulators being less prepared to take enforcement action where clients can demonstrate that the documented position they have taken is arguable.
Fines make headlines, particularly the €50m penalty issued to Google by the French data protection regulator (CNIL) for lack of clarity in its privacy policies and non-compliant consent processes. Of more significance, we believe, is the willingness of regulators to issue stop processing notices, requiring organisations to cease using personal data that has not been lawfully acquired. The first post-GDPR enforcement notice issued by the Information Commissioner's Office (ICO) was of this kind, served on a Canadian company, Aggregate IQ. The ICO has also been prepared to issue such a notice to HMRC (for non-compliant use of Voice ID data). We expect more such notices to be issued, with the potential to seriously disrupt businesses. Again, this points towards a Privacy by Design approach to new products and services, ensuring that the personal data they generate is collected and processed in compliance with GDPR and is therefore of greater value (and lower risk).
The global picture
GDPR is still seen as the global gold standard, but other jurisdictions are catching up. For example, California is due to introduce similar rules next year under the California Consumer Privacy Act (CCPA), which takes effect on 1 January 2020. Accordingly, if you are planning to operate across borders, be careful to check the local data privacy laws that might apply. Remember also that the EU data protection rules are enforced by national regulators, whose approaches may differ, and applied by national courts alongside additional layers of national privacy law.
If you require further information about anything covered in this briefing, please contact Ian de Freitas, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2019