Below is a Tool Kit for all independent reps to get you compliant quickly and painlessly.
GDPR and the new Data Protection Act 2018 replace the old Data Protection Act and intend to give the public more protection.
- Download the Data Compliance Documents and amend them as necessary
- Download the Data Processing Agreement and get it signed by all your instructing firms.
- The instructing firm will normally be the Data Controller
- As a rep you are primarily a Data Processor
- Agencies like No Comment are Data Processors
WHAT YOU NEED TO KNOW:
- You should not keep any documents relating to clients
- Send all paperwork to the instructing firm as soon as possible
- All paperwork is legally privileged so most subject data requests can be ignored
- You have lawful reasons to collect data
- Think seriously about how you keep personal data secure
- Get a signed agreement with all your firms and agencies
- Do not agree to any indemnity clauses - they are not necessary
- Do not use client data for any other purposes
- You do not need to join ICO
- Controllers and Processors are liable for each other's errors!
DATA FLOW MAP
This image is a data flow map. It is part of the information audit. It should be prepared by someone who has an in-depth knowledge of your working practices. The aim is to identify the data that you process and how it flows into, through and out of the business. The purpose of the audit is to identify risks.
Privacy Template (download)
DATA SHARING AGREEMENT
You need a written agreement with any firm that instructs you. Ask any firm that instructs you to sign one. A template is below for you to download and use. Remember the data processor is liable if the data controller makes a mistake if the data processor is even responsible in the most minor way. Minor matters include not having an agreement in place.
Data Sharing Agreement (download)
DATA CONTROLLERS, PROCESSORS and SUBJECTS
IMPORTANT! Bear in mind that GDPR says that if a data breach occurs then both the data controller and processor are liable. As a rep you can be responsible for the errors of the firm even if your failing is minor. Minor things include not having a written agreement in place. Do please get a signed agreement in place with all your instructing firms and agencies.
GDPR draws a distinction between data controllers (who determine the purpose of data collection) and data processors who act on their behalf. Criminal firms have assumed they are data controllers but it's not that simple.
Reps are primarily data processors. But instructing firms, clients and agencies will actually have a number of relationships. For example, when we complete a legal aid form the firm and the rep are both processors for the Legal Aid Agency, which is the data controller.
The Bar Council has advised barristers not to sign any data sharing agreements with solicitors. They argue that self-employed barristers are data controllers of their client’s data. They are not data processors. Barristers are not sub-contractors on the solicitor’s behalf, merely processing data accordingly, but rather providers of independent objective specialist advice and advocacy.
It is up to the barrister to determine what information to obtain and process for the task. Only in ’very limited circumstances’, such as when on secondment to a law firm, are barristers properly to be considered data processors and for it to be appropriate to enter into an Article 28 contract with a solicitor.
Regulating the flow of personal data between controllers and processors is a core aim of the GDPR, which took direct effect across the EU on 25 May 2018. The Data Protection Act 2018 also needs to be considered. We will need to wait and see how this one plays out.
Realistically all reps are data processors under normal circumstances. Only occasionally will you ever be a data controller. We will need clarification. It will get easier of course as time goes on. At present we have no idea what guidance the EU will give and no idea how the courts will deal with the UK Data Protection Act 2018 or indeed what effect Brexit will have.
The General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018. Failure to comply could lead to heavy fines. GDPR is designed to:
• Harmonize data privacy laws across Europe
• Protect and empower all EU citizens' data privacy
• Reshape the way organizations approach data privacy
GDPR is unlikely to be affected by Brexit but the UK does have some opt-outs which are contained in the new Data Protection Act 2018. Any provider of goods or services to EU citizens that processes data needs to comply with GDPR. It also applies to organisations outside the EU that hold personal data of those residing in the EU, regardless of the organisation's location.
Any business that holds or uses personal data needs to prepare for and comply with GDPR.
Police Station Reps are obliged now to conform to the new data protection regime. GDPR requires anyone responsible for holding and using personal data to ensure that the data is:
• only used fairly and lawfully
• kept secure
• used only for the purposes for which consent was given when it was obtained.
It applies to ‘controllers’ and ‘processors’ of personal data where the controller is the person or organisation that says how and why personal data is processed and the processor is the person or organisation acting on the controller’s behalf.
However, the GDPR places specific legal obligations on data processors (for example to maintain records of personal data and processing activities) which did not previously exist without at the same time relieving data controllers from their obligations where a processor is involved.
In fact, the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the GDPR.
GDPR applies to personal data. The definition of what constitutes personal data is more detailed and far reaching than the old Data Protection Act. Personal data means any information relating to an identified or identifiable natural person. Even information such as an address, IP address or even a cookie can constitute personal data if it is possible to identify the subject and link it back to them.
Even indirect information such as identification numbers, location data and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person is included.
In practice, this means that organisations that keep HR records, customer lists, or contact details will be subject to GDPR. Many organisations that previously fell outside of the old DPA will now find that they are caught, including those who store personal data that has been made 'anonymous', depending on how difficult it is to attribute any pseudonym to a particular individual.
Article 9 of the GDPR also refers to “special categories of personal data”. These categories are broadly the same as those in the DPA, with some minor changes, including special categories specifically including genetic data, and biometric data where processed to uniquely identify an individual.
For processing to be lawful under GDPR you need a legal basis. All reps will need to determine that legal basis for processing personal data and document it.
Reps do not really process data in any real sense. They do not do marketing or profiling like a supermarket does. But processing data is defined so widely that reps will need to conform to GDPR as well. Processing includes simply writing down a client's address.
Article 6 provides that processing is lawful only if:
• there is consent from the data subject
• it is necessary for the performance of a contract
• it is necessary for compliance with a legal obligation
• it is necessary to protect the vital interests of the data subject or another person
• it is necessary for public interest or in the exercise of official authority vested in the controller
• it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Reps collect personal data. Reps do so lawfully. Primarily data is collected for legitimate interest but also with consent and for performance of a contract.
THE SIX PRINCIPLES OF GDPR
Article 5 of the GDPR sets out the principles relating to the processing of personal data. These equate to the 8 principles to be found in the DPA. The six principles require that personal data are:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject,
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes,
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject, and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, Article 5 requires that the controller shall be responsible for, and be able to demonstrate, compliance with these six principles.
GDPR has headline-grabbing fines. The maximum penalty is ten million euros or two per cent of global turnover for infringements of record keeping, security, breach notification and privacy impact assessment obligations. These penalties may be doubled for violations relating to legal justification for processing, lack of consent, data subject rights and cross-border data transfers. In reality the ICO will issue smaller fines for smaller breaches.
Consent has to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. There must be a clear affirmative action on the part of the person whose data is being processed. Implied consent arising from silence, pre-ticked boxes or inactivity does not constitute consent.
Consent must be verifiable which means that some form of record must be kept of how and when consent was given. Consent can be implied to the extent that it can be implied from the data subject’s relationship with the company.
Thus, if a firm was providing services then it is assumed that the data can be used for the purposes of carrying out those services.
Individuals have a right to withdraw consent at any time. Finally, if the organisation has previously obtained consent, that can only be relied upon if the standard of that consent meets the new requirements under GDPR and if not an alternative legal basis must be found or the organisation must cease or not start the processing in question.
Every organisation will need to implement a risk-based approach to privacy and must, where appropriate, implement controls which take account of the degree of risk associated with a particular data processing activity.
This may require the organisation to carry out privacy impact assessments, put in place data protection safeguards (which must be designed into products and services from the earliest stage of development), adopt privacy-friendly techniques such as pseudonymisation and generally ensure that systems are sufficiently robust and flexible to allow for opting out by data subjects.
DATA PROTECTION OFFICERS
Data Protection Officers must be appointed where there is regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like).
Although this will only affect large organisations, and you will not need to appoint a DPO, the job of a DPO must still be done.
The data protection officer's tasks are:
• to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
• to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
• to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
• to cooperate with the supervisory authority; and
• to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
INFORMING DATA SUBJECTS
GDPR also sets out the areas of information that must be made clear to data subjects when data is being collected. These include:
1. the identity and the contact details of the organisation seeking the data;
2. the reason the data is required and the uses to which it will be put;
3. the legal basis of the processing and, where relevant, the legitimate interests that the organisation or a third party are pursuing;
4. who will be receiving the personal data and whether or not the organisation intends to transfer the personal data internationally;
5. for how long the personal data will be stored, or if not known the criteria used to determine that period;
6. the fact that the data subject has a right to access, rectify or erase the personal data, the right to portability of the data and the right to withdraw consent at any time;
7. the right to lodge a complaint.
So far as access to the data by the data subject is concerned, the GDPR makes it clear that the reason for allowing individuals to access their personal data is so that they can be sure the data is being used lawfully.
The organisation using the data must provide a copy of the information free of charge (the £10 subject access fee under the DPA having been removed). However, smaller organisations will be able to make a charge for providing access where requests are either unfounded or excessive.
Where a legitimate request is made, it must be carried out “without undue delay and at the latest within one month of receipt of the request.” The right to data portability has yet to be fully clarified but will probably apply to a right for the data subject to have their information sent between providers of services such as banks, utilities companies and telecoms providers.
RIGHT TO BE FORGOTTEN
Data subjects need to be told for how long their information needs to be kept. Once that date has elapsed, then the subject can apply for the data to be removed and erased, placing duties upon those controlling the data to ensure that any third parties who have been provided with the data to do likewise.
Where services are offered directly to a child, then there is a duty to ensure that any privacy notice is written in such a clear and plain way that a child would be able to understand it. If the service is an online service then the organisation will need the consent of a parent or guardian to process the child’s data.
GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles and it is not intended that parental/guardian consent be required where the processing is related to preventative or counselling services offered directly to a child.
Article 32 states that the controller and the processor shall implement appropriate (by reference to the organisation) technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” must be reported “without undue delay and, where feasible, not later than 72 hours after having become aware of it” and if this cannot be done then the controller must provide a “reasoned justification” for the delay. However, notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”.
In the event that the controller believes the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” then information must also be given to the affected data subjects “without undue delay” although this may not apply if the controller has “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”
EFFECT ON FIRMS AND REPS
GDPR affects many businesses. It's not aimed at reps but we are caught up in it. It's not fair really, as reps are not obtaining, processing or utilising large quantities of data for large-scale marketing activities. All we do is record a client's details and give legal advice.
Reps and firms are less affected, and we already abide by the DPA and the SRA Code of Conduct. Outcome O4.5 requires firms (and therefore reps) to have effective systems and controls in place to enable them to identify risks to client confidentiality and to mitigate those risks; Outcome O7.5 requires you to comply with legislation applicable to your business, including data protection legislation; and Chapter 6 requires firms to act in the client's best interests when referring clients to third parties.
You will need to continue to:
• process data fairly and lawfully and not further process it for incompatible purposes. Thus, firms must not provide the data they collect to third parties for marketing purposes (which would, in any event, be a breach of Outcome O(4.1) requiring them to keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents) and must treat clients fairly – as is required in Outcome O(1.1);
• only collect the data they specifically need – this might be difficult in some cases, especially where the scope of a retainer is unknown – so firms might want to review what data is being collected by staff on a regular basis and review whether it is all relevant and necessary;
• ensure that the data they hold is accurate and up to date. This may mean firms having a policy of contacting the client with the data they hold and checking that it is still current, or giving the client access to a protected system where they can go and check their own data and make amendments as necessary;
• keep data in such a way that permits identification of the data subject. This may mean ensuring that the firm has a central register of clients that contains details of the existence of and whereabouts of files and documents relating to that client.
• ensure that data is kept secure. Again, this is something which is repeated in the outcomes dealing with confidentiality: Outcome O1.2 requires that you provide services to your clients in a manner which protects their interests in their matter, and Outcome O7.5 that you comply with legislation applicable to your business, including data protection legislation.
Although most law firms and reps will not need to appoint a DPO, nevertheless it is good practice to appoint someone whose responsibility it is to take the lead on data protection.
Firms and reps also need to consider the overlap between the requirements of GDPR and issues such as the keeping and storage of files containing client data and the ownership of files.
They will also need to look at the methods by which they gain client data and need to make it clear to clients how the data is to be used, how long it is to be used for (including, for example, keeping files after the end of the retainer) and to whom the information provided will be given.
Finally, firms and reps need to think about the uses to which client data is put. For example, firms might want to consider whether utilising client details for the purposes of marketing other services comes within the legitimate use of that data.
Email us if you have any concerns. We always reply as quickly as possible. But if it's urgent please call us on 07534 533 070.
It's easy to go over the top with GDPR. It's all a bit nutty really. In theory you need to create agreements with all sorts of organisations just to send an email with an instruction or report.
In strict adherence you would have to provide details of all those firms involved in the transfer and processing of that data. That would include your email hosting company as well as the details of the hosting company for the form. It's all a bit nuts! On top of that it gets weirder, as we know that 90% of all emails go through New York. An email from me to you therefore leaves the UK and leaves the EU. We also know that emails go through Echelon and the CIA's Prism system. Neither are conspiracy theories any more since they are well documented by old and recent leaks. They may be secret but we know it is true. In theory we need agreements with both the CIA and MI5!!
I think we all need to take a deep breath! GDPR is there really to stop Google being naughty. It's not here to stop us advising clients legitimately.