Data Privacy Today: Is Your House in Order?

Organizations Face Challenges and Opportunities with New Data Privacy Regulation

By Tanya Gross, Alex Dunstan-Lee

June 29, 2018

INTRODUCTION

In this report we assess the implications of the latest legal technologies on data privacy; the rights, principles, and opportunities associated with the introduction of the General Data Protection Regulation (GDPR); and discuss the results of an independent international survey of 351 legal and technology professionals.

KEY FINDINGS

  • The GDPR confers new rights on individuals who are in the European Economic Area and obligations on organizations across the world offering those individuals products or services, or are monitoring their
  • Almost 75% of survey respondents expect to invest in data privacy in
  • Only 44% of survey respondents indicated that their organization is ready for the EU’s new GDPR.

KEY RECOMMENDATIONS
  • As an initial first step, organizations need to understand the impact of the GDPR on their business operations, and effectively inventory the information flow to establish an appropriate compliance strategy.
  • GDPR offers an opportunity to update and enhance data systems and processes.
  • Compliance with the GDPR should not be measured only as of May 25, 2018, but rather on a continuous basis going forward.

SURVEY DEMOGRAPHICS

The analysis we provide in this report has come from an international survey of 351 senior legal and technology professionals, from across a broad range of industries, with annual revenues ranging from $100 million to over $5 billion.

Our survey findings have been augmented in this report by a series of market expert interviews.

Please see the Appendix at the end of this report for a full summary of the survey’s demographics and interviewees.

GENERAL DATA PROTECTION REGULATION

The goal of the EU’s General Data Protection Regulation (GDPR) is to address the privacy challenges related to the collection and use of personal data. Such privacy challenges have increased with the globalization of technology services and the cross-border nature of modern data flows.

By strengthening and harmonizing the pre-existing regulatory regime, the EU aims to give individuals more control over their own information, while at the same time placing more responsibilities on organizations involved in the collection and processing of personal data.

Ever since the GDPR went into effect on May 25, 2018, U.S. businesses located outside of the EU, but which access or store EU personal data, have also been compelled to treat data privacy as a right, to provide individuals with access to the information held on them, and delete personal data upon request.

DATA PRIVACY BEFORE GDPR

Prior to the introduction of the GDPR, businesses were keen to collect as much data as possible on their users and clients, to store such data as long as possible, and later determine how to monetize the data. It was common for organizations to propose broad terms of service and to ask individuals for catch-all consents, which allowed the organization to use data as it saw fit.

DATA PRIVACY AFTER GDPR

Following the introduction of the GDPR, organizations across the world that collect personal data on individuals in the EU must think much more carefully about what information they collect, and must be transparent about how they will use the personal data. The GDPR provides organizations the opportunity to rethink data privacy policies and to enhance data systems, so that they comply with the new regulatory requirements.

DATA SUBJECT RIGHTS

The GDPR includes a number of rights the data subjects possess and introduces a wide territorial scope. Some of the data subject rights include the right to erasure, sometimes referred to as the right to be forgotten; the right to data portability; and the right to be informed.

The right to erasure permits individuals to make a request that the personal data a business holds on them be deleted. In most cases, the organization holding personal data on individuals has one month to respond to such a request. The right to erasure is not absolute and only applies when certain conditions are met.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy, or transfer personal data from one IT environment to another in a safe and secure way, without affecting its usability.

Individuals also have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. Businesses must provide individuals with information, including: the purposes for processing their personal data, the retention periods for that personal data, and whom it will be shared with. In addition, the information businesses provide to people must be concise, transparent, intelligible, and easily accessible, and it must use clear and plain language.

Other rights the GDPR provides include the right to access, to withdraw consent, the right to rectification, the right to restrict processing, the right to object and rights in relation to automated decision making and profiling. These rights will be factored into future data processing.

DATA CONTROLLERS AND DATA PROCESSORS

Organizations involved in the processing of personal data must be able to determine whether they are acting as a data controller, data processor, or a joint controller in respect to the processing. This is particularly important in situations such as a data breach, where it will be necessary to determine which organization has breach notification responsibilities.

The data controller must exercise overall control over the purpose for which and the manner in which personal data is processed. However, in reality a data processor can itself exercise some control over the manner of processing — e.g., over the technical aspects of how a particular service is delivered.

The fact that one organization provides a service to another does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation.

Please see related Article 29 Working Party Guidance http://collections.internetmemory.org/haeu/20171122154227/http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf.

NEW STAFF: DATA PROTECTION OFFICER

One new role that was created under the GDPR is that of the data protection officer (DPO). Organizations appoint a DPO if, for example, their core activities require large-scale, regular, and systematic monitoring of individuals; or their core activities consist of large-scale processing of special categories of data.

The primary roles of DPOs are to help organizations monitor internal compliance, to inform and advise on data protection obligations, to provide advice regarding Data Protection Impact Assessments (DPIAs) and to act as a contact point for data subjects and the supervisory authority.

The DPO must be independent, an expert in data protection and adequately resourced, and must report to the highest management level. The DPO can be an existing employee or externally appointed.

Fundamentally, a DPO acts as a translator of the GDPR for the company, provides guidance necessary for the C-suite, and acts as a designated point of contact for regulators.

TRANSFORMATION OF PRIVACY PROGRAMS

Organizations face huge challenges in simply ensuring that they comply with the new rules attached to the GDPR. Once companies comply with the basic requirements of the GDPR, they can move on to the next phase of maturing their privacy programs, which includes transitioning from a policies and procedures-driven program to a technology-driven program.

The results of our survey indicate that these new compliance requirements are triggering industrywide investments in the modernization of existing privacy programs and the creation of new privacy programs.

Some of the key elements of the GDPR compliance strategy should include:
  • Maintain records of company processing activities and identify those that present a higher risk
  • Assign legal basis for each processing operation
  • Develop transparent privacy notices
  • Implement third-party due diligence and data processing agreements
  • Confirm whether the designation of a DPO or a representative in the EU is required
  • Implement appropriate safeguards when personal data is transferred outside Europe
  • Ensure a security program is in place to protect integrity, confidentiality, and availability of information, considering privacy by design, encryption, pseudonymization, and anonymization techniques
  • Develop a data retention policy and appropriate processes to address data subjects’ rights, to provide notification of data breaches when appropriate, and to conduct DPIAs
  • Provide privacy training to improve privacy awareness
  • Focus on monitoring compliance with privacy rules on a regular basis

In addition, specific provisions may apply locally, depending on the type of activity or the sensitivity of the personal data processed (e.g., when processing health, biometric, or genetic information; in the employment context; when conducting research activities or clinical trials; or in the online context under the e-Privacy Directive).

CYBER RISK INSURANCE

With such value put on data security for the purpose of good, there’s an inevitability that someone will exploit this for the purpose of evil. As a consequence, the need for organizations to hold the right cyber risk insurance, ensuring adequate financial cover in the event of a serious data breach or expensive litigation, is imperative.

Shay Simkin, global head of cyber, Howden Group, one of the first in the market to offer cyber risk insurance, highlights just how much this has become a focus of companies during recent times: “We’ve been selling cyber insurance policies for around 20 years, but they’ve only become very popular in the past three–four years. Cyber is now among the top three risks facing any business, be it a law firm, a retailer, or a hospital.”

In terms of threats, Simkin says: “We see everything and anything relating to the cyber world — ransomware, cyber espionage, business interruption, and fraud around money transfers.” With so many threats to contend with, this relatively new form of insurance is likely to become commonplace, as the costs of poor data privacy standards go up and the chances of avoiding online thefts, ransoms, and fines go down.

Mark Camillo, head of cyber EMEA for AIG, adds to this assessment: “Hacking and human error are probably the two biggest causes of loss that we see. If a company has ignored cyber cover in the past and then had a big incident, they will realize how quickly costs can add up.”

The power that hackers possess is something companies need to take very seriously; the sums of money involved can be vast. Of over 300 claims AIG processed in 2017, “The leading cause of loss was ransomware,” Camillo says. “Claims varied in value from $3,250 to $5.2 million.” While the insurance market is still maturing in Europe, experts anticipate the GDPR to drive additional insurance offerings to help mitigate cyber risks.

THE PRINCIPLES ENSHRINED IN THE GDPR

Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime. Article 5(1) requires that personal data shall be:

  1. “processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purpose when certain conditions are met (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

CRISIS COMMUNICATIONS

Reputational risk has been a growing focus of companies for some years, but how many have a communications strategy in anticipation of a data breach or cyber attack? Not surprisingly, this is a growing area of expertise and potentially a very lucrative one.

Jonathan Hawker, director at Slate Campaigns, a crisis management consultancy, says: “To have proper crisis preparedness in place requires a structured plan and everyone understanding their role.”

Few would argue the need for swift action when faced with a data breach; identifying the key decision-makers is imperative, Hawker says: “In the first crisis meeting, I don’t want to see a cast of thousands, who are using the situation as a career opportunity. I want to see a chief operations person; an HR person who can assist with staff communications; a chief information security officer; I may need a lawyer, but I don’t need a finance person, and I need the CEO, but I don’t need the chairman — although I need the CEO to engage with the chairman.”

Experts expect crisis communications to become more integrated into business activities as those holding large volumes of personal data come under ever-greater scrutiny from regulators and struggle to keep their increasingly complex technological systems safe from the many possible bad actors.

RESEARCH ANALYSIS

Investing in Data Privacy

A key finding of our survey is that 74% of all respondents expect their business to invest in data privacy during 2018.

This year, do you expect your business to invest in data privacy?

[Bar graph: share of respondents expecting to invest in data privacy this year, by country surveyed]

Not surprisingly, the consistently high interest in data privacy investment across all of the countries surveyed (61%–77%) indicates that a genuine need is perceived to exist to enhance privacy programs to comply with the GDPR and other emerging privacy regulations.

As Stephen Allen, global head of legal services at Hogan Lovells, highlights, until recently: “If you’ve been working on a GDPR compliance project, you’ve been working to a fixed deadline.”

Now that the May 25, 2018, deadline has passed, organizations are treating GDPR compliance as an ongoing process.

Informally, regulators have even expressed a willingness to consider reduced penalties where organizations can demonstrate that they have taken reasonable steps to comply with the regulation.

GDPR: Consents and Legal Basis

Interestingly, our survey tells us that 57% of respondents come from companies that have taken steps to review the data they hold, to ensure that they have the necessary legal grounds (e.g., valid consents and performance of a contract) to process the personal data they handle.

Has your company reviewed the data it holds to ensure that it has the necessary consents and permissions when handling personal data that identifies individuals?

[Pie chart: share of respondents whose company has reviewed the data it holds for necessary consents and permissions]

This statistic suggests that well over half of the respondents come from organizations that are being proactive in engaging with the data privacy issues arising from the GDPR.

GDPR: Totally Compliant?

Next, we asked respondents a tougher question, about whether their business has done everything necessary to continue processing personal data under the new GDPR.

As of March 2018, when the survey was released, only 44% of respondents answered in the affirmative, with the remaining 56% telling us they have not done everything necessary to ensure continued access and compliance with the GDPR.

Has your business done everything necessary to be in full compliance with the GDPR once it comes into force on 25 May 2018?

[Pie chart: share of respondents reporting that their business has done everything necessary to be in full compliance with the GDPR]

It is very difficult to measure full compliance with the GDPR; however, the fact that 44% of respondents told us their organizations have done everything necessary to comply suggests that many companies are doing everything they can, and perhaps that many started their GDPR readiness program far in advance of the May 25, 2018, deadline. Organizations are clearly going to have to continue modernizing and strengthening their privacy programs for the foreseeable future.

Good First Steps

When attempting to get your own privacy house in order, there are a few “golden rules” worth prioritizing.

A good first step is to create a data inventory, so that you know exactly what personal data you hold is within the GDPR scope, how you obtained such data, where it is stored, how it is protected, and to where that data is being transferred.

After these basics are clear, organizations should develop a compliance strategy that documents the steps the company is following to comply with the GDPR. Some of the key elements of this strategy should include: maintaining records of processing activities and identifying those that present a higher risk; assigning a legal basis for each processing operation; developing transparent privacy notices that describe how the organization uses personal data and for what purpose; confirming whether the designation of a data protection officer or a representative in the EU is required; and implementing appropriate safeguards when personal data is transferred outside of the EU.

It is also important to offer privacy training and to improve privacy awareness so that personnel know how to comply properly, as a matter of course, and are aware of why protecting and enhancing data privacy is so important.

There are many other obligations under the GDPR, but building a data inventory, creating a compliance strategy, establishing a compliant privacy policy, and pushing a training protocol are good initial steps.

CONCLUSIONS

Data Privacy Underpinning Success

Due to a combination of technological innovation and changes in regulation, data privacy is now a top priority for any business that collects personal data.

To thrive in the post-GDPR world, organizations need to be honest about their data privacy strengths and weaknesses and ensure they know exactly what personal data they are collecting, how they are protecting that personal data, and what legal basis they are relying on to process the personal data. The organizations able to master these challenges will benefit by building trust with their customers and employees.


SURVEY DEMOGRAPHICS

The analysis we provide in this report has come from an international survey of 351 legal and technology professionals that use and deliver legal technologies across a range of industries.

Geographical Coverage

In terms of geographical coverage, approximately 60% of the respondents to this report’s survey come from the US, with 30% coming from the UK and 5% each from Canada and the Middle East.

[Map: geographical distribution of survey respondents (US, UK, Canada, Middle East)]

Direct and Indirect Roles in Legal Work

Overall, approximately 55% of our respondents consider themselves to have a direct role in the legal work their company undertakes, while 45% consider themselves to have an indirect role, functioning more as facilitators.

[Pie chart: respondents with a direct role (55%) versus an indirect role (45%) in their company’s legal work]

Industry

Approximately 15% of the survey’s respondents come from the financial services and insurance industries, with a further 14% coming from the telecommunications and IT community, 11% from legal firms and 11% from retail. Smaller but notable percentages of the respondents come from manufacturing (10%), energy, utilities, and waste management (9%), healthcare and pharmaceuticals (9%), public sector (7%), construction (6%), agriculture (5%), plus the media and leisure industries (3%).

[Bar graph: survey respondents by industry]

Annual Revenues

In order to ensure that this survey represents the views of staff working at blue-chip companies, respondents were asked a screening question about the size of their global annual revenues, and only asked further questions if the answer was in the $100M to over $5B range. The asking of this screening question makes it possible to confirm that over half of this survey’s respondents come from businesses with turnovers in the $250M to $999M range, with both larger and smaller businesses also being well sampled.

[Pie chart: survey respondents by global annual revenue band]

Respondents

General counsel make up over a third of our respondents (34%), but a variety of other legal and technology roles associated with the delivery of hi-tech legal services have also been well sampled, as can be seen below.

[Bar graph: survey respondents by role]

Other legal professionals, such as Heads of Legal, Senior Counsel, and Staff Attorneys (9%) and e-Discovery Counsel, Lawyers, Associates, and Directors, play important roles in the uptake of the latest legal technologies, so we think it is important to consider the views of different levels of seniority and specialist roles likely to be both heavy users and recipients of new technologies.

On the technology side, professionals such as CTOs (16%) and the Heads of Machine Learning and Analytics (5%), directly or indirectly responsible for the delivery of legal services within business, also offer a valuable perspective.

The responses of these two important groups have made it possible to compare and contrast the views and experiences of those responsible for the practical adoption and delivery of LegalTech with those that are more focused on the legal requirements of end users.