We asked attendees at our series of GDPR Roadshows across the UK “On a scale of 1 to 10, how prepared do you feel you are for the GDPR? (10 = very ready, 1 = not ready at all)” and 61% scored 5 or lower.

As the deadline draws closer, experts at Link Market Services have explored some of the myths surrounding the coming regulation, to ensure issuers have a sound understanding of what the GDPR means for their business and their shareholders.

For more information see the ICO website at https://ico.org.uk/for-organis...

GDPR v DPA

MYTH - GDPR - It's just a new name for old rules

There is much in the GDPR you will recognise from the current law, but there are significant differences. Enhanced compliance requirements combined with increased sanctions make the GDPR a significant change in the world of data privacy. The GDPR will introduce:

  • A uniform approach across the EU
  • A broader “right to be forgotten” for data subjects
  • “Clear and affirmative consent” – a higher standard for obtaining consent to the processing of an individual’s data
  • A right to transfer your data to another service provider
  • The right to know when the security of your data has been breached, with mandatory 72-hour personal data breach reporting
  • An obligation to explain, in clear and understandable language within privacy policies, how and why a person’s data will be processed
  • Liability for both Data Controllers and Data Processors, who can be fined by the Information Commissioner (ICO)

MYTH - Individuals have a long list of new protections under the GDPR

Many of the protections in place for data subjects exist under the current legislation. Whilst the right to data portability is new, the others have been strengthened under the GDPR.

Data subjects have eight rights under the GDPR:

  • the right to data portability;
  • the right to access their own data;
  • the right to erasure;
  • the right to rectification;
  • the right to restrict processing;
  • the right to be informed;
  • the right to object to processing; and
  • the right not to be subject to automated decision making, including profiling.

However, remember these rights are usually qualified and only arise if certain conditions are met. It may also be possible to refuse to provide these rights depending on the circumstances.

MYTH - We have been using privacy notices since the DPA was introduced in 1998. There is no need to change them now.

The GDPR rules on giving privacy information to data subjects are more detailed and specific than in the current legislation and place an emphasis on making privacy notices understandable and accessible.

The GDPR includes a longer and more detailed list of information that must be provided in a privacy notice. The GDPR says that the information you provide to people about how you process their personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language; and
  • free of charge.

There is still discretion for Data Controllers to consider where the privacy information required by the GDPR should be displayed. A ‘layered’ approach may be appropriate as this would allow key privacy information to be provided immediately and have more detailed information available elsewhere for those that want it. This might consist of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. 

GDPR v Brexit

MYTH - Once Brexit happens the GDPR will not apply.

The UK will still be in the EU at the time of the GDPR implementation and subject to this EU regulation. After Brexit the regulation will apply to UK companies and those not based in the EU who deal with the data of EU citizens. This “extra-territoriality” in the regulation would mean that the GDPR will still apply to UK companies after Brexit if they provide UK goods and services to citizens in the EU.

Also, in August 2017 the UK Government set out its intent in relation to the forthcoming Data Protection Bill that will include and implement the changes being brought about by the GDPR to update and strengthen current data protection legislation in the UK. In effect the GDPR provisions will be included in UK law so that they will still apply post-Brexit. Ireland and other jurisdictions will be updating equivalent legislation.

Consent & the right to be forgotten

MYTH - You need consent from data subjects whenever you process their data.

Obtaining clear and affirmative consent to record, use and transfer personal data is more important under the GDPR. However, there may be another lawful condition that means that specific consent is not always required.

Data Controllers and Processors who are looking to process data lawfully should be operating within one or more of the lawful conditions outlined in the GDPR. These include:

  • processing is carried out with the consent of the data subject; or
  • processing is necessary for:
    • performance of a contract with the data subject;
    • compliance with a legal obligation;
    • the purposes of legitimate interests pursued by the controller or a third party.

For example for Link Market Services to operate share registers and administer share plans for our client Data Controllers we need to record and use data about shareholders and share plan participants when shares are bought, sold or transferred. Consent for these activities may not have been specifically sought. However, these activities are necessary and usually fall within the categories of lawful processing above – legal obligation, performance of a contract, or legitimate interest. 

MYTH - There is no need to get consent. We will just use the ‘legitimate interests’ approach.

Legitimate interest is the most flexible lawful basis for data processing, but you cannot assume it will always be the most appropriate.

It may be appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

There are three elements to the legitimate interests basis which you should consider: 

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

MYTH - Even if you had obtained ‘consent’ from a data subject under the old Data Protection Act, you will need to get it again to satisfy the GDPR.

Not necessarily. If you obtained consent in the past for data processing or to issue marketing material to an individual this will continue to be valid in most cases. It may be worth reviewing the terms of such consents to ensure that they comply with the GDPR.

It is also worth noting that another lawful processing basis might be more suitable than consent, given the ability for data subjects to withdraw consent at any time.

MYTH - The ‘right to be forgotten’ means that if a data subject wants their data to be deleted companies have to do it.

Under the GDPR individuals do have a ‘right to be forgotten’ or ‘right of erasure’ and can request the deletion or removal of personal data where there is no good reason for processing to continue. However, the GDPR also sets out grounds for refusing a request to remove personal data.

One of the grounds for refusing to delete personal data is that it is being held to comply with a legal obligation. For example, in our industry, once a shareholder has ceased to hold shares in a company they may think that their personal data should be removed from the register records. However, there is a legal obligation under the Companies Act 2006 (s.121) that a register entry may only be removed from the register after 10 years have elapsed since the shareholder ceased to be a member.

MYTH - The rules around ‘subject access requests’ remain the same so there is no need to update any procedures.

Subject access requests (SARs) have been part of the data protection regime for some time. However, there are changes under the GDPR which may make compliance with any SARs more onerous. The current statutory limit of 40 days to comply with a request will be changed to a response being provided ‘without undue delay’ and at the latest within one month of receiving the request. The timescales can be extended by another two months if the request is complex or there are numerous requests.

Other changes to SARs include:

  • No fees: an organisation will not be able to charge unless the request is ‘manifestly unfounded or excessive’.
  • Excessive requests: a fee can be charged or the request refused. When refused it will be necessary to explain within one month why, and to inform the individual of their right to complain to the supervisory authority.
  • Electronic access: it must be possible to make requests electronically (e.g. by email).

The roles of data controllers & data processors

MYTH - The responsibilities of Data Controllers and Data Processors are just the same as they were before.

No – there are some major changes. Currently, Data Controllers have statutory obligations and can be held to account under the law by the ICO when data handling goes wrong. Data Processors have contractual obligations to the Data Controllers that have appointed them, but processors have no direct statutory compliance obligations.

Under the GDPR, Data Processors will be liable for many more of the activities they undertake on behalf of Data Controllers. In this sense, processors will have ‘liability parity’ with controllers for the correct handling and protection of personal data. 

Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on the documented instructions of a controller. They will have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they do not comply.

MYTH - Existing contracts between Data Controllers and Data Processors do not need to be changed.

Whilst the GDPR is an evolution of current data protection legislation, there are some very specific changes and more onerous requirements and enforcement which will mean that all contracts between Data Controllers and Data Processors should be reviewed. There is a high probability that these contracts will need some changes.

The GDPR makes written contracts between controllers and processors a general requirement and these contracts must now include certain specific terms, as a minimum. Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.

Contracts must also require the processor to take certain actions including that they should:

  • only act on the written instructions of the controller;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract.

In addition to its contractual obligations to the controller, under the GDPR a processor also has direct responsibilities including:

  • to co-operate with supervisory authorities (such as the ICO);
  • to notify any personal data breaches to the data controller; 
  • to employ a data protection officer.

If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

If a processor uses a sub-processor then it will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.

Consequences of failing to comply

MYTH - It’s only the major personal data breaches that need to be reported to the Information Commissioner.

Some organisations are already required to notify the supervisory authority when they suffer a personal data breach. The GDPR extends this requirement to all Data Controllers in relation to certain thresholds of data breaches, and also requires individuals to be notified in some cases.

A notification must be given to the supervisory authority within 72 hours of becoming aware of a breach, if the breach is likely to result in a risk to the rights and freedoms of individuals. A notification must also be given to the affected individuals without undue delay.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. 

The legislation does give some discretion for controllers to decide not to notify a breach to the supervisory authority, if the organisation concludes that the breach is unlikely to result in a risk to the rights and freedoms of individuals. However, Data Controllers could run the risk of an administrative fine of up to €10 million or 2% of global turnover if it turns out a notification should have been made, in addition to a fine for the breach itself. If you use a Data Processor, and this processor suffers a breach, then it must inform you without undue delay as soon as it becomes aware.

MYTH - The supervisory authorities do not have the power to enforce improved data protection.

Under the GDPR, the supervisory authority (the ICO in the UK) has greater fines and enforcement powers to sanction those who do not abide by the regulation.

In addition to the power to impose fines for breaches of the GDPR requirements, the ICO will have investigative powers – the ability to request information, carry out data protection audits and access premises. They will also be able to issue warnings and reprimands, have the power to order compliance and to suspend or limit processing or data flows.

In terms of the system of fines, this will be a two-tier fine system to be applied depending on the nature of the breach or failure by the processor or controller. Tier-one infringements are subject to administrative fines of up to €10 million or in the case of an undertaking, up to 2% of the worldwide annual turnover (whichever is higher). 
