It is useful for organisations of all shapes and sizes to consider the ins and outs of data protection, not just in order to prepare compliance documents that will form part of ‘business as usual’, but also to prepare for some of the milestone events that will arise from time to time.
Here are some events or contexts in which personal data issues and risks will arise and for which there should be some degree of advance planning and specialist input.
The three events I’ve chosen are familiar enough, if not exactly everyday occurrences. They are:
- handling grievance procedures in the workplace;
- selling a business; and
- adopting new platforms or systems.
There are data handling issues unique to each of them but there are just as many that apply across the piece to varying degrees.
Handling Grievances in the Workplace
Employee grievances, as my specialist colleagues will tell me, give rise to some particular challenges in terms of ensuring that the bond of trust between the employer and the employee is not compromised. Both sides will, in all likelihood, want the relationship to continue once the grievance has been resolved. Ensuring that this can happen is not just about the outcome of the procedure but the quality of the process itself. If everyone believes that the process has been thorough and fair then they are much more likely to return to normality, even the individuals who may be found to have been at fault.
One or more parties will inevitably ask for data to be disclosed to them. The complainant in particular will almost invariably ask to be given access to their own personal data. It might not be obvious from the way a request is made that ‘personal data’ is being asked for, so the first test is whether or not the organisation will recognise a data subject access request when it comes in. The legislation does not mandate any particular form that a request must take.
Having recognised it as a data subject access request, the next test is to decide how wide to cast the net when searching for that data. Can you agree with the complainant on sensible parameters for the searches you will have to make? If not, what does the law say about how much data you must provide? An employee who has been with the organisation for several years will have a lot of data in various data sets, collected and used for a variety of different purposes, many of which will not be relevant to the grievance.
Grievance investigations inevitably also involve handling data relating to other individuals in the organisation, not just the complainant. How should you go about collecting that? Can you disclose it to the complainant or the complainant’s advisers?
Handling data responsibly and explaining the organisation’s decisions around what to disclose and what not to disclose will play their part in ensuring a good outcome.
Selling a Business
Even at the early planning stages, the owner of a business will want to understand exactly what personal data the business holds, and why.
Any potential buyer will carry out extensive due diligence and this will include raising questions about the nature and scale of the personal data being processed. They want assurance that there are no data protection hazards awaiting them.
If the business already has a suitable data map, data register, and a full suite of compliance documents, this task will be a relatively easy one. If not, then now is the time to remedy the defects. Ask for an audit that will identify gaps, and then spend time preparing the right policies, notices and procedures, or updating what already exists.
The proposed sale will also mean that the personal data of all the transferring employees will have to be shared with the potential purchaser. How much personal data should be shared, in what form, and should it all be shared at once?
In addition to data concerning employees, the due diligence questions will also seek information about how well the business has been managing its electronic marketing campaigns. How will the business demonstrate that it has managed its compliance with the Privacy and Electronic Communications Regulations? Are its cookie notices and banners compliant?
If the owners can’t give sufficient assurance on these issues then the buyer may go elsewhere, or at least price in the risk of a potential claim or penalty.
Adopting New Platforms
Changing from one technology platform or infrastructure (such as AWS) to another (say Microsoft Azure) is not just a tricky technical project. It is also an event that requires an organisation to revisit all its assumptions about the confidentiality, integrity and availability of its personal data.
Platform providers are almost always the tech giants. Using platforms from these big companies means that it can be all too easy to assume that data protection won’t be an issue. But complacency is a dangerous thing and it is not safe to assume that whatever provider you choose, data protection compliance will have been built in. Usually, the platform provider will indeed have addressed the data protection compliance issues. But the approach they offer will not be exactly what you would want and might not be entirely tailored to UK law. They will have drafted the terms to give themselves as much flexibility as possible and may have ‘adjusted’ the UK GDPR obligations that a data controller must impose on a data processor.
As a minimum, the client organisation will need to review the data protection agreement or terms offered by the new provider to be certain that it understands what residual compliance risks there might be, can identify any serious gaps in what the provider is agreeing to and, importantly, knows where the personal data uploaded to the platform might be transferred to. This latter point will require a good understanding of the UK GDPR data transfer laws and in particular the question of which countries have the benefit of an adequacy regulation and which do not.
If an adequacy regulation can’t be relied on then a choice has to be made about which type of contractual safeguard (such as an International Data Transfer Agreement (IDTA)) will need to be put in place. A transfer risk assessment will also be needed. This all requires specialist advice and drafting.
The same sorts of issues arise when a business anticipates other major projects that will involve large volumes of personal data, perhaps as a result of a decision to diversify or expand into new markets. These projects will need a sensible impact assessment that will check whether the outcome will present unacceptable risks to personal data. One problem that arises is that, having originally collected personal data from customers and others for one purpose, meeting the new project goals means subjecting the data to processing for an entirely different purpose, one the customer has not been made aware of.
Tim Heywood FRSA, Partner at gunnercooke, specialises in data protection, privacy, cyber and information law. He is also a member of the Law Society’s Technology and Law Committee.
This article is not intended nor must it be relied on as legal advice. Specific legal advice should be sought on your particular circumstances.