GDPR and You – What does it all mean?
The legal position regarding any customer data you maintain was previously enshrined in the Data Protection Act 1998. The benefit of the law remaining the same for the last 20 years was that everyone involved was clear on their obligations regarding the handling of personal data. However, on 25 May 2018, the legal position changed with the implementation of the General Data Protection Regulation (GDPR). But what will this mean for SME businesses?
Does it apply to me and what exactly is ‘personal data’?
While you may not necessarily believe that you will be subject to the GDPR, it is important to understand that it is applicable to all firms providing a service where you are in the control of and/or are using ‘personal data’.
Another key concept to understand is what is considered personal data? Under the GDPR, this is broadly defined as any information relating to an identifiable person. So, by way of example, when you are appointed by the Client to provide designs for an extension to their property, you will be in possession of the Client’s name, address and potentially financial information that can clearly identify that person and, as such, falls within the scope of the GDPR.
What can I do to avoid any potential issues under GDPR?
The first step in protecting your position is to determine whether or not you are entitled to use the information provided by the Client. Within the GDPR there are six legal justifications for the use of personal data but, within the context of your profession, it is likely that the most relevant will be either ‘Consent’ or ‘Contract’. Essentially, the Client has either consented to the use of the information or your contract requires you to use the information in the performance of the contracted services (i.e. you are required to identify the Clients and the property as part of a planning application).
To ensure that you do not fall foul of the legal regulations, use of the information should be limited to the purposes for which it was provided. If you are looking to use the details provided by the Client for any other purpose, you would be required to obtain their consent for that use and this would also be the case if you are looking to share that information with any third parties. If the Client refuses to provide their consent, then the data cannot be used.
Protecting the data
In this day and age, it is likely that the majority of the information you hold in connection with the Client will be held in an electronic form which can include the drawings and e-mails you have received from them. As such, there is a requirement to ensure that you have taken measures, both in terms of your technology and organisation, to protect the data you control. In general terms, the expectation would be that any data is stored in an encrypted format and that you have adequate and appropriate security measures in place across your IT systems.
While we would not necessarily expect that the majority of SME businesses would be the target of hackers, it is easy to become the victim of a scam or virus attack. As such, if you are unsure about the systems you have in place; it may be worth contacting an IT professional to ensure that all reasonable measures have been taken, (e.g. encryption of portable devices).
What happens if there is a personal data breach?
In the event that the information is disclosed to another party or you suffer a cybersecurity breach, you may be required to report the loss to the Information Commissioners Office (ICO) within 72 hours of becoming aware of such a breach where feasible.
In relation to the affected individuals themselves, the GDPR requires that you notify them of the breach where there is a high risk that it will impact on their rights and freedoms without undue delay. However, while not strictly required in all cases, it may still be appropriate to advise the Clients of any breach as this will ensure that they have an opportunity to take steps to protect their own position.
After a breach – the insurance position
Unfortunately, as with any significant shift in the legal landscape, the impact of the GDPR is unlikely to be clear for a number of years to come and this creates a grey area in terms of any potential cover you may have in place to protect your position.
While ICO has indicated that they will take a reasonable approach to how they investigate breaches and the imposition of fines, until the first cases are raised, the application of the new rules is untested which creates a degree of uncertainty. However, it is possible that some assistance when dealing with matters could be provided under a number of insurance policies, and we will consider each in turn:
a) Professional Indemnity Insurance
While not necessarily covered under all professional indemnity policies, it may have an extension to provide cover along the lines of:
“… for Defence Costs resulting from any prosecution first brought against the Insured or any Employee and notified during the Period of Insurance which arises out of the conduct of Professional Business in respect of any offences or alleged offences under section 155(1)(b) of the Data Protection Act 2018 …”
If the breach arises in connection with your professional services, the policy may still provide cover for the costs of defending any action taken by ICO. But, as you will note, this cover is limited to defence costs only and does not contain any provisions for any fines or penalties as these are specifically excluded from the policy. You would need to check with your insurance broker to confirm the exact nature and provisions of cover provided.
Given the limitations of the Professional Indemnity policy, it may be more appropriate to consider taking additional cover with a view to protecting your position. As a result, this now leads us to:
b) Directors & Officers Liability Insurance
While the Professional Indemnity insurance is there to protect the practice in terms of the provisions of its Services, it is also possible that the practice itself may be the subject of a claim arising out of the breach of GDPR.
By way of example, if the practice is the subject to a cyber attack which results in the loss of personal data (e.g. details of employees), it is possible that any of the affected individuals may be able to argue that the practice did not take all reasonable steps to ensure that the data it holds was adequately protected. As this would create a potential liability on the part of the practice and/or the individual directors, this could result in a claim under a Directors and Officers policy as this could be considered a ‘wrongful act’ in relation to the management of the practice and its risk.
In addition, a Directors & Officers policy may also include some cover for the Practice in relation to dealing with the costs involved in dealing with an investigation by a regulatory body.
However, this type of insurance may not be appropriate in all circumstances depending on the size of the practice (e.g. a sole practitioner would not benefit from this type of cover). This then leads us to:
c) Cyber Insurance
This may be purchased as either a standalone product or as part of a package and is an insurance product designed to deal with the various claims that can arise in this increasingly connected world. These policies typically include cover for data breaches and can include assistance both in terms of any investigations undertaken by ICO and any claims made against you by the affected individuals as a result of the breach.
However, a cyber policy will also extend beyond simply dealing with a data breach and may also respond to claims relating to other matters (e.g. ‘ransomware’ attacks, e-mail phishing scams etc) all of which are, sadly, on the increase.
Unfortunately, while the intention to create a more appropriate and relevant legal framework for personal data was the guiding principle, ensuring that ICO has adequate ‘teeth’ to deal with any negligent breaches may have inadvertently created an additional problem.
While both the various insurance policies may provide cover for any costs incurred in dealing with an investigation into a breach of the GDPR, the enhanced powers provided to ICO have shifted matters from a civil matter to a possible criminal matter, which could have serious implications for the insurance position.
In order for any fines or penalties levied by ICO (or any other regulator) to be covered, they need to be ‘insurable by law’. But, as a matter of public policy, it is not possible for you to insure against your own illegal acts and if you have been found to be in breach of the GDPR and fined by ICO, the breach may be considered an illegal act. As this cannot be insured by law, there can be no cover in place for the fine itself. While this is not great news in itself, ICO has indicated that they only intend to take punitive action where a breach is negligent and, provided you have taken all reasonable steps to comply with GDPR, it seems unlikely that fines would be raised.
What does this actually mean for my Business?
While you are subject to the provisions of the GDPR, given the limited nature of any personal data you are likely to hold and the relatively low risk of breaching the regulations, it may be unlikely that any ‘high risk’ breach or misuse of personal data will occur. This may reduce the prospect of receiving a punitive fine from ICO, but does not remove the risk that they will investigate or prosecute any breaches that do occur.
As a result, we would recommend you could consider the following points:
- You take reasonable steps to ensure that your IT systems are secure and that any personal data is suitably protected (e.g. any portable devices are encrypted).
- In relation to any future projects, you advise the client that you will be holding their personal data in connection with their project and that this may be disclosed to third parties (i.e., sub-consultants) if required and agreed in advance.
- In the event that a breach of personal data occurs, you contact this office as soon as practicable to determine if any assistance is available under your current insurance arrangements.
- You take time to consider whether a ‘Directors & Officers’ or ‘Cyber’ policy may be appropriate to protect your business and reputation should a breach arise
While this article has been concentrated on the ‘personal data’ you will hold in connection with your Clients, it is important to remember that the details you hold in relation to your own employees will also amount to personal data and should be treated in a similar manner.
We hope this article has been helpful but if you would like to discuss any of the issues we have raised please do not hesitate to contact us.
Additional information is also available at