UK: W Legal Can Assist Your Firm In Navigating Data Handling Regulations

Working these days with large amounts of data, staff based remotely or using a range of devices to link with the office brings a range of technical, legal and regulatory issues and potential headaches from a data handling perspective.

We want to help you take a weight off your mind by providing a straightforward tailored service which will allow you to focus on running your business, while having the comfort of knowing that your data policies and procedures have been checked, complied and kept under review.

We are a niche specialist commercial solicitor firm with offices in London, Manchester and spread across the country via an extensive consultancy network.

From our own reviews, we believe that the main exposures that should be worrying any firm now are:

• Could we be "hacked" directly or indirectly with ransom or malware; viruses that can shut down our operations, extract valuable data or operate pirate services across our network. These hacks can occur because of an employee clicking on a link in an email that downloads a virus into their system (ie phishing email) or a hacker simply attempting to break the employee's password combination and access a database.
• What actions would we take where devices are lost or compromised, or documentation is simply lost?
• How do we address new personal data requirements under General Data Protection Regulation /Data Protection Act 2018 – carrying out impact assessments; providing for contingencies where data is lost or compromised and dealing with the UK or foreign data regulators, such as the Information Commissioner's Office (ICO). Can we evidence that senior management has considered the risks; carried out data audits/impact assessments and knows where data is stored and the contingent actions to be taken in the event of a breach.
• Are we clear on how the law and regulations operate after Brexit and new court decisions that impact sending data from the UK jurisdiction abroad to other countries and where we might have customers and employees in foreign jurisdictions. Standard clauses are expected to need further review after UK and EU authorities complete their post-Brexit considerations.

We can assist you with advice; providing the necessary policies and procedures as well as linking with partners that we have to advise on the technical issues around state-of-the-art software solutions; forensic investigations; repairing breaches; damage containment as well as dealing with the ICO. We can provide an external data protection officer/manager service if that is considered necessary.

Perhaps, most valuably, we can sit down with you for an initial evaluation meeting without fees being involved to give you an assessment of where the risks may lie; what actions to be taken now and what plans to put in place should problems arise in the future. We can then provide you with estimated costs and timescales to put solutions in place including effective policies, procedures, training and what to do when a breach occurs.

Further Background on Data Management Issues for Your Firm

Together with data security firms working with W Legal, we recently prepared a short briefing on key legal issues surrounding data handling:

• Updating IT and Data Privacy Policies and Procedures
• Dealing with the legal side arising from hacking and data breaches
• Cross border transfers of data
• Expectation of privacy – using company devices for personal use and bring your own device (BYOD)

Producing and updating IT Policies

It is key to have updated your policies for IT and data privacy in light of the changes that remote working has caused.

There needs to be clear guidelines in the IT policies regarding governance and accountability as to who is responsible for the data, and what to do with the data when it is no longer necessary and what to do in the event that data or devices are lost or hacked. The IT policy has to have a point of contact as well (ie a Data Protection Officer (DPO)), Data Protection Manager or an external entity/person who is responsible for data management within the company.

Generally, IT policies need to be reviewed at least annually as well as in the light of significant changes and in the light of new regulatory directives from the Information Commissioner's Office (ICO) as well as new legislation. Furthermore, as businesses grow and hold more data from many different parts of the world, their data policies also need to reflect these changes.

Dealing with Hacking, Data Breaches and Forensic Investigations

All the time, we can see the evidence of the growth of dangerous and illegal cyber strategies which can undermine your business, reputation and existence. Whilst cunning and powerful adversaries may succeed with an attack, there are many procedures, software tools and strategies that can be implemented to reduce the chances of a successful attack. At the very least, they will serve as some degree of mitigation in the event of a data breach or loss and a regulatory or judicial investigation or legal proceedings.

W Legal, in collaboration with IT/data forensic experts, can provide advice and guidance on revising policies and implementing software and internal governance procedures that can reduce the exposure to cyber-security risks and regulatory penalties.

Cross border transfers of data

It may be that, in the course of a firm's data breach investigation, you are required to acquire data from an endpoint located in another jurisdiction.  If this is the case, you should be mindful of what the legal implication of moving data cross border may be. One area of particular note is the GDPR and the Data Protection Act 2018, alongside the regulatory guidelines published by the ICO.

It is highly likely that data stored on an endpoint will contain personal data, whether that is data belonging to the employee or your customers, you therefore need to take GDPR into account. If data is moving from the EEA/EU to outside, then there has to be specific legal mechanisms in place under GDPR to address personal data privacy.

The EU Commission has made a number of equivalence decisions that mean it recognises other 3rd countries that have equivalent personal data protection safeguards and, as at the end of June 2021, the UK received an adequacy decision. However, UK firms handling data moving to and from the EU will have to have a European Data Representative appointed in at least one relevant EU jurisdiction. Moreover, UK businesses will have to be careful when handling data arriving from the EEA/EU and where it is being transferred to another jurisdiction that is not within the EEA/EU.

Where a 3rd country outside the EEA/EU, does not have an adequacy equivalence decision, then a special legal mechanism will need to be put in place. This includes the requirement to incorporate "Standard Contractual Clauses (SCC)" into a contract between the parties transferring the data which would mean incorporating the GDPR standard practices.  As far as the UK is concerned, the recent positive adequacy decision, will remove the need for UK firms to decide on the adequacy of protections when transferring data into and from EEA/EU countries. The decision on equivalence has a 4 year "sunset" validity which means a further review will take place in the medium term.

If data is being moved by a multi-national entity between group companies on a multi-national basis, then "Binding Corporate Resolutions (BCRs)" or "Intra-Group Agreements" have to be put in place that essentially incorporate the Standard Contractual Clauses and the GDPR best practices and standards as an internal group code of conduct. This will ensure that a transfer of data is legally permissible and should be kept under review.

W Legal can advise on the contents of such SCCs or BCRs.

As with all personal data transfers, it will be important to address which parties are Data Controllers (taking primary responsibility) and those that are Data Processors; ensuring that Data Audits and Data Privacy Impact Assessments are undertaken, with appropriate security, storage and data deletion and amendment procedures in order to protect dataholders' rights under GDPR.

Expectation of Privacy – Using Company devices for personal use & Bring your own Device

Complications may arise where an employee or a client that a firm targets could argue a reasonable expectation of privacy, a problem only exacerbated by the fact many employees are working from home.

Company's data practices may have to be updated to reflect the current reality that, when working from home, new policies and procedures will be needed.  It is important that remote collection capabilities are made clear in the firm's IT policies. Employees need to respect the fact that, when they are using a company device in their own home, it is for a specific work purpose and not personal purposes.

The employee should uphold the firm's data privacy standards when using company devices such as laptops and mobile phones at home and, as far as reasonably possible, when they are using personal devices. The IT policies should specifically outline the definition of "acceptable use" and what measures will be taken where there are breaches of the policy. Any data that is collected on those devices away from the office should be recorded and ideally put into a separate folder. This follows the ICO's recommendations of maintaining "Data Privacy Best Practices" while working from home. This can certainly prove a challenge where employees are sharing their personal equipment with other family members.  Firms may want to ensure that they provide equipment such as laptops and mobile devices to minimise problems.

Ideally, any office device or remote network should be used solely for work purposes as they may give access to confidential information.   No family members should be allowed to use a work device and all devices should use Multi-Factor Authentication.

Many companies operate a BYOD policy and some have likely been forced into a BYOD environment, if they did not have sufficient hardware to support a remote workforce at short notice. So, what rights exist for an employer to access data stored on a device owned by the employee?

This has to be looked at in the context where data is being stored on a device that is owned by an employee which is also used for working and professional purposes. An employer has the right to access that data so long as the search doesn't intrude or infringe upon an employee's personal information although this is a delicate area to tread.

Data that relates to work should be clearly stored separately and kept apart and labelled clearly.  This is a delicate balancing act for companies in order to protect data belonging to the company whilst also preserving an employee's right to privacy, as per Article 8 ECHR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.