The use of personal data by organisations is top ranked in terms of the risk as well as the opportunity it presents. By analogy, personal data is like oil – it is the most valuable but also the most vulnerable resource to an organisation and it can spill, leak and cause damage to that organisation and the data subjects to whom it belongs.
There are a number of considerations for GCs/in-house counsel and those working in the Risk and Compliance space at organisations which process a lot of personal data, in particular sensitive personal data (known as a special category), and for the risks associated with that activity.
Those considerations include:
- where your personal data is in the organisation – are there good internal policies in place so that staff are only creating data in specific locations or is there a wider issue of staff saving documents to their own systems rather than the organisation’s central systems? When staff leave, does the organisation have a handle on what data that individual has created and where it is stored in case it is needed in the future?
- what data is being processed in the organisation – are Data Protection Impact Assessments (DPIAs) being carried out to assess and record the likely impact on the personal data concerned when special category data is being processed? Does the organisation have a privacy policy which explains why, and on what legal basis, the personal data is being processed? If AI systems such as large language models are being trained within the organisation, is personal data being used for this purpose? If so, where does it come from and are you clear on the risks of using “real” personal data? Is retaining personal data for use in this training affecting your organisation’s data retention?
- whether your organisation works with other organisations which process personal data on your behalf (data processors). If so, where is this personal data being processed and if that processing is taking place outside of Europe or the UK, is that data suitably protected by data protection legislation which is equivalent to that provided by the GDPR/UK GDPR? Does the country of processing have adequacy in this respect and if not, have you considered additional contractual protections for the personal data concerned, in the form of an International Data Transfer Agreement or equivalent?
- how well your organisation approaches information governance. Do you know what data is being stored by the organisation and is this in line with UK GDPR principles around data minimisation and purpose limitation? The more data being stored, the higher the cost and the bigger the volumes to manage. In particular, the more data being retained, the more extensive the potential search exercise when a Data Subject Access Request is made by an employee/ex-employee or customer for their personal data. Does your organisation plan for what happens to data once a project has been completed, so that data is not kept longer than it is needed? Do your organisation’s Records of Processing Activities (ROPAs) direct the organisation back to the original data source? Does your organisation have an up-to-date data retention policy and is there regular engagement with that policy?
- how secure your organisation is with respect to safeguarding personal data and protecting against cyber attacks and data breach incidents. Are your staff suitably trained in basic security measures to protect the personal data which they are working with? Do you have the right internal policies and procedures which set out what the organisation should do, and who should do it, in the event of a security incident? Do you have trusted third party advisors on hand whom you could reach out to for assistance? Does your organisation have a lot of technical “debt” (outdated software) which is raising the risk of your organisation being targeted by cyber criminals?
- how secure your supply chain is. Do you know what security measures your suppliers have in place to protect the data which you are sharing with them and to guard their systems against cyber incidents? Are the relevant Data Processing Agreements in place which clearly set out the obligations of your suppliers as data processors, and who will be liable in the event of a data breach involving personal data for which your organisation is responsible as the data controller? Are the data processors which your organisation is working with clear that they need to cooperate with you in the event of a Data Subject Access Request in respect of which they might hold some of the personal data, and that they need to report to you within a very short timeframe in the event of a data breach and co-operate with any reporting to the Information Commissioner’s Office?
This is a tricky area of law and one which can be costly (financially and reputationally) to get wrong. Our Data Protection & Privacy team provides a range of bespoke training and support on these questions and on all aspects of data protection law and practice, through detailed legal analysis, facilitated workshops and training sessions. Our sessions are designed to be user-friendly and can be tailored to various audiences, including senior executives, leadership teams, data protection risk and compliance teams, in-house legal departments, and front-line customer service, sales and marketing staff. Should you wish to discuss any of the issues raised in this article, or wish to explore our training offering, please do not hesitate to contact Emily Aggett, Anne Todd or Tom Torkar.