Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
The Right to be Informed & Forgotten
A practical approach to GDPR compliance
(written by Alex Matheson)
This is the first blog in a series that reviews the new data rights with particular detail given on the right to be informed & the right to be forgotten.
The spirit of the regulation
As you probably know, the GDPR regulates the processing of personal data of individuals within or from the EU and the European Economic Area (‘EEA’). Unlike UK law, EU Regulations are not subject to a doctrine of common law precedent & they are interpreted in the spirit of the regulation rather than strictly. Regulations contain Articles which set out the law and also Recitals which have no legal force in themselves but which are designed to assist with the interpretation of the Articles.
The GDPR is a regulation, so has direct effect. It is also underpinned & further incorporated in UK law by the Data Protection Act 2018 (‘DPA 2018’).
The right to be informed
Individuals have new rights under the GDPR including the right to be informed about how their data will be processed, this means that as part of the client engagement process, organisations need to provide their clients with certain information regarding the processing of their personal data.
Basic steps that many practitioners will have taken is:
- Updated their terms of business and privacy notice in line with a client’s right to be informed. The nature of the information will be generic in these documents & should cover matters such as general data processing, the typical lawful bases how rights can be asserted, how an organisation is supervised for data protection purposes & who complaints can be raised to.
- To be precise & transparent regarding the personal data they collect. For organisations selling products, generic documents will suffice, however, many professional service organisations will collect different types of data depending upon the service offered to a client & the client will have a relationship with the organisation that involves bespoke data processing. This means that professional service organisations will now need to take additional further steps to ensure that precise & transparent information is delivered to clients.
Many professional service organisations will:
- Send some form of initial letter confirming their engagement (referred to here as an engagement letter) alongside generic terms & conditions and notices. Such an engagement letter is a natural location for setting out tailored data protection information on a case-by-case basis or type-by-type basis, depending upon the level of tailoring of services that an organisation offers its clients.
- The GDPR requires prescribed information to be provided at the time personal information is collected, so a professional services organisation should consider sending a new engagement letter to an existing client with repeat work – even if an organisation would otherwise have continued working under an existing agreement.
- Practitioners may consider it helpful, as a rule of thumb, to consider a person’s right to know about how an organisation will process their data as being akin to their right to know the price before entering into an agreement. An organisation’s terms of business will rarely specify a price, so organisations often provide pricing information (by way of a fixed price, estimate or hourly rates) in the engagement letter. Similar precision is required for information relating to the processing of personal data, so if precise information is not in the terms of business then it should be provided in the parallel engagement letter.
The GDPR provides checklists of the prescribed information to be provided when personal data is collected. Many of the items of prescribed information can be provided in generic terms of business, such as information on who the supervisory authority is and how rights can be asserted, however practitioners should consider each item of prescribed information and ensure each is addressed as specifically as possible.
The 3 main areas where a professional service organisation will likely need to provide tailored information to clients are:
- the data retention period,
- the lawful basis for processing and
- data rights.
Look out for the next blog in this series from Alex on the right to be forgotten. If you would like a full length copy of this paper and/or the entire series of papers, please contact Alex – firstname.lastname@example.org
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.