Data protection often elicits strong responses. Some come from advocates of privacy legislation who shout from the rooftops about the need to protect the privacy of individuals from the exploitation of data by corporations and governments, while others come from detractors who believe information should be freely available in this new and technologically linked world and that data protection legislation hampers a free market. Then there are those who acknowledge the presence of applicable legislation but choose to ignore it, given its apparent lack of teeth. The latter will be choosing to break the law, since, whether an advocate or a detractor, the fact of the matter is that, when applicable legislation is in place, compliance is not optional.
This article is the second in a series of articles considering the practical impact of data protection legislation. In the first (see WDPR, June 2012, page 12), I discussed the importance of identifying data flows within a company. Compliance with any applicable data protection law is not possible unless a company fully understands the points at which data enters the organisation, the circumstances that give rise to this data flow, the conditions (if any) of collection, and how the data are then treated. Without this basic information, there is an information gap which prevents a company from asserting that it is compliant and which, perhaps more seriously from a reputational standpoint, exposes that company to potential breaches of data protection legislation that could easily end in a maelstrom of negative publicity, in addition to the less onerous legal penalties that may apply.
In the previous article, I considered how a data protection audit should be carried out. The information revealed by an effective audit process should enable a qualified individual, whether the company’s own data protection officer or an external third party, to identify which data protection laws may apply, whether the company is, or is not, compliant with those relevant data protection laws and to assess whether or not the company needs to take any action to improve its approach to data protection.
This article considers one of these next steps, namely, the need for a company to have properly drafted and comprehensive data protection policies, both inward-facing (instructing employees on how data is to be handled) and outward-facing (notifying its customers about its data protection practices).
This article also considers the requirement, under UK law, for companies subject to UK law to enter into contractual arrangements with their own various international entities to govern their internal treatment of data and asserting the extraterritorial nature of the UK data protection legislation. (For the purposes of this article, the requirements of UK law shall be used as a baseline. Other jurisdictions may have different requirements.) Once policies are in place, the company and its data protection officer must consider the company’s internal processes and how to maximise the chances of its policies working.
This article also considers how staff awareness of, and compliance with, data protection law can be achieved — a topic which is particularly relevant in Singapore, given its impending introduction of a new data protection law in an arena that has never known formal legislation in this area and therefore suffers from an endemic apathy towards privacy protection (see analysis by the author at WDPR, April 2012, page 10).
External Policies — Enabling and Facilitating Your Business
There is always the threat that policies simply add a level of bureaucracy and complication without any tangible benefit. The clear antidote to this is ensuring that policies are carefully constructed, practical and adequate rather than unnecessarily onerous. A well-crafted data protection policy should enable a company’s commercial endeavours, rather than hamper them. Through this policy, the company should be able to continue its collection and use of personal data in the way its business needs require, both now and in the future, but within the requirements of the law, by clarifying clearly and comprehensively to its data subjects how and why their data is collected and how it is treated once it has been collected.
The company must ensure that the policy is visible at each point of data collection or entry, so that each data subject can reasonably be assumed to have seen it and have had access to it. If the data is classified as “sensitive personal data” and is to be transferred out of the jurisdiction to a country with a lesser standard of data protection or is to be used by third parties, for example, it is preferable, and in some cases required, that the data subject must positively indicate his or her acceptance of the terms of the policy. In any event, all references to the policy must be clear and unambiguous and the link to the policy must in no way be concealed. The policy should be up to date and reflect data flows and uses that are current. It should be monitored for relevance and compliance with laws.
The policy itself must detail each use intended to be made of the data. If the data is to be sold, then the recipient must be identified, either specifically or in general terms, but with information given as to the type of organisation and the reason for the disclosure. If the data is to be used for direct marketing, then this must be identified in the policy and full details must be given, and express consent must be obtained.
Where the data is to be transferred overseas, then that should be made clear, and if the transfer involves a country that has a less robust standard of data protection, then details should be given of the steps the company is taking to ensure protection exists around the data. This should be unambiguous. The company may have to enter into separate contractual arrangements with the extraterritorial data controller in order to ensure that the data is treated in a particular way.
The data subject’s rights in respect of the data must be clearly set out. This would include the right to access the data or have it amended or indeed deleted.
If the company processes data automatically in order to make decisions regarding the data subject, then this should also be disclosed, and the data subject would be entitled to require the company to undertake a non-automated review of the data should the data subject disagree with the decision reached.
The company would be within its rights to state that a lack of consent to the policy by the data subject would mean that the data subject is unable to benefit from the company’s services, and indeed it is likely that the company would be prohibited from handling the data subject’s personal data without such consent.
The hardest task, perhaps, in drafting these client-facing policies is ensuring that their scope is comprehensive. They must identify and include all means and purposes of the collection of data. Every use and transfer of the data should be clearly stated. This must not be a wish list, but rather a lucid reflection of existing circumstances.
Having said that, it is also important that the company does not unduly fetter itself by presenting an overly prescribed policy that does not allow for the evolution of the business. Technological advances have taken the world far beyond the geographic borders that previously restricted the movement of information. First there was the telex, then the fax and now companies enjoy the ability to transfer enormous amounts of information simply by pressing “send” or, more systemically, by a pre-arranged system of back-ups that store data in servers held elsewhere.
Procedural, and economically motivated, changes in the way companies conduct their affairs have also impacted enormously. The rise in popularity of outsourcing as a business model has led to the wholesale transfer of databases beyond the “home” jurisdiction of a company. India became a particular, and well documented, success story in benefitting from the outsourcing phenomenon, but the country’s lack of data protection law risked collapsing the industry. Such was the importance of this that India now benefits from a formal data protection regime (see analysis at WDPR, May 2011, page 11).
As new technologies (consider the current favourite, the cloud) alter the way that we handle data, and as data protection laws change, companies must remain nimble in their ability to reassess their data flows and to accurately reflect these in their policies. While a certain amount of “wriggle room” can be built in, perhaps by using broad terms of reference, such as “Your data may be transferred out of the jurisdiction”, without actually specifying to which country, this will not replace the need to ensure that a company’s policy is an accurate reflection of what the company’s data protection procedures actually are, rather than a catch-all of what they may be one day.
For practical reasons alone, there should be provision made for future uses and collection of data, but these should be realistically anticipated rather than a catch-all.
The information presented by the policy must be transparent, so that no data subject can claim that he or she was not informed. In addition, as the policy is updated to keep it current, such changes must be flagged on the website, or highlighted in some other relevant manner, so that all data subjects are kept informed.
The external, data subject-facing policies are key, and a required element of compliance, but the reality is that they are nothing if not backed up by internal policies and systems that ensure the assurances offered by, and statements made in, the policy are adhered to by the company, its employees and relevant third parties.
Internal Policies — A Starting Block
Internal data protection policies can be viewed as two separate areas. First are those policies that are designed to protect the company’s external data subjects (only by reiterating internally the assurances made in the company’s external data protection policies can the policy be complied with and the assurances given within it be honoured), and I shall refer to this as the “internal data subject policy”. Second are the data protection policies that are designed to protect the data belonging and relating to the company’s own staff and held by the company. I shall refer to this as the “internal employee policy”. These are often required by law, and their content should be fairly straightforward.
Although the content will be broadly similar and much of the same wording can be used for both, for reasons of practicality and clarity, these two areas should be addressed separately. Keeping these two policies separate will facilitate the updating of the internal data subject policy. This document will need to be reviewed and changed periodically to reflect the company’s procedures and activities and to reflect changes that are made to the external policy. The internal employee policy should be a more stable document that is less likely to require updating.
The internal data subject policy should set out clearly and unequivocally those explanations of data use, collection and transfer that were set out in the external data protection policy. All the undertakings and statements made in that policy should be reiterated here, but in terms that clearly define the obligations and limits to which employees are subject in relation to their use and transfer and collection of data. Internal compliance cannot be achieved if there is no clarity regarding what employees can and cannot do.
Alongside this, and to add weight to the policy, the penalties to which the company and individuals will be subject, both by law and by the internal disciplinary proceedings of the company itself, should also be set out so that there is no doubt as to the importance of adherence to this policy.
The UK Information Commissioner’s Office allows for various mechanisms to try to facilitate data transfers between countries where the data controller is a multinational company. In this instance, whichever mechanism has been adopted, whether Binding Corporate Rules (BCRs) or Model Contracts, its consequences and obligations should be made known to employees of the company. This allows not only for profile raising for data protection issues, but is also essential in ensuring the company’s compliance with the BCRs. The system of BCRs allows a company to transfer data internationally to its affiliates outside the European Economic Area. This authorisation is given by data protection authorities on the basis of assurances that certain safeguards will be adhered to. In order to ensure adherence, not only does the company’s data protection officer have to undertake close monitoring (as well as carry out officially required audits), but also the company’s own employees must be made aware of the obligations to which they are subject.
The confidence with which a company can proclaim data protection compliance to the outside world is determined by the robustness of its own internal policies and procedures, the dedication with which it polices those policies and procedures and the commitment shown by its own employees to comply with them.
The internal employee policy, by contrast, is not a statement to the outside world but rather a statement to the employees of the company. These policies are straightforward and generally not contentious, but this does not mean that they can be overlooked. The policy must communicate all the statutorily required data to employees: What data of theirs is held, for how long and for what purposes it is retained, what is and is not done with it, and whether or where it is transferred externally. The points made above concerning model contracts and BCRs approved by regulators apply equally here, as a multinational may transfer its data out of the jurisdiction to affiliates. Data subjects are generally permitted access to their data and should be entitled to either have it amended if they feel it is incorrect or at the least to have their objections noted. This should be clearly communicated in the policy.
Of course, this internal policy is designed to communicate not only rights to employees but also obligations that those employees have in respect of personal data they have access to. The restrictions on use, the obligations to store and protect data — all these will be stated in this policy. Information technology security arrangements in place should be stated, and IT departments will be expected to ensure compliance with these statements.
This policy will also govern individuals who never join the company (but apply, for example) and those who have left the company and in relation to whom the company still holds personal data. The latter grouping can be expected to be aware of the terms of the policy, but thought should be given to how and whether they can be kept up to date with relevant changes made to the policy over time. The former group will need to be informed of the relevant parts of the policy. The company’s data protection officer will then need to take a view as to how long the data relating to those individuals can lawfully be retained before its destruction becomes required by law — which is generally when it is no longer required for the purposes for which it was initially collected. The policy should give some sort of timeline for this and detail how destruction of the data will be achieved.
And So ...
Policy drafting has almost as bad a reputation as data protection itself. Laborious, tedious, and irrelevant may be words used in some quarters to describe data protection policies, but in reality these are inaccurate. An effective, comprehensive and robust data protection policy can enable a company to hold itself up as espousing a gold standard approach to data protection. Compliance with that policy adds yet more credibility.
In a world where technology melts borders, where mass information transfers can happen in the blink of an eye and where identity theft, hacking, wire tapping, spamming and otherwise playing fast and loose with personal data are becoming endemic, data matters, and its protection matters even more.
To ensure that this valuable information, with which a company is entrusted and which is vital to its ability to conduct its business, is properly dealt with, companies must adopt a vigorous approach that includes audit, policies, training and enforcement, and constant vigilance.
Vivianne Jabbour is a Data Protection Consultant based in Singapore. She may be contacted at vivianne.jabbour@gmail.com.