Andrew Priest, Partner, Commercial & Technology, Birketts LLP
Q: We want to engage a company in India to help with our software development. As part of their work, they will access some personal data about our customers. Do we need to be worried about this?
A: Access by the Indian company to your customers’ personal data would be a restricted transfer under the UK GDPR. Before making any such transfer, you should consider whether the engagement with the Indian company can work without sending such personal data; for example, anonymising your customers’ personal data so that it is not possible to identify individuals. If so, the customer data would not be ‘personal data’ and the transfer would fall outside the scope of the UK GDPR.
If this is not possible, you would have to (i) put in place ‘appropriate safeguards’ and (ii) carry out a ‘transfer risk assessment’ (TRA) to determine whether, in the circumstances of the transfer and with your chosen safeguard in place, the protection of individuals under the UK data protection regime will be undermined.
There is a range of ‘appropriate safeguards’; however, you might want to consider entering into an International Data Transfer Agreement (IDTA) with the Indian company. The Information Commissioner’s Office (ICO) website has a template IDTA that you can use, and also a TRA tool which sets out one way to do a TRA. If, however, you are discussing more complex international data arrangements, you should seek legal advice to ensure compliance with the UK GDPR.
Q: We have recently received a request from a customer wanting to know what personal data we have about them on our systems. Do we have to reply?
A: Yes. This is a subject access request (SAR), and the UK GDPR imposes a legal responsibility on you as a data controller to respond to such requests. You will usually have to respond to the request, at the latest, within one month. If the request is complex, or if the customer has made a number of other requests relating to their individual rights, then you may extend the response time by a further two months. You must let the individual know within the one-month time limit and explain why you plan to extend the response time. In most circumstances, you are not allowed to charge a fee to comply with the SAR.
Q: We believe that someone has recently gained unauthorised access to our IT systems and has downloaded details of our customers and employees. What should we do?
A: You need to quickly establish whether a personal data breach has occurred and, if it has, take steps to address it. This may include reporting details of the breach to the ICO within 72 hours of becoming aware of the breach. The ICO has a self-assessment tool to help determine if the breach needs to be reported to them. Even if you are not required to notify the ICO, you must keep an internal record of all personal data breaches.
Additionally, you may need to communicate the data breach to the individuals concerned where the breach is likely to result in a ‘high risk’ to their rights and freedoms. A breach involving special categories of data, such as health or medical data, or information relating to a person’s race, religion or belief, or sexual orientation, will be presumed to be high risk. However, there will be scenarios where disclosure of non-special categories of data will still represent a high risk. An assessment needs to be made on a case-by-case basis, and seeking legal advice early on where appropriate may assist with this assessment.
You should have in place an incident response plan (as recommended by the ICO), and that plan should be followed. You may receive a fine from the ICO if a serious data breach occurs and you do not have a plan in place. Having a plan in place will also help to mitigate damage to your reputation as a business.