Pick and Choose: Data Protection - Annual Review 2015

United KingdomBelgiumFranceGermanySingapore

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

This article is an extract from our Annual Review 2015.

Data protection is causing sleepless nights for corporate boards. How can organisations mitigate the risks of collecting vast amounts of personal information?

By Ross McKean and Andreas Splittgerber

Having succumbed in 2013 to one of the largest data breaches in history, US retailer Target has seen a 46% drop in profits and the resignations of both its CEO and CIO. A reminder, if one were needed, of the damage that can be caused by data transgressions - even before contemplating class actions and regulatory liability.

The regulatory environment itself is toughening up. Under proposals for the EU General Data Protection Regulation, fines of up to 5% of annual global turnover could be imposed on non-compliant companies.

Companies' concerns have led to increased interest in data audits and risk assessment, ranging from full analysis of all data and procedures to mitigate legal risk, to audits of products and services that process data or data analytics - in particular, technology that monitors the behaviour of customers in order to tailor products or of employees to predict future insider threats.

Concerns over data usage have grown in line with the volume of data that is collected by companies, and the lack of understanding of how to exploit it thereafter. The problems come from not having the right analysis software in use and not having a handle on who has access to data and how secure it is, along with companies' temptation to use that data in inappropriate ways.

So how can organisations mitigate the risks without missing out on the opportunities?

Privacy by design

One solution is anonymisation or, if possible, pseudonymisation. Steering clear of collecting identifiable data minimises risk. It might not eliminate risk, because building a profile amounts to processing regulated personal data in some jurisdictions.

However, it will still help to smooth paths with customers and regulators if data has been gathered in a non-personal way, given that in the event of a breach the risk of harm to an individual is much lower.

Try to future-proof

It is hard to predict the future, but clever wording can help. Companies should try to find the right description of purpose for their data-processing activities: one that is specific enough to meet legal requirements but leaves room to manoeuvre in the future. Avoid, for example, stating that data collected will be used to send emails; saying 'electronic communication' allows greater leeway.

Don't add restrictions

A bad privacy policy is one that adds restrictions on a company for no purpose and doesn't add any transparency for the consumer. Avoid saying "we will ask for your consent before processing data for any other purpose" if it is not universally required.

A better policy tells consumers what a company will do with the data - not what it won't. More enlightened brands are using a layered approach. In addition to the general privacy policy, they will describe in a short passage how data will be used whenever specific fields are collected.

Use less data

When designing processes and launching new apps, companies should ask: "What is the minimum amount of data we need to achieve the desired result?" This makes sense from both a regulatory-compliance and financial point of view. Managing and housing large amounts of data is expensive, particularly in the event of having to comply with disclosure obligations in litigation. There needs to be a legitimate business reason for collecting the data. If it is not going to make money, don't bother.

Find out who is collecting what

The biggest internal challenge is understanding what data a business has. What is important for the business? What must be kept confidential? Who has access to it? Who is it shared with? Data scientists claim that there is no value in keeping data beyond six months. When conducting data analytics on a consumer, a statistically significant dataset can be built up within a quarter, with all the right consents.

There is a caveat: data must not be deleted before checking whether there is an overriding obligation for it to be stored - for example, for book-keeping requirements or tax returns, or if litigation is ongoing.

Click here to view an electronic copy of our Annual Review 2015.