The ICO's draft data sharing code - M&A and ethical considerations
Taking a risk-based approach to enforcement
18 July 2019
On 16 July 2019, the UK Information Commissioner's Office (ICO) issued its draft code of practice for data sharing. The code of practice, when finalised, will form statutory guidance that the ICO will be bound to consider when seeking to enforce the GDPR and UK data protection law.
The consultation follows the ICO's proposals to issue unprecedented fines under the EU General Data Protection Regulation (GDPR) of more than GBP 280 million for alleged cyber and data protection failings of two global businesses.
Against this backdrop, it is now more important than ever to consult ICO publications to understand the regulator's priorities and expectations. The draft code of practice covers many of the data protection areas organisations should consider when sharing data, such as transparency, data protection impact assessments and ensuring that the processing is lawful. This article focuses on two specific areas: (i) M&A; and (ii) data ethics.
What should organisations think about in a deal context?
The ICO's draft code provides practical guidance on areas that organisations involved in data sharing should consider to comply with the GDPR and other relevant data protection rules. Key points:
- Importance of diligence: ensure data sharing is part of due diligence / transaction scoping (not an afterthought)
- Plan and scope: the approach to data sharing should be planned (e.g. limit data shared in the first stages of a bid process, unless necessary)
- Document data sharing: contractual / policy protections should be in place, but this should be proportionate to the risks posed to data (higher risk necessitates stronger safeguards)
- Seek technical advice: particularly where different systems are involved. Post-signing / completion system integration can pose security risks that could result in the loss, corruption or degradation of the data unless carefully managed
- Transparency: consider who needs to provide notices to individuals about what is happening – e.g. under GDPR, individuals need to be informed about certain changes to how their data is processed. They may have the right to object
- Data integrity: the ICO confirm that organisations are responsible for the data they receive, and they will have to respond to any complaints about it. This concept is not new; however, it adds weight to provisions in agreements where parties agree they are each "separate controllers" of personal data they process (and therefore also responsible for dealing with issues relating to that data)
- Post-signing/completion audit: managing data immediately post-completion will be challenging, especially where different databases are used (or the businesses are seeking to integrate different systems)
The ICO's draft guidance confirms that governance and accountability remain important throughout the lifecycle of a transaction. The parties should at a minimum: (i) arrange to check the data is accurate; (ii) document everything that is done with the data; (iii) ensure appropriate security is in place.
Do you need to do anything if you just receive data?
Yes. The ICO has confirmed that the same considerations outlined above apply to the recipient of the data as well as to the party sharing it.
- It will not be enough to simply request contractual provisions and do nothing further. Prior to sharing, organisations should form a view on whether the party they want to share the data with has the proper technical and organisational controls in place to handle this data safely.
- Recipients sometimes request robust contractual confirmations and controls around data provenance and handling (e.g. through warranties). The extent of confirmations required will depend on the likely risks. Proper due diligence to test any disclosures against these confirmations should help build a defensible position (i.e. if the data sharing arrangement is challenged).
The wider usefulness of these provisions will be to provoke discussions with the parties who will form part of the data sharing ecosystem. Document the outcome of these discussions, even if the outcome is not written into a contract. The level of diligence should be proportionate to the risks posed (sometimes no personal data will be involved, so the GDPR is not relevant - but considered questions need to be asked to arrive at this view).
Are there ethical considerations?
Yes. Fairness, transparency and accountability are core European data and consumer protection concepts, which increasingly pervade international regulatory sentiment.
- The ICO's view in the draft code is that ethical principles form part of proportionality and fairness considerations, and that these principles are complementary to data protection concepts.
- In a typical transaction, there are unlikely to be significant ethical questions regarding the sharing of personal data between organisations for the purposes of a deal (there may be no personal data at all, or the information is anonymised). However, the ICO's request is that organisations consider ethics alongside the legal and technical requirements of data sharing.
More complex transactions or joint ventures could create a data sharing ecosystem that is completely invisible to the individuals concerned. The ICO says issues should be considered from an ethical stance, suggesting businesses should ask whether the sharing is: (i) properly justified; (ii) the action of a "responsible organisation"; and (iii) subject to clear and strong safeguards.
Is this guidance binding?
It will carry statutory weight. The ICO publishes codes of practice under the UK law implementing the GDPR (the Data Protection Act 2018) and has a statutory duty to take the provisions of the code into account when enforcing the GDPR and that Act. The code is guidance rather than law in its own right, but departing from it will need to be justified.
Interestingly, once published this guidance will give ethical considerations a statutory footing in the UK, because the ICO will be able to cite the code as informing its enforcement decisions. The risk profile in this area will be elevated significantly if deal teams do not build these considerations into their data sharing arrangements. Discussions about the ethical use of data and AI, where they are already in progress, should therefore be extended to those working in a transactional or supply chain context.
The UK appears to be taking an increasingly aggressive approach to privacy regulation. However, what we are seeing is nothing more than the ICO enforcing rules and guidance that are available for all to understand and implement.
Helpfully, the draft code includes confirmations from the ICO that they will take a risk-based approach to enforcement, as their aim is to create an environment which protects individuals whilst ensuring that business is able to operate and innovate efficiently.
Business investment in data sharing arrangements should be commensurate with the risks posed to the shared data. But take note of the guidance in the draft code, and contribute to the consultation where clarifications would be useful: the code will be used in assessing enforcement actions, so reading it now is the best way to anticipate them.