Notes on Presentations on Legal Protection and GDPR by Charmaine Hast, Partner and Head of the Family Department and James Castro-Edwards, Partner and Head of Data Protection respectively at Wedlake Bell (WB) LLP on 16 October, 2017 at the offices of Wedlake Bell.
Ms Sharon Constançon, Chairman of the South African Chamber of Commerce (SACC) opened proceedings and, after welcoming the audience, introduced the speakers.
Protect Your Business/Protect Yourself
Charmaine addressed a number of issues around contract law, explaining that her role was much concerned with the private aspects of wealth preservation. The WB Private Client Group provides a range of services concerned with family, taxation and cross border issues. Her ‘taster menu’ for the evening focused on the following areas, which are specialist areas for the Family Department at Wedlake Bell:
- Private Client;
- Family Law; and
- Residential Conveyancing
Charmaine referred to South African, as well as to UK law/issues and noted the importance of:
- Structuring one’s affairs in the best ways to enable non-UK firms to capitalise on reliefs and tax advantages for employees working in the UK;
- Understanding the processes for the right to work or remain in the UK, and within this, the different circumstances that may apply in relation to personal taxation for returners to UK and those who do not own a home in the UK;
- Timings, in relation to sales of assets to provide a gain; tax breaks in relation to assets held in different countries – the point being to plan well ahead and dispose of assets where necessary to reduce the tax burden in the country of origin;
- Offshore trusts in relation to movement between two countries and the potential of trustees to expose a company to UK tax – there is a need to start in UK with a clean capital account;
- Ensuring that Wills are written to ensure that overseas assets are protected. If assets are within South Africa, for example, they are dealt with in that country.
Charmaine also informed the audience about immigration and the various strands of eligibility that exist , ranging from ancestral visas to immigrant workers, whose company has a subsidiary in the UK, and sponsorships. Different levels of access exist, although the right to remain stands generally at five years.
Charmaine gave us insights into pre-nuptial agreements, the standing of common law partnerships and the precept of ‘fairness’ in judgements, citing examples of where judgements made through a court order in South Africa could be overruled in the UK.
Charmaine’s note are given in the Appendix to this report. She was thanked for a very enlightening and informative presentation.
James presented a number of slides to bring the audience up to date on this important issue that will have wide ranging impacts for us all.
- The current situation – data protection
The European Data Protection Directive (95/46/EC) applies in EU Member States
- Requires implementing legislation, e.g. The Data Protection Act 1998 (DPA) Implements its provisions into law in England & Wales
- Applies to ‘data controllers’ established or using equipment located in an EU Member State
- Pan-European: equivalent legislation in each of the 28 EU Member States
- Enforced in the UK by the Information Commissioner’s Office (ICO), who may issue fines of up to £500,000 for breaches (higher for Financial Services); and criminal offence under s.55 DPA . Fines may be greater for FCA regulated entities – e.g. in 2009 HSBC Life, HSBC Actuaries and HSBC Insurance Brokers fined a total of £3.2m for data breaches, but subject to higher fines as they were regulated by the FSA (now FCA).
- DPA s.55 – Unlawfully obtaining personal data – a person must not knowingly or recklessly, without the consent of the data controller
- (a) obtain or disclose personal data or the information contained in personal data, or
- (b) procure the disclosure top another person.
There are some variations across EU member states at present.
- Key concepts
- ‘personal data’: data by which a living individual may be identified – includes Identifiers such as name, address, email address, telephone number; HR file, appraisal record, CCTV footage; entry/exit records; Statements of opinion; browser history; Facebook / LinkedIn profile; IP address, voicemail recording, travel receipts.
- ‘processing’: defined very broadly – the obtaining, recording or holding, or carrying out any operation or set of operations and includes: organisation, adaption, or alteration; retrieval, consultation or use; disclosure, transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction.
- ‘data controller’: the legal person that decides the purposes for which and the manner in which data are processed. All organisations are likely to be ‘data controllers’ in relation to their own employee and customer data.
NOTE: Data controllers: (1) Must conduct appropriate due diligence; (2) are liable for data processors’ breaches; and (3) Must appoint processors by way of a written contract. Processing arrangements frequently involve data transfers outside the EEA – ‘Safe Harbour’ is no longer valid and transfer out of the EEA is not permissible.
- ‘data processor’: processes personal data on behalf of the data controller. Data processors – process personal data, but don’t take decisions – e.g. hosted software (SAAS – PeopleSoft / Workday / Taleo / Concur); data storage providers; outsourced payroll; data destruction (including hardware). Data processors are not legally accountable.
- ‘data subjects’: individuals to whom personal data relate – – includes employees, contractors, consultants, job applicants, enquirers and ex-employees. Also customers (B2C) consumers, clients (B2B) contacts / procurement, enquirers, suppliers.
- ‘notification’: filing with the ICO describing a data controller’s activities. It was noted that the ICO’s role will be under consideration with the advent of GDRP. At present, all companies need to register with the ICO (information commissioner’s office). It was noted that the ICO will conduct sector assessments, as well as following up individual breaches, where complaints are regularly occurring. Its reviews include comprehensive inspections of data records.
Data Subjects – ‘Sensitive Personal Data’ – a subset of personal data that includes information about an individual, ie
- Race, ethnicity, physical or mental health, trade union membership, criminal records and religious beliefs.
- This data requires a higher standard of care – usually the data subject’s consent. Failure or breach of the standard of care can result in an aggravating factor in event of a breach and a greater risk of higher fines.
There must be statements of intent in relation to the capture of, the recording and holding of, and the using of individual data (this does not apply to the deceased). The nature of the data capture can be as broad as CCTV, turnstile cameras, social media, medical records, etc. This does not include financial data.
The law includes losing and manipulating data and is applicable to all – individuals and organisations – including government. Up until 2011, fines were relatively low with a maximum of £5,000. Since then, fines of up to £500,000 can be levied for misuse, loss, etc. An example of the recent attack on NHS computer systems was discussed – was this preventable? Could the appropriate software patches have prevented a malware attack? The loss of >1,000 records constitutes a serious breach.
The issue of having appropriate insurance cover was raised – could it cover the cost of a fine? It was noted that there is an emerging market for insurance, but only a broker can give information on the range of cover.
- Principles – DPA and GDPR
- Fair and lawful processing ‘lawfulness, fairness and transparency’
- Specified and lawful purpose ‘purpose limitation’ (capture and use only what is necessary)
- Adequate, relevant and not excessive ‘data minimisation’
- Accurate and up to date ‘accuracy’
- Not held for longer than is necessary ‘storage limitation’
- Processed in accordance with data
subjects’ rights [Chapter III] *
- Held securely ‘integrity and confidentiality’
- Not transferred out of the EEA [Chapter V] *
The principle of holding data indefinitely was discussed. Organisations must have in place a policy that includes deletion schedules. Organisational security is key and steps need to be taken to apply stringent security, including encryption, passwords, etc. It follows that due diligence of individuals handling data is required, eg in hiring new or temporary staff. Data must be used only for its specified purpose.
A discussion ensued in relation to how certain organisations market through the mediums of mobiles, laptops etc – and it was noted that the GDPR has been designed to tackle irregularities and annoyances.
- The GDPR came into force on 25th May 2016
- Its provisions will apply from 25th May 2018. It is a regulation, rather than a Directive and will be immediately enforceable.
We will almost certainly still be in the EU on 25 May 2018 when the GDPR comes into force. As such, the GDPR will take direct effect in the UK and we will have to adopt along with all other members of the EU.
The GDPR has an extraterritorial reach, which means that there is no requirement to have a physical presence in the EU, i.e., a branch, subsidiary or servers. Accordingly, any UK organisation that wants to sell goods or services to EU citizens will have to observe its provisions.
If and when the UK is no longer a member of the EU, it will be considered a ‘third country’ and in order for EU members to freely send data to the UK, we will need to prove that we provide ‘adequate protection’ to EU citizens’ personal data. This will require the EC to make an ‘adequacy ruling’.
- Main Changes
- Extended scope
- Accountability – The requirement to explain the ‘what, where, who, how’ etc pertaining to data captured, used and held.
- Consent – This must be freely and specifically given by data subjects – particularly in relation to marketing. Permission must be capable of withdrawal at any time. There needs to be a distinction between contracts and consent in relation to data usage.
- Mandatory data protection officers (DPOs) – This is a protected position to indicate when data protection rules cannot be breached, as the use of personal data will become a highly regulated activity.
- Privacy impact assessments (PIAs) – to ensure that risks are mitigated, eg, security within HR records.
- Breach Notification – Note: breaches apply to controllers and processors. Notifications must be made by companies to the authorities and to the persons affected.
- Enhanced individual rights – ‘The right to be forgotten’ – This enhances individual rights.
‘Non-compliance … shall … be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. ’
- For any organisation > €500M turnover, 4% > €20,000,000
- g. TalkTalk 2015 turnover = £1,795BN
- 4% = £71,800,000
- The magnitude of the fines was specifically introduced by the European Commission to escalate data protection to a corporate board-level topic. Penalties also include compulsory audit rights.
Compliance with the regulations is key – and will apply to the smallest entities, eg golf or sports clubs. Any action that puts an individual at risk is actionable – and this might include forwarding an e-mail from one person to another, unless its purpose is beneficial to the third party. Databases cannot be shared with other companies – unless there is a data sharing agreement. Data must be processed in accordance with a data subject’s rights and their understanding of the purpose for which it is captured. Under the current DPA, if the purpose is not specifically stated, there is more leeway for the ‘transgressor’. Affected individuals potentially have a right of action for misuse of private information, following Vidal-Hall v Google.
- Action to take
In terms of practical compliance – Organisations must establish:
- Who is responsible for data protection?: Board level sponsorship
- The data they hold:g. employees, customers, clients & suppliers
- Who they share it with: g. group companies, partners and service providers
- Who is a controller and who is a processor? Including sub-processor arrangements and overseas transfers
- Appropriate documentation: e. policies, privacy notices, contracts.
- In terms of undertaking business with South Africa, a data transfer solution is needed and South Africa needs to comply if it is dealing with companies within the EU. Where businesses are hosting IT systems, a data transfer agreement and due diligence is needed to assure all parties involved.
- Businesses acting as intermediaries cannot automatically provide data to other parties without consent – a contract and compliance with legal obligations are required. Data must be processed in accordance with GDPR. Intergroup transfer of data also is not permitted with certain countries – as contracts or agreements with data subjects are needed. The disclosure of personal data without permission will be a criminal offence.
- Affected individuals have a right of action for misuse of their personal information.
- Data may only be used for lawful purposes – eg, the use of CCTV is not permitted where malicious intent or encroaching on another’s privacy is the purpose of data capture.
James informed us that his book ‘EU General Data Protection Regulation’ is available from the Law Society.
James was thanked for an excellent and informative presentation.
Charmaine’s Detailed Notes
The rights of a South African who wants to move to the UK needs to fall under mainly one of the following heads:
- Commonwealth nationals with UK born grandparent
If there is a grandparent born in the UK (not just British) they can qualify for the right to live and work in the UK for a period of 5 years (any employer, any job) and at the end of that time apply for indefinite leave to remain.
- Representative of an Overseas Business
The transferee must be an employee and not a majority shareholder of the original business and the original business must remain headquartered and trading overseas. The transferee must be paid a salary. The initial permission is for 3 years extendable for a further 2 years.
- Tier 2 Sponsored Worker
This is the most popular route for workers. A trading UK company applies for a sponsor licence permitting it to sponsor overseas nationals.
- Tier 1 Investor
£2 million is required to invest in UK government bonds or UK active and trading companies (but not property development or management companies). The initial permission is given for just over 3 years and can be extended to 5. Accelerated routes for indefinite leave to remain are possible for higher levels of investment.
- Tier 1 Entrepreneur
£200,000 of their own money is needed or someone else’s money to be invested in joining, taking over or establishing the UK business. At least 2 new full time roles for UK resident workers is needed. Initial permission is for just over 3 years.
To marry someone with a British passport.
- Statutory Residence Test
It is important to work out when you become a UK resident and the year can be split if you do not have a home in the UK.
- Assets standing at a gain
Selling any assets standing at a gain before arriving or returning may assist. The exception is UK residential property if sold while you are a non-resident only the gain from the 6 April, 2015 will be subject to tax in the UK.
- Offshore Trusts
These should be reviewed on arrival or return to the UK.
If your domicile or origin is not the UK you may be able to claim the remittance basis of taxation when you are in the UK.
Domicile of origin is not always straight forward and is inherited from your father at birth and not necessarily the country you or your father originate from nor where you were born or have lived.
If you are not domiciled in the UK it is also possible to shelter foreign assets from UK inheritance tax.
- Trusteeships and company positions
If you are trustee of any offshore trusts or manage any foreign companies you should review your involvement. By carrying out duties in the UK you may inadvertently expose the trust or the company to UK taxes.
Returning to the UK may alter the jurisdiction with governs the succession of your estate on your death.
You need to ensure that you have a separate Will for South African assets failing which if it is a universal Will your South African executors may be forced to return all your assets to South Africa.
South African ANC’s are not necessarily binding in English Law. They may be credited with little or no weight. Pre-nuptial agreements are accepted in the court of England and Wales and are now often given persuasive weight in the redistribution of assets.
SA: One attorney advises both parties, can be signed a few minutes before the ceremony, governed by statute, full disclosure of assets not necessary.
England and Wales (EW): Both parties need independent legal advice, at least 28 days before the ceremony it needs to be signed, governed by judicial decision, full disclosure of assets necessary.
- Common Law Wife
No such thing in English or South African Law.
- Inheritance Act Claims
Despite what is said in the Will, if the girlfriend is supported by the deceased during his lifetime she will have a claim.
Maintenance of Surviving Spouse Act, permits a claim against an estate if you are married and disinherited.
- Part III
This procedure permits in certain circumstances foreign including South African court orders to be torn up and for the English court to start the case de novo. This is relevant in respect of both judgments and negotiated settlements.