18 June, 2018
After what feels like an age of the GDPR looming on the horizon, the new data protection regime has finally been implemented into law. There is no grace period, so those who handle data must be ready to hit the ground running. But what impact will the GDPR have on claims and on those who process data for the purposes of defending claims or detecting fraudulent claims?
Under the GDPR, the definition of personal data has been extended and now includes any information relating to an identified or identifiable natural person. This can include a person's name, online identifiers (e.g. an IP address) and location data. Similarly, the definition of sensitive personal data has been broadened to include genetic and biometric data, and the rules on information about criminal convictions have been tightened.
The grounds for processing data are broadly the same as under the previous Data Protection Act, but the grounds for consent are stricter. The form and the method by which consent can be obtained are more onerous than before. When processing personal data, data processors must continue to comply with all six data protection principles and must also satisfy at least one processing condition. For the purposes of litigation, disclosure will need to be carefully reviewed, and data controllers and their legal representatives will need to consider whether to obtain additional consent before seeking to review or disclose documents containing personal data. The exemption allowing data to be processed for "Necessary and incidental processing" will be crucial here.
If a party to litigation is based outside the jurisdiction, it will also be necessary to consider the lawful grounds for the cross-border transfer of personal data.
When transferring disclosure from client to lawyer or lawyer to opponent, pursuant to Article 32 of the GDPR there may be a requirement to encrypt documents to provide additional protection.
One of the biggest concerns is the possible impact of the GDPR on detecting fraud. Pre-GDPR, parties would share and exchange information under the remit of s.29 requests, which provided an exemption to data processing rules for the purposes of the prevention or detection of crime, or the apprehension or prosecution of offenders. The Data Protection Act 2018 will take a much narrower approach, allowing "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security" by "competent authorities". This includes a defined list of public prosecuting and law enforcement bodies only.
There is another concern troubling those involved in counter fraud: the GDPR includes the right to be forgotten. A person has the right to request that their personal data be erased without undue delay when it is no longer required for its original purpose or when compelled by law. However, this is not an absolute right and there are legal exceptions and limitations.
So despite all the scaremongering, the reality is that whilst there will be an increased focus on data protection, on a practical level claims (including those where fraud is suspected) can still be processed as before.