International transfers: what will be the effect of a no deal Brexit?

Published by Alisha McKerron on 22 August 2019

With a no deal Brexit looking like a genuine possibility on the 31st of October, it’s worth considering afresh its implications for cross-border data flows, from the point of view of EEA organisations (which will continue to be subject to the General Data Protection Regulation (GDPR)) and UK organisations (which shall become subject to a UK version of GDPR). The good news is that the UK government has done what it can to ease the process.

Personal data flowing into the UK from the EEA

For transfers of data into the UK, a no deal Brexit will mean that EEA organisations have to legitimise the flow of personal data into the UK. This is because the UK’s status will change (under GDPR) to that of a third country and, rather importantly, cross-border transfers to third countries are prohibited without a lawful data transfer mechanism! In other words, the UK would become like any other non-EU country with respect to data transfers: any EEA organisation would need a lawful data transfer mechanism (under art. 44, GDPR) to continue to transfer personal data.

UK organisations receiving personal data from EU organisations will therefore have to request such EU organisations to use a suitable cross border transfer mechanism.

If the UK is recognised as an “adequate” country (under art. 45(1), GDPR), the status quo could continue without having to implement any other transfer mechanism. But achieving adequacy status requires satisfying the EU Commission that the UK has an equivalent level of protection to that of the EU. This may take some time to determine because, although the UK has adopted the GDPR into its domestic legislation, it has far-reaching government surveillance powers which may adversely affect data subjects’ privacy rights. Until this issue has been resolved, EEA organisations will have to look to other transfer mechanisms.

EU Commission approved standard contractual clauses may be a suitable choice, as they are widely used for transfers around the world and could easily be introduced into existing documentation. However, their validity is currently being questioned in a case before the European Court of Justice (Schrems II); a final decision should come out around the end of this year.

A regulatory approved set of rules (under art. 47, GDPR) binding a group of undertakings, or group of enterprises engaged in a joint economic activity, could be considered, but these require time and money to set up.

Needless to say, it will be up to EU organisations to decide which mechanism to use. The European Data Protection Board’s “Information note on data transfers under the GDPR in the event of no-deal Brexit” should help them make the correct decision. But what about data flows from the UK to the EU?

Personal data flowing out of the UK to the EEA

For transfers in the other direction, what was said above pretty much applies in reverse (albeit under the UK’s version of the GDPR, instead of the real thing). The status of EU member states (from the UK’s point of view) will change to that of ‘third countries’, and a data transfer mechanism will be required, in order to continue transferring personal data. However, cross-border transfers will be easier because the UK has made it clear it intends to permit data to flow from the UK to EEA member states. It has also committed transitionally to recognising EEA member states and Gibraltar as “adequate” and so data transfer can continue as it currently is.

Personal data flowing out of the UK to countries that are not EEA member states

Transfers to third countries which are not EEA member states will stay the same too; the UK government will mirror the status quo of GDPR in the EU by adopting the same approach as the EU. It will recognise the same list of countries as being “adequate”, recognise the standard contractual clauses approved by the European Commission and any binding corporate rules approved by supervisory authorities. Interestingly, the UK’s version of GDPR will have extraterritorial jurisdiction and apply to the EEA! This is all explained in the UK government guidance note entitled “Amendments to the UK data protection law in the event the UK leaves the EU without a deal”. So what steps should UK organisations take to protect themselves?

What you should do

UK organisations need to assist their EEA stakeholders/organisations in assessing their exposure to cross-border transfer to the UK. Both parties should consider the necessity of cross-border transfers. Perhaps data flows could be minimised or even temporarily stopped, pending a favourable UK adequacy decision. If their EEA stakeholders/organisations continue to transfer any personal data to them, they must use a suitable transfer mechanism under GDPR. Whilst the outcome of the Schrems II case is pending, standard contractual clauses should be avoided even though they are approved.

Organisations in the UK have somewhat less cause for concern, since the UK has committed transitionally to recognising EEA member states and Gibraltar as “adequate” and so data transfers to the EEA member states can continue as they are. However UK organisations should review their documentation (for example, what their privacy notices and data processing agreements say about international transfers, since EEA transfers will now fall into this category) and maintain organisational awareness of the issue.

Aside from cross-border transfers, they should also consider whether they have to appoint a representative in an EEA member state under article 27 of the GDPR, another side effect of becoming a third country. The same question needs to be considered by EEA member states in relation to the UK.

Cross Border Transfers: What should companies be doing pending the judgement of Schrems II?

Published by Alisha McKerron on 19 August 2019

International transfers

Under the General Data Protection Regulation (GDPR), we are not allowed to transfer personal data to countries outside the European Economic Area (EEA). If we do, we must use a lawful method of cross-border transfer (art. 44 GDPR), which is designed to ensure a level of protection equivalent to that in the EU.

This seems straightforward; it is merely a question of identifying what lawful methods of cross border transfers are available, and choosing the least onerous one. In reality, however, it is anything but, especially with Brexit looming and two important cases pending in the Court of Justice of the European Union (CJEU).

SCC and the EU-US Privacy Shield

Two popular methods of transfer are being challenged in the CJEU – namely, transfers on the basis of EU Commission approved standard contractual clauses (SCC) in Case C-311/18 (also known as Schrems II), and transfers on the basis of there being an adequate EU-US Privacy Shield, in Case C-511/18 La Quadrature du Net. (It’s worth noting that until either challenge is upheld, both methods continue to be valid.)

La Quadrature du Net has been postponed, pending the outcome of the Schrems II case. A decision in the Schrems II case is unlikely before the end of 2019 or early 2020, although a hearing of Schrems II took place on 9 July this year. Whilst we wait for a decision, we would be foolish to ignore the fact that a successful challenge will put businesses in a hugely difficult and worrying position.

If SCC and the EU-US Privacy Shield are no longer valid

For starters, SCC and the Shield are widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA. Alternative methods of transfer are not really suitable because they are either limited, expensive, take time to put in place, are not yet available or a combination of all of those things.

If either of these methods is struck down, there could be rather unpleasant consequences: the court could halt data flows outside the EU, third parties could claim compensation, and GDPR revenue-based fines and regulatory sanctions could follow. Companies would also have to pay the cost of remedying the problem as soon as a solution was found.

You may be wondering why we could be placed in this situation after using transfer methods which have, after all, been approved by the Commission. Shouldn’t data controllers or processors be held accountable only to the extent that they did not adhere to the SCC? Perhaps the CJEU will find that, even if transfers to the U.S. are problematic, organisations do not have to stop using SCC or the Shield; instead, data protection authorities would have to suspend problematic data flows and the Commission would be asked to revise the SCC and reconsider the Shield.

However this line of thinking ignores a central challenge that is being made in the Schrems II case – namely, the failure of the SCC to provide EU citizens with a meaningful redress to mass surveillance by US authorities.

This failure, according to DLA Piper, has given rise to the widely held expectation amongst privacy professionals that the CJEU will reach a finding invalidating the SCC (which would be consistent with its approach in the earlier Schrems I case). Worse still, once a decision has been made by the CJEU, it will take effect immediately and apply retroactively!

What you should do

Accordingly, it is vital that you plan for the worst – particularly given that any infringement of the GDPR has the potential to attract a fine of anything up to 4% of an organisation’s annual worldwide turnover or €20,000,000, whichever is higher (!).

You should assess your exposure to cross-border transfers of data (by finding out to whom, where and on what basis you are transferring personal data). You should draw up an action plan – for example, consider stopping some types of cross-border transfer, or investigate alternative methods of transfer. Perhaps you could use data centres inside the EEA. You should discuss contingency plans internally and with suppliers.

However, the principle of safety in numbers might well still apply; you will certainly not be the only one to be affected, should either the SCC or the Shield be struck down by the CJEU. There may be a period of leniency, since there are no readily available alternatives for large-scale cross border transfers of personal data to outside the EEA. In any case, contingency planning should help you assess the impact of the CJEU’s decision and enable you to hit the ground running.

Useful Article: UK – Liability Limits for GDPR in Commercial Contracts – the Law and Recent Trend

Published by Alisha McKerron on 5 March 2019

In her article (listed in the Menu of this blog) entitled GDPR is Coming: 7 Steps Processors Need to Take to be Compliant (12 December 2017), Alisha sets out the mandatory provisions (concerning data processors) which must be inserted in data processing agreements (art. 28 GDPR). The consequences of contractual breaches or non-compliance with GDPR are not discussed in any detail.

This important topic is discussed in DLA Piper’s article (7 February 2019) UK: Liability Limits for GDPR in Commercial Contracts – the Law and Recent Trends which looks at how to allocate the risk and liability when negotiating commercial contracts. It considers:

  • Obligations: the source of liability;
  • Types of liability;
  • Limits of liability.

It concludes that:

“Limiting financial liability under GDPR has been made much more complex than under the Data Protection Act 1998, both because the nature of the obligations placed on both parties has changed and because the consequences of breaches are much more serious. Parties looking to limit their exposure should be realistic and not assume that it will be either possible or desirable to simply pass liability to the other party under the contract in all circumstances; instead, they will need to take a more balanced approach to liability, based on the terms of GDPR and who has caused the loss in question to arise.”

Useful article: reaching the end of your GDPR journey – what should you be thinking about now?

Published by Alisha McKerron on 27 February 2019

In its article GDPR nine months on | What should you be thinking about now?, Osborne Clarke lists nine items to consider:

  • Updates to existing policies and procedures
  • New policies or procedures
  • Supplier relationships
  • Privacy Impact Assessments
  • GDPR training refresh
  • Data transfers and no-deal Brexit
  • Security breaches and ICO enforcement
  • Compliance strategy
  • One year audit

This is a useful continuation of A GDPR Journey: Where to Start and What to do Next (listed in the Menu of this blog), depending on where you are on your GDPR journey.

What Impact do Search Engines have on Individuals’ Reputation and does the “new” Right to be Forgotten Assist in any way?

Published by Alisha McKerron on 25 February 2019

Introduction

What would we do without modern day commercial search engines? For starters it would take us much longer and require much more effort to find answers to everyday questions. Search engines allow us to find the proverbial needle in a haystack.

At first glance this may seem like a good thing, but what if the search results produce links to incriminating information about us? What protection, if any, do private individuals have?

Google vs Spain

This question was considered in a landmark case of Google v. Spain (C‑131/12). The case involves an individual who requested the removal of a link to a digitized 1998 article in La Vanguardia newspaper about an auction for his foreclosed home, for a debt that he had subsequently paid. He asked the news organisation to remove the article and Google to remove any links to it. The Spanish Data Protection Agency said that the news organisation should be left alone but that Google should remove any links to the article.

On appeal, the European Court of Justice affirmed the judgment of the Spanish Data Protection Agency, i.e. it upheld press freedoms by rejecting a request to have the article concerning personal bankruptcy removed from the website of the news organisation. However, the Court ruled that European citizens have a right to request that commercial search firms, such as Google, that gather personal information for profit, should remove links to private information when asked, provided the information is no longer relevant. The Court found that the fundamental right to privacy is greater than the economic interest of the commercial firm and, in some circumstances, the public interest in access to information.

(It’s worth mentioning that in November 2018 Google held an 89.1% market share in the UK.)

Google subsequently set up an online removal-of-links-from-its-search-results form for customers to use. It has also published a useful guide entitled “Fix problems & request removals” on Google Search Help. The guide explains the few instances Google will remove content from Search which includes sensitive personal information, like your bank account number, or an image of your handwritten signature, or a nude or sexually explicit image or video of you that’s been shared without your consent. Interestingly the guide does not refer to data that is “inadequate, irrelevant or excessive in relation to the purposes of the processing” (para 92 Google v. Spain).

Right to erasure (“right to be forgotten”) (art. 17 GDPR)

Two years after the Google v. Spain judgment, the General Data Protection Regulation (GDPR) 2016 was published, which included a right to erasure (art. 17). This is also known as the right to be forgotten and has been described as “the right to silence on past events in life that are no longer occurring.” It is distinct from a private right (which involves information which is not publicly known) because it involves removing information that was publicly known at a certain time and not allowing third parties to access the information. Although referred to as a new right, it isn’t; it existed to some extent in EU law, and in the first data protection laws enforced in Europe.

Under GDPR, we have the right to have our personal data erased in six circumstances:

  • if the organisation no longer needs our data;
  • we initially consented to the use of our data, but have now withdrawn our consent;
  • we have objected to the use of our data, and our interests outweigh those of the organisation using it;
  • the organisation has collected or used our data unlawfully;
  • the organisation has a legal obligation to erase our data; or
  • the data was collected from us as a child for an online service.

Exemptions to the right to erasure (art. 17(3) GDPR)

Our right to erasure does not apply if processing is necessary for one of the following reasons (GDPR art.17(3)):

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific or historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.

Manni

In summary, our right to erasure is limited and is trumped by certain exemptions, freedom of expression and information (or the right of the public to have access to information) being one of them. This is demonstrated in the 2015 court ruling in the Manni case (C-398/15), which clarifies that an individual seeking to limit access to his or her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his or her company has ceased to exist.

Mr Manni requested his personal data to be erased from the Public Registry of Companies after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was removed from the Public Registry. The court concluded that Mr Manni did not have the right to obtain erasure from the Companies Register, but he did have a right to object.

Conclusion

Case law shows that the web and search engine results impact individuals’ reputations, and not always in a positive way. Privacy law does protect us.

The right to be forgotten under GDPR gives us the right to have our personal data erased but only in limited circumstances (listed above) and not if any of the exemptions (listed above) apply. One of these exemptions is freedom of expression. The effect of this is to exempt companies listed as “media” companies.

The Google v. Spain case gives us a right to request that commercial search firms, that gather personal information for profit, should remove links to private information when asked, provided the information is no longer relevant.

So, what practical steps should we take if searching our name on the internet brings back a link to information about us, and this is having a negative effect on our privacy?

Personal data

The first step we should take is to ask the publisher to remove the personal data from its website; that way it will no longer appear in search results. Should the publisher refuse to do so and we are satisfied that one of the six circumstances mentioned above applies, and none of the exemptions mentioned above apply, we should complete the Information Commissioner’s Office (ICO) online complaint form so that ICO can pursue the matter further on our behalf.

If we are not satisfied that one of the six circumstances mentioned above applies, we could ask the publisher to use the robots exclusion standard to inform web robots or crawlers not to process or scan the page with the personal data. This should stop links to the page appearing in the results of search engines whose crawlers honour the standard. However, the publisher may well reject this request on the basis that its freedom of speech trumps our right to privacy.

Search result links to personal data

If the publisher refuses to remove the personal data from its website, the next step we should take is to complete Google’s online removal-of-links-from-its-search-results form. Although the personal data will remain on the website, it will be less visible if links are removed. Should Google refuse to remove search result links, we should complete ICO’s online complaint form, but only if we are satisfied that the personal data is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed” and that our right to privacy is greater than the economic interest of Google and the public interest in access to information.

If we are unsuccessful on all of these fronts, it may be worth writing an article in rebuttal or an article which others may find useful. Although searching our name on the internet will continue to bring back a link to information about us which has a negative effect on our privacy, it will now bring back our positive article as well. The more meaningful articles we publish the better.


A GDPR Journey: Where To Start and What To Do Next

Published by Alisha McKerron on 11 February 2019

The European Union’s General Data Protection Regulation (GDPR) imposes many obligations on anyone who processes personal data, with substantial fines (art. 83) for any breaches. Although some of these obligations are not altogether new, they are much more extensive: having an extended material and territorial scope (art. 3), extending to data processors (art. 28) and giving data subjects enhanced rights (ch. III). The definition of personal data (art. 4) is much broader too. There is much more to worry about!

If you are non-compliant, what should you do, particularly if you do not have a budget to spend on making amends? Perhaps the starting point is for you to view privacy compliance as the end destination of an ongoing journey. Your focus should be on travelling in the right direction and being able to demonstrate this. This way, regulators are more likely to focus less on you, and more on those who don’t comply or won’t comply. So where should one start?

The most visible starting point, for most organisations, has been the publication of a privacy notice before GDPR came into force. Less visible is the appointment of a data protection officer (DPO) (art. 37), which is required under the new regulations if you carry out certain types of processing activities. DPOs can now report to one lead supervisory authority in cases of cross-border processing across multiple member states, which is a welcome change.

Privacy Notice

Preparing a privacy notice is a good place for you to start, for a variety of reasons. Firstly, the content of the privacy notice is regulated (art. 13), which means you will have to find answers to the following questions to prepare it correctly:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

To find the answers you will need to update existing data maps or prepare new ones. Data maps must reflect the current situation on an ongoing basis. You will need to show that you have at least one of the legal bases (art. 6) for processing. If you are relying on old consents, you will need to refresh them so that they fall into the new definition of consent (art. 4); if you are relying on legitimate interest, you should complete a legitimate interest assessment. Checking your legal bases will help you better understand how you are using personal data.

You will also need to find out if the personal data you are processing is shared with others and mention this in your notice. Under the new regulations you are obliged to have a data processing agreement with every data processor you use. (Revising existing data processing agreements and/or agreeing new ones is an item to put on your things-to-do-next list.)

The position regarding restricted transfers of personal data to non-EU countries has not changed that much: transfers continue to be restricted. There is, however, the thorny issue of Brexit looming. Have a look at the Information Commissioner’s Office guidance to help you decide if you will be affected.

If you are making international transfers of personal data, you must disclose this (art. 15(2)) and the permissible ground (ch. 5) you are relying on to do so. Grounds include: the European Commission made an “adequacy decision” about the country in which the receiver is based, or the restricted transfer is covered by appropriate safeguards (including binding corporate rules) or the restricted transfer is covered by an exception.

You must also disclose the use of cookies or similar technology under the GDPR and under the Privacy and Electronic Communications Regulations (PECR), and ensure that you have a legal basis under GDPR for any processing that ensues. (It is worth taking the time to understand the overlap between the PECR and GDPR, as it can be confusing.)

GDPR provides that you must not keep personal data for longer than you need it and must disclose how long you will store the information. If you do not already have a data retention policy with a document schedule you should prepare one.

You must notify your data subjects of their enhanced privacy rights and new privacy rights, and be prepared to respond if they choose to exercise their rights. New privacy rights include data portability (art. 20), the right to be forgotten (art. 17) and safeguards for data processing by automated means (art. 22). (Ensuring that you have updated your policies and procedures to help your staff respond to new rights, as well as the old enhanced rights (e.g., data subject access requests), in a correct and consistent way is another item to add to your list.)

Obligations with time constraints

After publishing your privacy notice, the next thing you should do is identify any privacy obligations (whether under the regulations or by agreement) with a time constraint attached. Reputational damage for non-compliance should not be underestimated.

One such obligation is the new duty to report personal data breaches (art. 33) to a supervisory authority and to affected individuals. An internal breach register must also be maintained. GDPR requires you to notify the supervisory authority without undue delay, and not later than 72 hours after becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of natural persons. If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must be informed too, without undue delay. Questions worth considering include:

  • Do you have something in place (e.g. an API or web forms to document paper incidents) that facilitates both identifying and reporting on personal data breaches?
  • Do you have a consistent approach (i.e. risk assessment) to determine whether an incident is subject to a notification obligation or are you possibly over-notifying?
  • Are you determining jurisdictions impacted and the number of individuals involved on a consistent basis?
  • Does it make sense to create a diverse team to triage and risk rank to ensure that incidents are being escalated appropriately?

Another obligation with a time constraint is the revised subject access request (art. 12 and 15). Now a request can be communicated over the phone (art. 15(3)) and associated costs can’t be claimed. You must respond without undue delay and at the latest within one month (as opposed to the old 40 days) of receipt. The same new time period applies to the right to rectification (art. 16). Again, it is worth checking that you have sufficient resources, policies and procedures in place to respond.

Conclusion

The most helpful way of tackling GDPR compliance is to view it as a journey to an end destination. Expect to discover compliance weaknesses on your journey and compile a things-to-do-next list to help propel you forward. To begin with it may feel like your end destination is getting further away rather than closer, but don’t let this bog you down. What’s important is that you continually move forward in the right direction, are transparent about how you collect and process personal data and are constantly striving to keep your customers’ personal data secure.

Where Should I Go to Find Answers to my Privacy Questions?

Published by Alisha McKerron on 30 January 2018


It has been eight months since the General Data Protection Regulation (GDPR) came into force. But it has been five years in the making. During this time a wealth of online resources have slowly been created in response to the GDPR and people’s queries about it.

However, reviewing all the information on the web takes time, especially if you don’t know where to look. You might, therefore, prefer to use a data specialist. But if you are the do-it-yourself type, or simply do not have the money to spend on a data specialist, I may be able to help. Below is a table of useful links I have used when researching privacy questions of my own. Since January heralds the anniversary of Data Protection Day (28 January), it seems like an opportune time to share this with you.

Topic and website:

  • EU Handbook: Handbook on European Data Protection Law
  • The Information Commissioner’s Office (ICO) Guide (ICO is the UK’s supervisory body set up to uphold information rights): ICO Privacy Guide
  • EU privacy legislation on EUR-Lex: GDPR 2016 (easy layout GDPR); Charter of Fundamental Rights of the European Union 2016; Directive on Privacy and Electronic Communications 2002; Convention for Human Rights 1950
  • UK legislation: Data Protection Act 2018; Privacy and Electronic Communications (EC Directive) Regulations 2003; The Human Rights Act 1998
  • Summaries of privacy case law: FRA Case-law Database; Companion for the GDPR professional
  • European Data Protection Board guidance (which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities): EDPB Guidance
  • National Cyber Security Centre guidance (the NCSC was set up to help protect our critical services from cyber-attacks, manage major incidents, and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations): NCSC Guidance
  • The Internet Advertising Bureau guidance in relation to digital advertising: IAB Guidance
  • Direct Marketing Association (UK) Ltd (DMA) guidance in relation to advertising: DMA Guides
  • Webinars worth watching: GDPR Legal Facts And a Call to Action; ICO Personal Data Breach Reporting; DPN – Cookies: GDPR & e-Privacy; DPN – Legitimate Interests; https://www.radarfirst.com/resources/webinars/
  • Newsfeeds / websites worth signing up to: Lexology, so that you can access articles like 5 Things You Should Know About Data Protection Impact Assessments under the GDPR or How Direct Marketing is Impacted by GDPR and PECR; Data Protection Network, which posts interesting articles; DMA, so that you can access articles like eprivacy-regulation-what-will-it-change?
  • Vlogs worth checking: Kemp IT LAW
  • Blogs worth checking: Giovanni Buttarelli’s blog; DLA Piper; Lexblog.com Eustaran
  • Association worth joining (although there is an annual membership fee): IAPP

Useful articles: GDPR and the relationship between clients, contractors/ temporary workers, recruiters and umbrella companies

Published by Alisha McKerron 19 November 2018

I found the two articles mentioned below interesting reads, because they each ask a similar question in relation to a specific situation. My article, When is a Data Processing Contract Required?, is more general. Also interesting are the practical implications of being a data processor, which I omitted to discuss in my article, GDPR is Coming: 7 Steps Processors Need to Take to be Compliant; I chose to highlight the regulatory position.

The first article, Is a Contractor a Processor Under GDPR?, written by John Thompson, asks exactly that question. Unable to find any official guidance, and having considered both sides of the argument, John concludes that contractors are data processors.

The second article, What May Compliance With The GDPR Require of Entities Who Use Temporary Workers From Recruitment Agency to Process Personal Data?, written by Emmanuel Lazarididis, supports the first. It looks more closely at the relationship between clients, recruitment agencies, umbrella companies and their workers, and concludes that an umbrella company is a data processor and as such should sign a data processing agreement.

What I Learnt at The November 2018 Executive Leader Network Privacy/GDPR Conference in Reading

Published by Alisha McKerron on 15 November 2018


My head was swirling with data privacy thoughts when I left the Executive Leader Network Conference in Reading last week. Not bad considering I had arrived with an impenetrable head cold, which showed no signs of easing as the afternoon progressed.

By mid-morning I had listened to three talks and a panel discussion, with another two talks squeezed in before lunch. By the end of the day my final tally was 9 talks and one panel debate. I certainly got my money’s worth, but would I remember all that I had learnt? Not without making some notes!

Below are the topics of each talk I attended and some information about the talks.

  1. What makes an ideal DPO?

I learnt from Christel Cao-Delebarre that data subjects are lodging more complaints than ever. Although a company may not be obliged to appoint a Data Protection Officer (“DPO”), companies should consider volunteering one. Why? Because a DPO is a key contributor to transformative corporate changes, a key partner for end-user satisfaction and a key representative of the company to EU and non-EU supervisory authorities.

I agree with this approach, although I wonder if it would be prudent to give the office the title of Privacy Manager in the voluntary instance. This would distinguish the office from a mandatory appointment, and allow for flexible compliance with the DPO provisions of the General Data Protection Regulation (“GDPR”).

When considering whether a DPO is mandatory, we should bear in mind that processing employee data or financial data is excluded from the test.

  2. The Ultimate Guide to New ePrivacy Regulations: Cookie Consent, DNT, and Online Tracking Technologies

Next up was Elliot Cranmer, to talk about upcoming changes to the Privacy and Electronic Communications Regulations (“PECR”), which regulate the use of cookies in the UK.

PECR is due to be replaced by a European Regulation (“ePR”), but no one knows exactly when this will happen. Although Parliament has agreed its version, the Council of Ministers has yet to agree theirs. It may be some time before the Commission, Parliament and the Council of Ministers are able to enter a trilogue debate to agree a final version.

PECR requires, for the use of cookies: i) the provision of clear and comprehensive information about any cookies being used; and ii) consent to store a cookie on the user’s or subscriber’s device. These requirements fall away for cookies that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking).

GDPR has necessitated a higher standard of disclosure and consent in relation to cookies. Data subjects are being made aware of cookies via banners. A common approach now is to categorise cookies and get consent for each category, while also allowing easy withdrawal of consent.
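The consent-per-category approach described above, as an added example that is not part of the original post or of any product mentioned in it: a small consent manager that only lets “essential” cookies (the PECR-exempt kind) through without consent, gates every other category on an opt-in, and deletes a category’s stored cookies the moment consent for it is withdrawn. The cookie names, category names and the in-memory cookie jar are assumptions constructed for the demonstration; in a browser the same class would be given a jar that wraps document.cookie.

```javascript
// Added example: consent-gated cookie handling by category.
// Everything below (cookie names, categories, the in-memory jar) is constructed
// for illustration and is not code from the original post.

// Classification of every cookie the site may set. Unknown names are refused
// (fail closed) so a new cookie cannot slip past the consent check.
const COOKIE_CATEGORIES = {
  session_id: 'essential',   // needed to deliver the service the user asked for
  csrf_token: 'essential',   // security of the session, also essential
  _ga: 'analytics',
  ad_id: 'marketing',
};

// In-memory cookie jar standing in for document.cookie (constructed for Node).
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    get: (name) => store.get(name),
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

class ConsentManager {
  constructor(jar, categories = COOKIE_CATEGORIES) {
    this.jar = jar;
    this.categories = categories;
    this.consented = new Set(); // categories the user has opted in to
  }

  categoryOf(name) {
    const cat = this.categories[name];
    if (!cat) throw new Error(`uncategorised cookie: ${name}`);
    return cat;
  }

  // Essential cookies need no consent; everything else needs an opt-in.
  isAllowed(name) {
    const cat = this.categoryOf(name);
    return cat === 'essential' || this.consented.has(cat);
  }

  // Returns true if the cookie was stored, false if consent blocked it.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  grant(category) { this.consented.add(category); }

  // Withdrawal must be as easy as consent: drop the category and delete every
  // cookie already stored under it, leaving essential cookies untouched.
  withdraw(category) {
    this.consented.delete(category);
    for (const name of this.jar.names()) {
      if (this.categories[name] === category) this.jar.remove(name);
    }
  }

  // Categories currently consented to, for display in a banner or settings page.
  granted() { return [...this.consented].sort(); }
}
```

The point of routing every cookie write through setCookie is that the consent decision is enforced in one place rather than in each script that wants to set a cookie; the throw on an uncategorised name makes an unclassified cookie a visible error rather than a silent compliance gap.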

The new ePR will apply to machine communications. It will extend the requirement of obtaining consent for storing cookies, to the processing of personal data used for tracking. It will address issues around ad-blocking and Wi-Fi location tracking. It will shift the focus from website cookie banners to users’ browser settings.

It will also tighten the rules on marketing, with the default position being that all marketing to individuals (whether a private individual (B2C) or an employee (B2B)) by phone, text or email must be opt-in. (At the moment direct marketing emails can be sent to employees working for corporates (B2B) or public authorities without consent, on an opt-out basis). In other words the new law will align B2B marketing with B2C.

The advertising industry is up in arms. If adverts are blocked because consent to tracking has been denied, it will strip European publishers of the right to monetize their content through advertising. The only other way publishers will be able to monetize content is to start charging consumers. Some publishers have begun doing this. Others have made their websites inaccessible to the EU.

The Interactive Advertising Bureau (“IAB”) is lobbying for an inclusion of a legitimate basis as a way round consent.

  3. Panel Discussion

GDPR is Here to Stay

According to the panel, one of the biggest mistakes companies are making is to underestimate the ongoing importance of GDPR. GDPR policies need to become part of businesses’ DNA.

ePR and Consent

At first, I found the comments the panel were making about consent contradictory: either it was needed for direct marketing, or it was not. Once I realised the importance of distinguishing between businesses and individuals, and which channel of marketing is being used (email/SMS, phone/fax or post), things became clearer. So that you don’t fall into this trap, the position is: consent is not required for marketing emails or texts to businesses (i.e. firstname.lastname@company.com), so long as there is a lawful basis together with an opt-out. (Apparently, it is good practice to keep a ‘do not email or text’ list of any companies that object.) Consent is required for marketing emails or texts to individuals, although there are some exceptions (see below).

If the ePR comes into effect, consent will be required for the processing of electronic personal data used for tracking. This requirement will have a catastrophic effect on the advertising industry because it relies on the processing of this type of personal data. The Direct Marketing Association (“DMA”) is lobbying hard to have an exception included.

Direct Marketing Emails

The DMA has had past success in lobbying for changes in draft laws. It managed to get an exception to the rule that individuals must have given their consent to receive direct marketing emails. If the individual is a previous customer and the marketing is in relation to a similar product, consent is not required, because there is a ‘soft opt-in’.

It is also important to distinguish between informative emails and advertising emails. I am not persuaded by the argument that no consent is required in the instance of an informative email which has a bit of advertising in it.

Legitimate Interest and Marketing

If e-privacy laws do not require consent, as is the case for direct marketing by post, legitimate interests may be relied on. This seems to have been lost in translation post-GDPR.

Data Subjects’ Right to be Informed

Data subjects have the right to be informed via a privacy notice whenever their personal data is being processed. This is still the case, if personal data is sourced from the public domain or if public personal data is aggregated with private personal data. This is especially relevant to recruitment agencies.

Data Processors and Data Controllers

The roles of data processors and data controllers are now more equivalent. It is important always to be considering the risks associated with processing personal data and the potential harm to data subjects.

Provenance of Personal Data

Companies must know the provenance of third-party personal data, i.e. where it comes from, how it was collected, the legal basis for collection, whether the data subjects have been correctly informed, etc. Consider whether the communication made at collection is sufficient further down the line. If data has been improperly collected, it may damage a company’s brand. Sellers of personal data need to be careful who they sell to; for example, Life Cycle Marketing (Mother and Baby) Limited was fined for selling personal data to a political party.

  4. Email Marketing in a Post-GDPR World

Jenna Tiffany took us back in time to when the first Nokia mobile phone came on the market. She pointed out how much has changed since then. She observed that the GDPR journey thus far has been an emotional one, beginning with denial and ending with acceptance, with everything in between.

What we should not lose sight of is the consumers’ desire to protect their personal data and the importance of building up a relationship of trust. Some companies have understood this better than others and have been more successful in rolling out their new GDPR policies. They have used this to differentiate themselves from their competitors.

We should view the changes in privacy law as a wonderful marketing opportunity to strengthen our relationship with our customers.

  5. Privacy, Compliance in a Fast-Changing Landscape

Ivana Bartoletti extolled the virtues of good governance with sound data protection policies, for example policies which will trigger Data Protection Impact Assessment (DPIA) analysis. The policies should set out how DPIAs should be done, by whom, and how frequently they should be reviewed. Ivana suggested preparing a matrix of criteria using WP248 as a source; only two criteria need to be met. Ivana discussed other tools, including data minimisation (do I really need this data?), threat analysis (what is the harm to the data subject?), privacy by design and default, and procedures in place for data breaches.

  6. Life after GDPR: Accountability, Transparency and What is Still to Come

Towards the end of the lunch break, Christine Andrew gave us 6 tips about life after GDPR.

  • Don’t Panic: Not everyone is GDPR compliant
  • Check Breach Management

The Information Commissioner’s Office (“ICO”) is only really concerned with systematic breaches rather than individual breaches. If ICO does not respond quickly, it is almost always good news. Complaints have increased, and so ICO has had to prioritise more severe breaches over less severe ones. What is important is that businesses are able to show that they have clear internal processes to pick up every breach, no matter how minor. Look at ICO’s webcast on How to Report Data Breaches.

  • Subject Access Requests

Subject access requests are nothing new and are best dealt with by engaging with the data subject to determine their motivation. Are they a vexatious employee, or do they no longer want to receive direct marketing?

  • Make sure you know where all personal data is processed
  • Audit third parties

Companies should ensure that third-party processors which are processing personal data on their behalf have been audited. Check that there is continual data mapping and that correct records of processing are being kept.

  • Rate yourself

Use ICO’s Guide to Audits to understand what evidence (existence of committees, minutes, risk register, PIAs, staff training, art 30 records, etc.) ICO will be looking for and what controls they would expect to see in place.

  7. Creating a Culture of Privacy Compliance

Ben Westwood spoke about creating a culture of privacy compliance within a business. The first thing a business needs to do is set about defining its mission; ICO’s mission statement is a useful precedent to look at. Next is getting everyone on board, from senior management right down to a single contact person. Seeking endorsement and support is crucial, and proactive engagement is necessary: DPOs should seek out an audience via privacy events, training, information lunches and competitions. Adopting an open-door policy and appointing brand ambassadors should help too. They must introduce methods of demonstrating compliance, for example how many subject access requests the business has dealt with. A record of data processing is essential, and ICO’s template is a useful tool. Another very useful tool is the guide created by the American Institute of CPAs and the Canadian Institute of Accountants with help from ISACA. It is based on the Generally Accepted Privacy Principles (GAPP) and aims to assist organizations in strengthening their privacy policies, procedures and practices.

  8. Breach Markers: How to be Certain that Your Data Has Been Breached and Know Where the Breach Originated

Jeremy Hendy extolled the virtues of breach markers, particularly when a business’s personal data sits on a third-party server outside the business’s control.

  9. Can Email Marketing Survive GDPR?

Dean Seddon went to great lengths to correct the misconception that direct marketing emails can no longer be used without consent. This is only the case in relation to B2C direct marketing emails. PECR does not require consent for B2B direct marketing emails; a legitimate basis can be relied on instead, so long as there is an opt-out. ICO’s guide explains when this legitimate interest may be relied on.

Direct marketing’s biggest challenge is consumers’ ire and the work of trolls. Consumers may have forgotten that they opted in to direct marketing emails, or may not have fully understood what they were consenting to. Full disclosure is essential. It’s also important to develop a policy on how to handle complaints, to prevent brand damage further down the line.

  10. Defence Against Malicious Data Subject Requests

Shane Reed explained the various steps a business should take upon receipt of a data subject request. The first step is to alert all the various departments that may be involved and complete an Office 365 search in SharePoint. Next, verify the identity of the data subject. Bear in mind that you have 30 days to respond. If businesses have a clear data retention policy designed to minimise personal data, this should reduce the amount of personal data that may need to be handed over.


When is a Data Processing Contract Required?

Published by Alisha McKerron on 3 October 2018

In today’s privacy climate, it is easy for companies to rush into signing data processing contracts with their service providers, for a variety of reasons. The most obvious reason is that no one wants to breach the General Data Protection Regulation (“GDPR”) (art 28(3)) and the Data Protection Act 2018 (s 59(5)), which provide that processing done by a processor on your behalf (as data controller) must be governed by a written contract between you and the data processor. The new sanctions under GDPR for breaches are too severe to be ignored.

Another reason for companies rushing to sign is an increased likelihood of breaches: the new definition of processing is all-encompassing, and the definition of personal data is much wider. The new regime also requires that certain mandatory provisions be present in data processing contracts, which has meant that old data processing contracts might need to be replaced by new ones if they are not compliant with the new provisions.

However, is it always necessary to sign data processing contracts? Admittedly, service providers may have historically preferred to be classified as data processors as opposed to data controllers, in order to benefit from the less onerous obligations imposed on them by pre-GDPR laws. However, since the GDPR is far stricter on data processors, this argument no longer makes sense – and so it’s now necessary to consider whether your service providers really are data processors under this new law. The question is best answered with, firstly, a clear understanding of GDPR and, secondly, an understanding of the service being provided.

Understanding GDPR

Starting with GDPR, the official guide from the Information Commissioner’s Office (ICO) (the relevant Supervisory Authority for the UK), although not up to date, is helpful in explaining the difference between the two roles and provides various examples of service providers, including a market research company, a payment service company, a mail delivery company, solicitors, accountants, IT services (a vehicle tracking company) and a cloud provider (a storage service provider). In its examples it concludes that only one out of the seven is a data processor: the storage service provider; five out of seven are data controllers: the market research company, the payment service company, solicitors, accountants and the vehicle tracking company; and the mail delivery service is neither a data controller nor a data processor.

What is interesting is that, if you asked a person with no knowledge of GDPR to classify each provider as either a data controller or a data processor, they would probably guess that the storage service provider is the data controller and all the rest are data processors! This is because it seems logical to assume that the first six service providers will be processing personal data on behalf of their clients, and therefore are data processors, and that the storage service provider, which stores and seemingly controls the data, must therefore be a data controller.

IT service providers can be difficult to classify correctly. This is because of the technical complexity involved, and the different ways information technology services are delivered, e.g. on-premises (where software is run on your premises) or off-premises (where software is run on the service provider’s servers, which aren’t under your control). There are also many different kinds of IT service provider, such as hosting service providers, managed service providers, storage service providers and application service providers, to name a few.

The only way to come up with the correct answers is to carefully consider the GDPR definitions.

“‘processor’ means a natural or legal person, ……….. which processes personal data on behalf of the controller;” art 4(8) of GDPR

“‘controller’ means the natural or legal person, ……….. which, alone or jointly with others, determines the purposes and means of the processing of personal data;” art 4(7) of GDPR

Every instance needs to be considered on its own. For example, ICO concludes that a vehicle tracking provider is a data controller, which might lead you to conclude that a video conferencing service provider is too, when it is not.

A vehicle-tracking provider installs hardware (devices in cars) and monitors them (on its servers) so that cars can be recovered if they go missing. Although the service it provides is to track and send back location data in certain circumstances, the vehicle-tracking provider is a data controller in its own right. This is because it has sufficient freedom to use its expertise to decide which information to collect about cars (and their drivers) and how to analyse it for its own purposes, i.e. it makes decisions in relation to purpose and means.

A video conferencing service provider installs hardware (screens and computers), for example in your conferencing suites, and uses its own software and technical expertise to allow people to videoconference with each other. Unlike the vehicle tracking provider, it does not have the same freedom to decide which information to collect and use. This is because all the personal data the service provider holds in connection with the service would be provided by yourselves, so the video conferencing provider has no scope to use the data for any of its own purposes. Unlike a vehicle tracking provider, the video conferencing provider is a data processor.

What about IT Managed Service Providers (MSPs), which retain responsibility for the functionality of IT services and equipment and allow you to benefit from predictable pricing and the ability to focus on core business concerns rather than IT management chores?

Although an MSP may decide such matters as what IT system to use to collect personal data, and how to store, secure and transfer it (all seemingly control functions), these are technical decisions which a data processor is free to make. You would retain exclusive control over the purpose for which the data is processed and the manner in which the processing takes place. As in the example above, all the personal data the MSP holds in connection with the service would be provided by you. Accordingly, the MSP is a data processor.

There are many other examples that can be considered; so long as one constantly considers who exercises overall control over the ‘why’ and the ‘how’ of the data processing, the distinction between the roles should become clear.

Understanding the services being provided

With regard to the second leg, namely understanding the services being provided, this is largely dependent on the relationship you have with your service providers. Where service contracts were agreed some time ago, this can be a real challenge: memories fade, personnel may have moved on to another department or company, and the service provider is not incentivised to co-operate fully since it already has a service contract in place. Accordingly, it is important not to neglect the relationship you have with your service providers.

It is also useful to bear in mind that uncertainty about each party’s role can not only result in unnecessary data processing contracts but, more worryingly, can prevent each party from determining where responsibility lies. This is essential to know, for example in the event of personal data being hacked.

Conclusion

In summary, in today’s privacy climate one should not rush into signing data processing contracts, or into updating existing data processing agreements, without a good understanding of GDPR and of how the delivery of services affects the collection and processing of personal data. Since this is not so easy to do on one’s own, it seems prudent to make every effort to forge an open and collaborative relationship with one’s service providers.