Act Now launches Law Enforcement Data Processing Policy Pack (Part 3 DPA 2018)

Organisations with a role in preventing and detecting crime (e.g. councils, police, regulatory bodies etc.) not only have to comply with GDPR but also Part 3 of the Data Protection Act 2018 (DPA 2018), which applies to the processing of personal data for law enforcement purposes. This is a complex task requiring, amongst other things, a set of policies, procedures and notices; a daunting task especially for organisations “starting from scratch”.

Act Now has applied its 16 years of information governance experience to create a policy pack containing essential document templates to help you meet the requirements of the DPA 2018. It will save you hours of drafting and research time. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent ICO fine notices issued against British Airways and Marriott International.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. This is another hot topic. On 25th June 2019, Enforcement Notices (under Part 3 of the DPA) were served by the ICO on the Metropolitan Police, for sustained failures to comply with individuals’ rights in respect of subject access requests.

Contents

Template policies

  • Data Protection Policy – providing an overarching framework for compliant processing of personal data for law enforcement purposes as required under s56 DPA 2018
  • Sensitive Data Processing Policy – as required under s42 of DPA 2018

Procedures

  • Data breach reporting
  • Data Protection Impact Assessment template
  • Data Subject rights request response templates
  • System requirements specification – Summary of requirements to meet the audit and record keeping requirements of Part 3 of DPA 2018
  • International transfers

Privacy Notice templates

  • General (for publication)
  • Specific (for tailoring privacy information to particular individuals as required by s 44(2) of DPA 2018)

Records and Tracking logs

  • Information Asset Register
  • Record of Processing Activity (s 61)
  • Record of Sensitive Data processing
  • Data Subject Rights request tracker
  • Information security incident log
  • Personal data breach log
  • Third country transfer logs
  • Data protection advice log

The above documents are inter-related and contain cross references, particularly across the various tracker logs.

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format) following payment. Sequential files and names make locating each document very easy.

Click here to read sample documents.

For only £249 plus VAT (Special Introductory Price), the policy pack gives a useful starting point for organisations of all sizes who have a law enforcement function and will save hours of drafting time and research time.

This LED processing policy pack complements the Act Now GDPR Policy Pack, which covers the general processing of personal data. The GDPR policy pack has been bought by public and private organisations including local authorities, utility companies, universities and charities.

To learn more about Part 3 of the DPA 2018, see our full day workshop and webinar on this topic. For a full GDPR update please see our new advanced workshop.

The BA and Marriott Data Breaches: The ICO takes its gloves off!


This week we saw the Information Commissioner’s Office (ICO) finally signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent have been issued. Both relate to cyber security incidents but are for different reasons and amounts.

Under the GDPR, supplemented by the Data Protection Act 2018 (DPA18), the ICO has a number of statutory duties and powers with regards to regulating Controllers’ and Processors’ obligations. Article 58 gives the ICO its powers. Article 83(2) sets out the criteria that have to be taken into account by the ICO when issuing fines. These include the nature, gravity and duration of the breach, the number of data subjects affected, level of damage and action taken to mitigate the damage. All this is outlined in the ICO’s Enforcement Policy.

British Airways Notice of Intent – £183 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”

According to various sources at the time, for a period of two weeks BA’s systems were compromised. Hackers took the personal and financial details of customers who made, or changed, flight bookings on www.BA.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three-digit CVC code required to authorise payments.

According to an article from wired.co.uk, the BA vulnerability was a well-known one and could have been prevented with a simple fix. While we don’t know the exact details yet, perhaps that is why the ICO wants to fine BA a whopping £183 Million!

What this also appears to show is that, because the BA breach resulted in customers of BA being stuck in various holiday locations unable to get home, the effect on “the rights and freedoms of individuals” was certainly far more concrete (and some could say worse) than what we currently know about the Marriott data breach (see below). Perhaps this is why the fine amount is so high.

As soon as the notice of intent was filed BA announced they were going to appeal, either because they see themselves as the victim here (as stated in various press statements about the incident) or they believe that the ICO has acted disproportionately. We shall see…

Marriott Hotels Notice of Intent – £99 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

According to various sources (see the BBC article at the time) this specific cyber security breach related to one of the booking databases belonging to Starwood hotels. A vulnerability in the database was first exploited in 2014 and continued to be exploited until an internal security tool detected suspicious activity in 2018. The database in question contained records of up to 500 million customers, of which 339 million were compromised, including names, addresses and encrypted payment card information.

In 2016 Starwood (and all its assets and liabilities) was bought by Marriott. Part of the ICO statement accuses Marriott of not completing effective due diligence on Starwood, and that appears to be the main reason for the intention to fine. One would conclude therefore that when purchasing a company a full security assessment and penetration test on the IT network and systems should be completed. Marriott have also announced their intention to appeal the notice of intent. Not surprising when it is £99 Million!

What does this mean?

As with the Metropolitan Police announcement a few weeks ago, I’m sure these announcements will go down in Data Protection history but until the action is confirmed and the money exchanges accounts, what it exactly means for the regulatory landscape is yet to be seen. These are just intentions to fine, not the actual fine itself. The press (and some people that still don’t understand Data Protection when they claim to) got all excited about it at the time (and were corrected by many on social media). I think someone used the phrase (which I now cannot find so I can’t credit you – sorry!) “it’s basically like me saying I have an intention to buy my lunch”. But your lunch currently isn’t bought, and you are, indeed, still hungry!

What it means in terms of what you can practically do in your day jobs however is quite clear. GDPR emphasises the need to have ‘effective organisational and technical measures’. So, if you are going to buy a business (or just build a new system) ensure you have done your due diligence and testing on it to help mitigate any potential risks. You can’t catch everything (especially in a cyber security context) but at the very least you must be seen to be trying. Doing nothing, or ‘ignorance is bliss’, will ultimately land you in trouble.

Secure systems, privacy by design, effective cyber security and a half decent data culture will help you on your path and are considerably more beneficial than the world of ignorance.

Scott Sammons is a trainer with Act Now. More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Photo: Thanks to Sam Truong Dan for making this photo available freely on @unsplash 🎁 https://unsplash.com/photos/-rF4kuvgHhU 

Act Now’s FOI Practitioner Certificate: The Story So Far


At the end of 2018 Act Now announced the launch of its new FOI Practitioner Certificate. In keeping with the company’s ethos of delivering on the ground practical training, the new course is designed to meet the needs of practitioners and to enable them to fulfil their roles as FOI Officers.

Act Now is pleased to inform readers that in May and June the first two cohorts of delegates attended our fully booked courses in London and Manchester respectively.
The courses were designed and delivered by Susan Wolf, formerly a senior lecturer on the University of Northumbria’s LLM in Information Rights Law.

The course has so far attracted delegates from a range of public authorities, including the Crown Prosecution Service, Department for Environment, Food and Rural Affairs (Defra), Maritime and Coastguard Agency (MCGA), Nursing and Midwifery Council, University of West London, Dudley CCG, Land Registry, Lancashire Council, Cheshire Police and St Leger Homes.

Susan says:

“I have looked at every aspect of this revised course to ensure it equips FOI officers with the knowledge they need to tackle FOI in a practical way.”

The course uses the same format as our very successful GDPR Practitioner Certificate.
It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. All delegates are encouraged to actively participate and share their experiences, in order to create an inclusive environment. Over the coming months, further courses will be delivered by Susan, Ibrahim Hasan and Philip Jones.

What’s new?

The new course offers several innovations, which Act Now believes make it distinctive and highly relevant to FOI Officers and other practitioners with responsibility for providing access to public information. One innovation is that time is made available each day for delegates to reflect on what they have learned and how it will inform their practice. From her experience of delivering training to the first two cohorts, Susan noted:

“Delegates were able to share their experiences and problems, and more importantly offer suggestions for tackling problems. This was particularly useful for delegates with limited FOI experience, or from smaller organisations, who were able to take away practical suggestions about how to handle requests and deal with the exemptions.”

The course also encourages delegates to become independent learners and provides guidance on ‘keeping up to date’ and understanding how cases are handled by the First Tier Information Rights Tribunal. Susan says:

“The law isn’t static; we keep getting new ICO guidance, based on Tribunal and Court decisions. It is important that FOI practitioners understand the importance of keeping up to date, and how to do this.”

The assessment of the course is innovative and modern. The assessment model will be very familiar to people who have undertaken our GDPR Practitioner Certificate. First, delegates must complete a one-hour MCQ test. This is worth 30% of the overall assessment. The remaining 70% involves a written project. Delegates are given a practical scenario which requires them to draft a Refusal Notice and explain how they would handle the request and their selection of exemptions. All delegates receive detailed feedback on their written projects. Our Scottish FOISA course also now follows the same format.

Susan says:

“The assessment has been designed to be relevant and useful; I can see little point in giving delegates a task that has no meaning to their practice. Instead we want our delegates to feel like the assessment will inform their practice and enable them to enhance and develop their skills. Writing a robust refusal notice is an essential skill for FOI practitioners and lies at the heart of our assessment on this course.”

The delegate feedback so far has been excellent and it seems that this course has plugged a gap in the market:

An excellent course taught by someone with all the relevant knowledge and experience to impart to the delegates. Also very useful course materials which have proved to be helpful to me on a day to day basis in my job. I would really recommend this course to anyone who is dealing with FOIs in their job.
JC, Department for Environment, Food and Rural Affairs (Defra)

Ibrahim Hasan (Director of Act Now Training) says:

“We are pleased that this new FOI certificate course is meeting the training needs of FOI officers. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

More venues have been added for this course including Belfast. All our courses can be delivered at your premises at a substantially reduced cost.

Contact us for more information.

Freedom of Information comes to Scottish Registered Social Landlords


The social housing sector already prides itself on being open and accountable to tenants. But from 11 November 2019, registered social landlords (RSLs) in Scotland will acquire new transparency obligations under the Freedom of Information (Scotland) Act 2002 (FOISA).

After years of debate, and the robust recommendation of successive Scottish Information Commissioners that housing associations should be in scope of FOISA, a designation order (under Section 5) adds RSLs to the list of public authorities in Schedule 1 of FOISA. The last such order (S.I. 2016/139) came into force on 2nd March 2016 and extended coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited.

Housing associations are already subject to the Environmental Information (Scotland) Regulations 2004 (EISR) as their scope is broader than FOISA. However, awareness of the EISR is low among the public, and even some housing associations were probably unaware of them. Many of the types of requests which RSLs are likely to receive – around construction and repairs for example – will continue to fall under the EISRs.

Unlike other Scottish public authorities, FOISA does not apply to all the activities that an RSL may undertake. The designation order only extends FOISA to “housing services” as defined in the Housing (Scotland) Act 2010, which would include activities in support of:

  • the prevention and alleviation of homelessness,
  • the management of housing accommodation (but only where the RSL has issued a Scottish secure tenancy or short SST)
  • the provision and management of sites for gypsies and travellers

Other activities undertaken by RSLs – such as factoring for owner-occupiers, repairs and maintenance for non-tenants and care services – would not be in scope. Identifying how much of the organisation is subject to FOISA will be an ongoing challenge for RSLs.

GDPR Implications

And there is a double whammy for RSLs. Under section 7 of the Data Protection Act 2018, schedule 1 of FOISA is the basis in Scotland for designating public authorities under GDPR. Therefore, from November, RSLs will be subject to the obligation, under Articles 38 and 39 of GDPR, to designate and provide appropriate support for a Data Protection Officer. While many larger RSLs have already done so, this is going to be a challenge to resource for smaller associations.

So, in preparation for November, RSLs should “Act Now” to:

  • Gain senior management support and buy-in for the compliance tasks;
  • Identify and designate a Data Protection Officer if they haven’t already done so;
  • Designate a lead officer for FOISA compliance;
  • Develop procedures and guidance for staff, including a log for tracking requests and templates for responses;
  • Ensure training is in place: Specific compliance training for DPOs and FOI leads and awareness training for all staff;
  • Review records management procedures to ensure appropriate retention periods are applied and records are retrievable;
  • Inform tenants and the wider public of their rights, including having a guide to information on their website.

FREE WEBINAR

Our FOISA expert, Frank Rankin, is delivering a free webinar for RSLs in Scotland to bring them up to speed with FOISA and what they need to do now before the implementation date. Book now as places are limited.

Act Now can support RSLs with our range of public training courses, including the only FOISA practitioner certificate course and our GDPR practitioner course, geared towards supporting DPOs. We can also provide in-house training and consultancy support.

GDPR: One Year on


The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25th May 2018 with much fanfare. It was the biggest change to data protection law in 20 years and, with GDPR carrying a maximum fine of 20 million Euros or 4% of gross annual turnover (whichever is higher), the marketing hype, emails and myths came thick and fast.

There has been no avalanche of massive fines under GDPR. According to a progress report by the European Data Protection Board (EDPB), Supervisory Authorities from 11 EEA countries imposed a total of €55,955,871 in fines. This is not a large amount when you consider it includes a 50 million euro fine on Google issued by the French National Data Protection Commission (CNIL). It followed complaints from two privacy groups who argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.

EDPB figures also show:

  • 67% of Europeans have heard of GDPR
  • Over 89,000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing
  • There have been 446 cross border investigations by Supervisory Authorities

Despite the warnings of data armageddon, year one of GDPR has mostly been a year of learning for Data Controllers and one of raising awareness for Supervisory Authorities. The Information Commissioner’s Office (ICO) in the UK has produced a GDPR progress report in which it highlights an increased public awareness. In March it surveyed Data Protection Officers. 64% stated that they either agreed or strongly agreed with the statement ‘I have seen an increase in customers and service users exercising their information rights since 25 May 2018’.

The ICO has not issued any fines yet but has used its other enforcement powers extensively. It has issued 15 Assessment Notices and 11 Information Notices in conjunction with various investigations including into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. Two Enforcement Notices have been issued against a data broking company and HMRC respectively (read our blog) as well as warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance. (25/6/19 STOP PRESS – Enforcement notices have been served (25th June), under the 1998 and 2018 Data Protection Acts, on the Metropolitan Police for sustained failures to comply with individuals’ rights in respect of subject access requests.)

The ICO is planning to produce four new codes of practice in 2019 under GDPR. Here are the dates for your diary:

  • A new Data Sharing code. A draft code for formal consultation is expected to be launched in June 2019 and the final version laid before Parliament in the autumn.
  • A new Direct Marketing code to ensure that all activities are compliant with the GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations (PECR). A formal consultation on this will be launched in June 2019 with a view to finalising the code by the end of October.
  • A Data Protection and Journalism code. A formal consultation on this will be launched in June 2019 with a view to laying the final version before Parliament in the summer.
  • A code of practice on political campaigning. The code will apply to all organisations who process personal data for the purpose of political campaigning, i.e. activity relating to elections or referenda. A draft will be published for consultation in July 2019.

Year 2 of GDPR will no doubt see more enforcement action by the ICO including the first fines. According to its progress report though, it will continue to focus on its regulatory priorities, which are cyber security, AI, Big Data and machine learning, web and cross device tracking for marketing purposes, children’s privacy, use of surveillance and facial recognition, data broking, the use of personal information in political campaigns and Freedom of Information compliance.

Finally, depending on whether there is a Brexit deal, we may see some changes to GDPR via the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which came into force in March this year.

More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. For those seeking a GDPR qualification, our highly popular practitioner certificate is the best option. Read our testimonials here.

First Two GDPR Enforcement Notices – Lessons Learnt


The Information Commissioner’s Office (ICO) recently served only its second Enforcement Notice for breaches of the GDPR.

The first Enforcement Notice was issued in July 2018 against a Canadian company, AggregateIQ Data Services Ltd (AIQ). Strangely it was not published on the ICO’s website but was mentioned in the ICO’s report: “Investigation into the use of data analytics in political campaigns”. Pursuant to section 149 of the Data Protection Act 2018, the notice required AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

The ICO found that AIQ had violated Articles 5 and 6 of the GDPR, by processing personal data unbeknown to the data subjects, for undeclared purposes and without a lawful basis for such processing. It had also failed to provide the transparency information required under Article 14 of the GDPR.

On 9th May 2019, the second Enforcement Notice was served on Her Majesty’s Revenue and Customs (HMRC) ordering it to delete personal data it collected unlawfully as part of a Voice ID system. The background to the notice is that HMRC adopted a voice authentication system, in January 2017, which asked callers to some of its helplines to record their voice as their password. A complaint from Big Brother Watch to the ICO revealed that callers were not given further information or advised that they did not have to sign up to the service. There was no clear option for callers who did not wish to register. In short, HMRC did not have adequate consent from its customers to collect the data.

In the notice, the Information Commissioner says that HMRC appears to have given “little or no consideration to the data protection principles when rolling out the Voice ID service.” She highlights the scale of the data collection – seven million voice records – and that HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers. It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.

It was also found that a data protection impact assessment (DPIA), that appropriately considered the compliance risks associated with processing biometric data, was not in place before the system was launched. The ICO plan to follow up the enforcement notice with an audit that will assess HMRC’s compliance with good practice in the processing of personal data.

  • Recording voices which can be used to identify the speaker is biometric data. This is classed as Special Category Data under GDPR.
  • If Data Controllers are planning to rely on consent as a legal basis to process such data, then they must remember that any consent obtained must be explicit (see the ICO guidance on informed consent).
  • Large scale use of biometric data is also “high risk” processing and will require a DPIA.
  • Data Controllers must be able to demonstrate their GDPR compliance by putting appropriate technical and organisational measures in place.

Steve Wood says:

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”

More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Act Now runs a full day workshop which can teach you how to do a DPIA. For those seeking a GDPR qualification, our practitioner certificate is the best option.


The Data Protection Act 2018 – Pre and Post Brexit


The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR, i.e. it fills in some of the gaps by enacting “derogations”, where Member States are allowed to make their own rules, e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes, implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities, i.e. those that process personal data for law enforcement purposes relating to criminal offences or threats to public security, e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.


Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

GDPR Practitioner Certificate: New Course For London


By popular demand Act Now Training has added an extra course in London for its GDPR Practitioner Certificate. This course is aimed at those undertaking the role of Data Protection Officer under GDPR, whether in the public or the private sector. It will teach delegates essential GDPR skills and knowledge.

The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The new London course starts on 1st April 2019. Subsequent dates are 8th April, 15th April and 29th April.

This course has been super successful since launch. We ran it over 60 times in 2018 alone with over 900 delegates being trained. You can read some of the feedback here.

Make 2019 the year you achieve a GDPR qualification. Book early to avoid disappointment. 

BREXIT UPDATE: If you want to know more about how a No Deal Scenario will impact on GDPR and the DPA 2018, Ibrahim Hasan is presenting a webinar on 18th March 2019. We also have a new webinar on international transfers pre and post Brexit.

Lessons from the Google GDPR Fine

Photo by Pixabay on Pexels.com

On 21st January 2019, the French National Data Protection Commission (CNIL) fined Google 50 million euros for breaches of the General Data Protection Regulation (GDPR). This is the biggest financial penalty issued so far by any European regulator under the new law. But the decision goes far beyond Google or even the tech sector.

In May 2018 CNIL received complaints from two privacy groups: None Of Your Business and La Quadrature du Net. They argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.

CNIL agreed citing a “lack of transparency, inadequate information and lack of valid consent” regarding ad personalisation for users. It said users were “not sufficiently informed” about what they were agreeing to. Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens. That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.

Under the GDPR (Article 4) standard, consent must be, amongst other things, “specific” and “unambiguous”. Google’s consent failed this test because users were not asked specifically to opt in to ad targeting; they were simply asked to agree to Google’s terms and privacy policy bundled together.

Google is appealing the decision. Meanwhile the Swedish Data Protection Authority (Datainspektionen) has also announced an investigation into Google’s slurping of location and web histories.

This decision requires all Data Controllers to think carefully about how they go about obtaining consent for personal data processing. Articles 7 and 8 of GDPR must be considered, as well as the Article 29 Working Party guidance.

Articles 13 and 14 set out what information should be given to data subjects when processing their personal data. This is a stand-alone right, but it also helps to ensure that the processing is fair and transparent as per Article 5(1)(a). Our blog on what to include in a privacy notice (including examples) will help those revising their notices in the light of this decision.

BREXIT UPDATE: Draft regulations have been laid before Parliament to amend the GDPR and the Data Protection Act 2018, which will change as a result of Brexit. If you want to know more, Ibrahim Hasan is presenting a webinar on 12th and 21st February 2019 at 10am.

Make 2019 the year you achieve a GDPR qualification. Our GDPR Practitioner Certificate courses are filling up fast.

Making GDPR British: New Regulations set out the UK’s post Brexit DP landscape

On 19th December 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29th March 2019, with only one page of explanatory notes. And you thought Theresa May had problems!

Before you start reaching for the highlighters, marker pens and sticky notes (and maybe even smelling salts) it is important to bear in mind that the primary aim of the new regulations is “to make GDPR British” (my phrase). Yes dear readers, we will soon have our own (red, white and blue) version of GDPR. All the pain and cost of Brexit will have been worth it!

To understand the new regulations, we have to go “back to basics” (not my phrase). The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Despite the UK leaving the EU on 29th March (or later – you never know! – or never, in which case ignore everything and wait for more blog posts!!!!), all EU laws, including GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.

The EU version of GDPR, which the UK is bound by until exit day, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend GDPR to remove these references and replace them with British equivalents where applicable. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. (Read our summary and blog post busting some of the myths).

Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”), for example where personal data processing relates to immigration, or to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context. Amongst other things, the new regulations merge this part into the UK GDPR.

Other provisions to note include:

  • Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.
  • Regulation 6 introduces Schedule 3, which makes consequential amendments to other legislation.
  • Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in light of provision made by the GDPR relating to the meaning of “consent”.

Part 3 of the DPA 2018 regulates the processing of personal data for law enforcement purposes, implementing the Law Enforcement Directive (EU) 2016/680. This part will continue to apply, even after exit day, to competent authorities, i.e. those that process personal data in connection with criminal offences or threats to public security, e.g. the police, trading standards departments etc. Some minor amendments will be made to reflect the UK GDPR. Similarly, Part 4 of the Act (processing of personal data by the Intelligence Services) and Parts 5 and 6 (Information Commissioner powers and enforcement) will remain in force.

The new regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding further provisions to the DPA 2018. However, for personal data to be transferred lawfully from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. These regulations attempt to make the UK version of GDPR as robust as the EU version. We will have to wait and see if the EU agrees.

The new regulations are currently in draft (you can follow their progress here). If approved they come into force on exit day, which is currently scheduled to be 29th March 2019, although it could be later. With all the uncertainties over the Brexit deal, I would not get the markers out just yet nor tear up your Act Now GDPR handbook!

STOP PRESS – The Regulations were made on 28th February 2018 and will come into force as set out in Regulation 1.

If you want to know more about the new regulations, Ibrahim Hasan is presenting a webinar soon.

Make 2019 the year you achieve a GDPR qualification. Our next few GDPR Practitioner Certificate courses are almost fully booked!