GDPR: Goodbye Notification, Hello More Fees!


By Ibrahim Hasan

Currently, under the Data Protection Act 1998 (DPA), most Data Controllers have to go through a process of Notification with the Information Commissioner’s Office (ICO). This is a simple process, which involves completing an online form telling the Commissioner about their data processing activities. The entry then appears on a publicly searchable online register. It costs £35 or £500 to notify, depending on the type of organisation.

Failure to notify is a criminal offence under section 17 of the DPA. In September 2016, a recruitment company was found guilty of this offence and ordered to pay a fine of £5,000, costs of £489.85 plus a victim surcharge of £120.

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the DPA. There is no notification process under GDPR. However, Article 30 does require Data Controllers as well as Data Processors to keep detailed records of their data processing activities, depending on the size of the organisation. There are some similarities with the “registrable particulars” under the DPA which must be notified to the ICO:

  • Name and details of the organisation (and where applicable, of other controllers, any representative and data protection officer)
  • Purposes of the processing
  • Description of the categories of individuals and categories of personal data.
  • Categories of recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
  • Retention schedules
  • Description of technical and organisational security measures

If the organisation has fewer than 250 employees it is only required to maintain records of activities related to higher risk processing, such as:

  • processing personal data that could result in a risk to the rights and freedoms of individuals; or
  • processing of special categories of data or criminal convictions and offences.

These records must be made available to the ICO upon request.

With the absence of Notification in GDPR, Data Controllers looked set to save some money. (Not a lot, but every little helps!) In contrast, the ICO seemed set to lose a lot of money. It is currently funded partly from the annual Notification fees. Last year it collected more than 17 million pounds. So how to plug the funding gap?

Enter the Digital Economy Bill, which is currently making its way through Parliament. Amongst other things, it contains provisions which will give public authorities (including councils) more power to share personal data with each other as well as, in some cases, the private sector.

But in a good week to bury bad news (aka Brexit and the Scottish Referendum), the Government published a memo, which indicates its intention to amend the Bill to include clauses giving Ministers the power to introduce regulations setting out new charges to be levied by the ICO on Data Controllers (See Para 45 – 53 entitled: Power to make regulations about charges payable to the Information Commissioner).

Note in particular paragraphs 49 and 50 of the memo:

“49. The fees regulations may include provision for a free-standing charge – that is, where the charge does not relate to any service provided by the Information Commission to the data controller. They may also make provision about the times or periods within which a charge must be paid; and may make provision for different charges to be payable in different cases (including no charge or a discounted charge).

“50. The clause also confers a related power for the Secretary of State by regulations to require a data controller to provide information to the Information Commissioner, or to enable the Commissioner to require a data controller to provide information, for the purposes of determining whether a charge is payable and the amount of any such charge.”

This development should not surprise Data Controllers. A few years ago “the Justice Committee found changes to EU data protection laws could leave the taxpayer with a multi-million pound bill if the government does not find a new way to finance the Commissioner.” “Spreadsheet Phil” has enough on his hands without having to worry about filling the ICO funding gap with government money! What remains to be seen is what the new charges will be and whether they will impose a further financial burden on Data Controllers at a time when they will already be spending substantial resources implementing GDPR.

Want to know more about GDPR? Attend our full day GDPR workshop.

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

iPhone -> abcPhone


By Paul Simpkins

First the joke

I had a friend who played in a band. When he got his new smart phone he put all his gigs for the next 12 months into his calendar with an alert set for the day before so he knew when he was needed and he could plan the rest of his life.

A few days later his fellow band members rang him from a venue saying “Where are you, we’re on stage in 3 hours…”.

He looked at his phone and found that almost all the dates except 8 that he’d typed in hadn’t gone into his calendar. Only 8 were listed. The rest had disappeared. He dashed down to the phone shop and asked why, to which the teenage assistant replied “Sorry mate, you’ve only got an 8 gig phone” [groan…]

But do you really need a phone with massive capacity and hundreds of apps? Do you need two level security or thumbprint login or many of the fancy apps that make your life so complicated efficient?

Is there a market for a simpler smartphone (maybe a dumbphone) that just has 8 key apps built in and no possibility of adding any more? We could call it the 8 app phone to remind us of the old joke. There would only be one home screen so we could call it… the screen.

Many old people don’t use 99% of the functionality of a smartphone. Yes youngsters are in constant contact with every social media platform that exists and are forever uploading and viewing videos of their friends eating junk food in branded outlets while streaming Spotify tunes but do we need all this connectivity?

This revolutionary concept crossed my mind this morning. I’d installed an update on my i-phone and instead of getting on with being my faithful companion my phone reverted to Hello Hola mode. All I had to do was set it up again and all my data would mysteriously flow back through the air to fill it up again. The problem was that I couldn’t remember my i-Cloud code as I’d bravely migrated to (see I can speak the lingo) two level authentication a few days ago. The phone wasn’t playing until it had the code. (I know I should have written it down on a yellow post it note but most of my reminders are in Notes on my phone). I also know that apple groupies will now be screaming “you stupid old git” at their screens and I acknowledge that I don’t know the front end of a universal serial bus from the back end but I’m happy in my own way. I just don’t see the point of unasked for updates that add on features I don’t think I’ll ever use. I’m often quite a few updates late and I still don’t know why I accepted this one so readily.

I went on the web and signed in with my Apple ID and it said no problem we’ll send a 6 letter code to your trusted device and you can type it in and you’ll be fine. Unfortunately my trusted device was the phone that the update had turned into a small door stop so the code I needed to unlock it was stopping at the door and not going in.

I rang Apple support and pointed out the problem and they ummed and ahhhed for 30 minutes before deciding that I had to take the SIM out of the phone, put it into another phone, set it up as a clone of my small doorstop, look in the text inbox, retrieve the code I’d been sent, take the SIM out, return it to my small doorstop and type in the code which would make my door stop suddenly metamorphose into a beautiful smartphone and fly off into the sunset.

The local phone shop refused to do it as it might lock the donor phone so I went home to find an old i phone. Soon I had no i-cloud code and 2 locked phones.

Fortunately I also had a macbook and an IT literate partner and for 3 hours we trawled the web, switched off this, switched on that, reset the donor phone and through trying every possible route through the Hello Hola roadblock finally made it work. Then we saw 9 texts each containing a 6 letter unlock code.

With feverish glee we put the SIM back where it belonged and tried to replicate the process. We did at one stage receive an email message saying that someone in Middlesbrough had tried to sign into my account but ignored it as it was so obviously a ruse de guerre. (Heckmondwike yes but Middlesbrough no way…). An hour later we’d made it. It involved changing an apple ID password and several cups of coffee and a few cookies but we made it. By now darkness had fallen and we were both too tired to actually use the phone.

Back to the brilliant idea. The next development for Apple after the i-phone should (obviously) be the j-phone. The J stands for ‘just a few things on the’ phone. Essentials are phone, text, web, calendar, maps, settings, camera, contacts and nothing else. (There will be a focus group later to decide which 8 are essential). {We’ll make them big icons while we’re at it}. But let’s make it even simpler and, to save a law suit, just call it the abc-phone. Being as there’s no video or music or social media this can be produced cheaply and only sold to anyone who can produce a bus pass or a senior rail card (with photo ID – we’re not letting any spotty youngsters in on the secret). There’ll be no real security on the phone – if someone pinches it there will be no value to sell on and the user can just buy another.

Over to you Apple…

Regards

A grumpy old man.


Make 2017 the year you achieve a GDPR qualification? See our full day workshops and new GDPR Practitioner Certificate.


image credits: http://www.techradar.com/reviews/phones/mobile-phones/iphone-6-1264565/review

The Subject Access Right Under GDPR


When the General Data Protection Regulation (GDPR) comes into force on 25th May 2018, it will introduce a number of new obligations on Data Controllers which will require them, amongst other things, to review their approach to personal data breaches, privacy notices and overall GDPR compliance responsibility. Some new Data Subject rights, including the right to erasure and the right to data portability, will also be introduced.

So there is a lot to learn and do within a short space of time. However, the good news is that, whilst GDPR will replace the UK’s Data Protection Act 1998 (DPA), it still includes familiar concepts such as the right of the Data Subject to request a copy of his/her data, known as a Subject Access Request (SAR) in DPA parlance.

In brief, Article 15 of GDPR gives an individual the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information.

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Fees

Under the DPA, Data Controllers can charge £10 for a SAR (£50 for a health record). GDPR allows most requests to be made free of charge. This is a significant change and will hit the budgets of those who receive voluminous or complex requests e.g. local authority social services departments. However, a “reasonable fee” can be charged for further copies of the same information and when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative cost of providing the information.

Time Limit

The DPA allows Data Controllers 40 calendar days to respond to a SAR. Under GDPR the requested information must be provided without delay and at the latest within one month of receipt. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of receipt of the request and told why the extension is necessary.

All refusals must be in writing setting out the reasons and the right of the Data Subject to complain to the ICO and to seek a judicial remedy.

Format of Responses

Where the Data Subject makes a SAR by electronic means, and unless otherwise requested by the Data Subject, the information should be provided in a commonly used electronic format. Before providing the information, the Data Controller must verify the identity of the person making the request using “reasonable means”.

The GDPR (Recital 63) introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would give the individual direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well e.g. local authorities may look at providing secure online access to social work records.

Article 15 makes it clear that the right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others. Therefore, as is the case under section 7(4) of the DPA, careful thought will need to be given to whether third party personal data needs to be redacted before disclosing information.

Exemptions

Data Protection Officers will be familiar with the exemptions in the DPA, set out in Part 4 and Schedule 7, some of which allow a Data Controller to refuse a SAR. There is currently no such list in the GDPR. However Article 23 allows national governments to introduce exemptions to various provisions in GDPR, including SARs, by way of national legislation based on a list set out in that article. This contains the same categories as in the DPA e.g. national security, crime prevention, regulatory functions etc. My guess is that the UK Government will enact the same exemptions as currently exist in the DPA.

Recital 63 states the purpose of the SAR is to make Data Subjects aware of and allow them to verify the lawfulness of the processing of their personal data. This seems to suggest that requests for other purposes e.g. to assist in litigation may be rejected. Compare this to the recent case of Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 in which the Court of Appeal said that there was nothing in the EU Data Protection Directive (which the DPA implements into UK law) which “limits the purpose for which a data subject may request his data, or provides data controllers with the option of not providing data based solely on the requestor’s purpose.” (More on this case here.)

The GDPR does not introduce an exemption for requests that relate to large amounts of data, but a Data Controller may be able to consider whether the request is manifestly unfounded or excessive. Recital 63 also permits asking the individual to specify the information the request relates to.

Subject Access and Data Portability

How different is the Subject Access Right to the Right to Data Portability set out in Article 20? The latter also allows for Data Subjects to receive their personal data in a structured, commonly used and machine-readable format. In addition it allows them to request it to be transmitted to another Data Controller.

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly it has to be automated data. Paper files are not included. Secondly the personal data has to be knowingly and actively provided by the Data Subject. By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller. Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her.

In contrast, the subject access right applies to all personal data about a Data Subject processed by the Data Controller, regardless of the format it is held in, the justification for processing or its origin.

It is important to note that neither right requires Data Controllers to keep personal data for longer than specified in their retention schedules or privacy policies. Nor is there a requirement to start storing data just to comply with a request if one is received.

To discuss this and other GDPR issues, come and say hello to us on stand 15 at the ICO Conference on Monday 6th March in Manchester.

Make 2017 the year you achieve a GDPR qualification? See our full day workshops and new GDPR Practitioner Certificate.

IRMS Certificate in Information Governance Proving Very Popular


In April 2016, Act Now, in partnership with the Information and Records Management Society (IRMS), launched the IRMS Foundation Certificate in Information Governance. This is the first fully online certificated course on Information Governance and is proving extremely popular amongst public and private sector professionals.

In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However, the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The Government recently confirmed that it will be adopting the Regulation despite the Brexit vote. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. With recent high profile hacks, records management and information security are now top of the corporate risk agenda. And the list goes on…

Employees and managers need timely and cost effective IG training. The IRMS Foundation Certificate in Information Governance is the solution. This is an online certificated course designed for information management professionals who need to know about the basics of information rights and information management in their job role. It is an ideal starter qualification for those who wish to progress to more advanced qualifications such as the Act Now Practitioner Certificate in Data Protection and the BCS FOI and DP Certificates.

There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition they will be able to tailor their learning through doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate endorsed by the excellent reputation of the IRMS.

Since its inception in April 2016, 70 delegates have successfully completed the course. They represented a diverse range of organisations from the public and private sector including HMRC, the Prudential Regulation Authority, Ropes and Gray International LLP, 14 local councils, the Scottish Government, University of the Arts London and Creative Scotland, to name but a few.

Feedback from delegates has been very positive:

“The IRMS Foundation Certificate is a great way to cement a base knowledge, plus I found it useful to update some details and understand what changes may be on the horizon.” LK, Isle of Man Government

“Modules were interesting and packed full of useful content. As someone relatively new to the sector, this was the perfect course for me.” JH, Healthcare Improvement Scotland

“The course was really interesting, I have been in the profession for many years but still found a lot of new content throughout the course that built upon my existing knowledge but also explained some topics much more in depth which was very engaging. The webinars were very useful and gave a good insight into the topics as well as giving a good opportunity to ask any questions and engage with other students and tutors. The course has certainly expanded my knowledge and interest in Information Governance and is very relevant to my work. I will be taking the information I have gained on this certificate further to enhance my career.” RD, Ministry of Defence

Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:

“I am pleased that this ground breaking online qualification is proving a big hit with information governance professionals. We are committed to continuous improvement and hope to add more such qualifications to our training portfolio in the future.”

Scott Sammons, the Chair of the IRMS, recently wrote in the IRMS magazine:

“I am very pleased that the online course is proving extremely popular amongst public and private sector professionals. Bookings have been received from a diverse range of organisations including local authorities, Government departments, Academy Trusts, the NHS, universities and even overseas governments!”

The qualification is also suitable for Scottish delegates who can choose to learn about the Freedom of Information (Scotland) Act instead of the Freedom of Information Act 2000.

IRMS members receive a 10% discount off the normal price of the course (£449 plus VAT).

If you would like to know more about this course please see Act Now’s dedicated IRMS Certificate webpages or e-mail info@actnow.org.uk. You can also compare all our certificated courses here.

The Right to Data Portability under GDPR


The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Whilst it will replace the UK’s Data Protection Act 1998 (DPA), it still includes the right of the Data Subject to receive a copy of his/her data, to rectify any inaccuracies and to object to direct marketing. It also introduces new rights, one of which is the right to Data Portability.

Article 20 of GDPR allows Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers, but particularly on data driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services (so the theory goes; we live in hope!).

When the Right Can Be Exercised

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly it has to be automated data. Paper files are not included. Secondly the personal data has to be knowingly and actively provided by the Data Subject. This covers, for example, account data (e.g. mailing address, user name, age) submitted via online forms, but also data generated by and collected from the activities of users by virtue of their use of a service or device.

By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller.

Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her. Therefore personal data processed by local authorities as part of their public functions (e.g. council tax and housing benefit data) will be excluded from the right to Data Portability.

It is important to note that this right does not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy policies. Nor is there a requirement to start storing data just to comply with a Data Portability request if one is received.

Main elements of Data Portability

Article 20(1) gives a Data Subject two rights:

  1. To receive personal data processed by a Data Controller, and to store it for further personal use on a private device, without transmitting it to another Data Controller.

This is similar to the subject access right. However here the data has to be received “in a structured, commonly used, machine readable format” thus making it easier to analyse and share. It could be used to receive a playlist from a music streaming service, information about online purchases or leisure pass data from a swimming pool.

  2. A right to transmit personal data from one Data Controller to another Data Controller “without hindrance”.

This provides the ability for Data Subjects not just to obtain and reuse their data, but also to transmit it to another service provider e.g. social networking sites and cloud storage providers etc. It facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition it provides consumer empowerment by preventing “lock-in”.

The right to Data Portability is expected to foster opportunities for innovation and sharing of personal data between Data Controllers in a safe and secure manner, under the control of the data subject.

Time Limits

Data Controllers must respond to requests for Data Portability without undue delay, and within one month. This can be extended by two months where the request is complex or a number of requests are received. Data Controllers must inform the individual within one month of receipt of the request and explain why the extension is necessary.

Information is to be provided free of charge save for some exceptions. Refusals must be explained as well as the right to complain to the Information Commissioner’s Office (ICO).

Notification Requirements

Data Controllers must inform Data Subjects of the right to Data Portability within their Privacy Notice, as required by Articles 13 and 14 of GDPR. (More on Privacy Notices under GDPR here. See also the ICO’s revised Privacy Notices Code.)

In December 2016, the Article 29 Data Protection Working Party published guidance on Data Portability and a useful FAQ. (Technically these documents are still in draft as comments have been invited until the end of January 2017). It recommends that Data Controllers clearly explain the difference between the types of data that a Data Subject can receive using the portability right or the access right, as well as to provide specific information about the right to Data Portability before any account closure, to enable the Data Subject to retrieve and store his/her personal data.

Subject to technical capabilities, Data Controllers should also offer different implementations of the right to Data Portability, including a direct download opportunity and allowing Data Subjects to directly transmit the data to another Data Controller.

Impact on the Public Sector

Local authorities and the wider public sector might be forgiven for thinking that the Data Portability right only applies to private sector organisations which process a lot of personal data based on consent or a contract e.g. banks, marketing companies, leisure service providers, utilities etc. Major data processing operations in local authorities (e.g. for the purposes of housing benefit, council tax etc.) are based on carrying out public functions or statutory duties and so are excluded. However, a lot of other data operations will still be covered by this right e.g. data held by personnel, accounts and payroll, leisure services and even social services. An important condition is that the Data Subject must have provided the data.

The Government has confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union. All Data Controllers need to assess now what impact the right to Data Portability will have on their operations. Policies and Procedures need to be put into place now.

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

New Webinar on GDPR and the Right to Data Portability. Register onto the live session or watch the recording.

GDPR and the Role of the Data Protection Officer


The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25th May 2018.

In the UK, it will replace the Data Protection Act 1998 (DPA). With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

You might be forgiven for thinking that the Brexit vote means that there is no need to worry about GDPR (being a piece of EU legislation) or that its effect will be time limited. The Government has now confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union.

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The Article 29 Data Protection Working Party has now clarified this in its recently published guidance (the A29 Guidance) and a useful FAQ. Technically these documents are still in draft as comments have been invited until the end of January 2017.

Who needs a DPO?

For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations (Article 37(1)):

  a) where the processing is carried out by a public authority or body

Public authorities and bodies are not defined within the legislation. The guidance says that this is a matter for national law. It’s fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement e.g. councils, government departments, the health sector, schools, emergency services etc.  However it is likely to also cover private companies that carry out public functions or deliver public services in the area of water, transport, energy, housing etc. (See also the decision in Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC) which considers the definition of public authorities under the Environmental Information Regulations 2004.)

Purely private companies not involved in public functions or delivering public services will only need to appoint a DPO if they engage in certain types of data processing operations explained in Article 37:

  b) where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale

Under this provision, companies whose primary activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems, monitoring smart meters etc. will be caught by the DPO requirement.

c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and  offences

The A29 Guidance states that the “and” above should be read to say “or” (a diplomatic way of saying the proof-readers did not do their job!). Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998 e.g. ethnic origin, political opinions, religious beliefs, health data etc. This provision will cover, amongst others, polling companies, trade unions and cloud providers storing patient records.

Unless it is obvious, organisations that don’t need to appoint a DPO should keep records of their decision making process. The A29 Guidance suggests that it will still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement e.g. housing maintenance companies, charities delivering social services etc. A group of undertakings may appoint a single DPO provided that he/she is easily accessible and there are no conflicts of interest.

Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services (regardless of whether payment is taken) and any entity monitoring the behaviour of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

The DPO’s Tasks

According to Article 37(5), the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39. These are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation;
  • to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority (the ICO in the UK);
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Qualities

The A29 Guidance states:

“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices including an in depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Act Now has recently launched its GDPR Practitioner Certificate aimed at upskilling existing and future DPOs in both the public and private sector. To learn more please visit our website or download the flyer.

The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. He/She reports to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.

Article 38(2) of GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” The A29 Guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management
  • Sufficient time for DPOs to fulfil their duties
  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • Official communication of the designation of the DPO to all staff
  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • Continuous training

The DPO will be at the heart of the data protection framework for many organisations, facilitating compliance with the provisions of the GDPR. Now is the time to appoint one to ensure that you get the most suitably qualified. Some say 28,000 will be required in the UK and US. Others have even suggested there will be a skills shortage!

There is certainly a lot to learn and do in less than 18 months when GDPR comes into force. Training and awareness at all levels needs to start now.

Do you think mandatory Data Protection Officers under GDPR will lead to higher salaries for DPOs?
Participate in our Twitter survey:

https://twitter.com/ActNowTraining/status/816980420357132290

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

Google rang me!


The world of information is shrinking. Here’s a heart warming story about a very large organisation and an individual who plays a funny game called petanque.

In our efforts to broaden our appeal and get ourselves on the map (the only map that matters – Google maps) – we dropped a pin at our ground in a park in Huddersfield and asked Google for a business listing. They were happy to list us. All we had to do was fit into their strict model. We had to choose what business we were involved in. Petanque club wasn’t a valid answer, we had to select sports complex which sounds very grand for a 30m by 12m pitch composed mostly of gravel but no matter.

Next step was to verify the location and the business. This is where it went wrong again. There were 2 options verify by phone or verify by postcard. Strangely phone verification wasn’t available so we had to opt for postcard. Trouble is, our patch of gravel doesn’t have a regular post delivery. It doesn’t have a building let alone a door or a letterbox. So Google couldn’t contact us by mail. They had driven past us and photographed the hedge alongside our pitch but maybe they were on automatic pilot at the time.

A quick trawl through the support pages provided a solution. Give another address for the postcard – any address will do as long as you receive post at it. Once you have received the postcard, verified that the club is at an address where it isn’t, then change the address to what you really want. Strange that a multi zillion dollar international company would allow this simple ruse but that’s what their customer support recommended so I did it. Google said it would have to check my change of address before re-verifying it.

Today Google rang me.

I knew it was them as my phone said +1(650) 253-2000 and helpfully suggested the call was coming from Mountain View, CA, United States. Someone over there asked if I was Huddersfield Petanque Club and did I live at xxxx Road to which I replied yes and no. They asked me to explain and I told them the story.

They asked 2 tough security questions. What’s Greenhead Park? Is it a neighborhood or an estate? (It’s a park). They repeated the question not understanding my reply so I added it’s a green space in the middle of a town. That did the trick. Next question was what is Marsh Gates. Is it a Neighborhood or an estate? (it’s a set of gates at the entrance to the park). They understood this.

So they verified the club and we should now be on Google Maps. Next step is changing our picture from a street view image of my front door to a picture of our playing area.

If you want to see our website try https://huddersfieldpetanque.wordpress.com

Happy Christmas and a peaceful new year to all our readers.


GDPR: The Rise of Information Risk?


By Scott Sammons

Risk Management is one of the things that many people claim to know about. Often though, their lack of knowledge is exposed when they end up either focusing on the wrong risks or creating some complicated process that educates no one and leads everyone on a merry dance. And truth be told it can be quite difficult to understand; which may explain why people switch off from it or create complex processes to support the basic principles of managing risk.

However, the future is here and managing risks to information is about to go from a reasonably unknown practice into a full blown framework and way to help manage your GDPR compliance. (And selfishly as someone that has done Information Risk Management for a few years now I can finally say, “Yippeeee!”).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018. Throughout the GDPR there are references to the capturing and management of data protection risks. Combine that with the need under GDPR to demonstrate compliance, and therefore to demonstrate the management of risks to that compliance, and we are likely to see a quick rise in Information Risk as a discipline / practice / skill.

‘Information risk’ up until today has been a varied discipline. If you were to Google the term, or speak to any recruitment agency, they would say that Information Risk was the domain of ‘Cyber Security’. Currently, outside of the NHS toolkit, the only other country wide frameworks that make reference to information risk management are ISO 27000 and 27001. But not everyone goes for these, or indeed has a need to, so what we are left with is an information risk management practice that varies greatly in approach and usefulness.

The GDPR doesn’t give you chapter and verse on how to implement it. However, it does, in several areas, reference the need to do it, and as it becomes embedded we will start to see further standards on what it should look like.

Firstly, and in the most obvious place, is Article 25 ‘Data Protection by Design and Default’. This article outlines the requirements for embedding Data Protection principles into the very core of new designs and ideas for products and services. Article 25(1) outlines that Data Controllers should implement appropriate technical and organisational measures to mitigate the risks posed against the rights and freedoms of the natural person by the processing proposed. Now, in order to determine what is ‘appropriate’ as a control you need to have first determined the likelihood and impact of that particular threat materialising.

Voila! A risk management process is born.

Similarly Article 35, ‘data protection impact assessment’ (DPIA), talks about a very similar process with regards to risks to Data Protection. In a DPIA, a Data Controller would assess the risks to the rights and freedoms of natural persons posed by the processing in scope and determine, with the DPO where appropriate, what controls should be put in place that are appropriate to the level of risk. This assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Or, in other words, everything that you would expect to see in a risk assessment under current risk assessment practices (especially if you already engage in information risk as a discipline).

Article 32 ‘Security of Processing’ goes a little further and states the below:

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
     (a) the pseudonymisation and encryption of personal data;
     (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
     (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
     (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Here we see the familiar areas of Information Security Risk Management, with some little tweaks to make it relevant for GDPR. But again, the principle is that you know what your threats and vulnerabilities are so that you can assess them and then ensure your technical and organisational measures are appropriate to the level of risk. You can’t effectively know one without the other.

Another key area where risk and risk assessments come into play relates to Breach Notification in Article 33 (the Authority) and Article 34 (the data subject). In both articles the requirement to notify applies unless the breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’.

Please note, however, that the wording in Article 34 swaps this around and says the duty to inform the data subject is there if there is a high risk to the rights and freedoms of natural persons.

Other areas that either reference the need to manage risk or, as above, only become necessary where a risk management process determines it, are:

  • Prior Consultation (article 36)
  • Tasks of the Data Protection Officer (article 39)
  • Derogations for specific situations (international data transfers) (article 49)
  • Tasks of the Supervisory Authority (Article 37)
  • Tasks of the Data Protection Board (Article 70)

As we all know the GDPR is long and has the potential to become infinitely complicated depending on what processing you are doing, therefore you cannot possibly hope to comply with 100% of it 100% of the time. Find me someone that can and I’ll show you a magician. Therefore you need to ensure that you have a robust and easy to understand risk management process in place to manage your GDPR risks and determine what areas need more focus and what areas are ‘low risk’.

If you’ve not started your GDPR implementation programme yet, one thing that has worked well for me when determining where on earth to begin with this is to complete a data inventory, which includes why information is being processed, and to do a risk assessment on that inventory. What areas show up as massive gaps in current compliance, let alone GDPR, and what show up as minor tweaks? Once you have a reasonable level of overview you can then start to prioritise and logically see how things fit into place leading up to 2018. You can also see what areas of risk you can carry forward past May 2018, as currently there is no expectation from any of the supervisory authorities that you will have / be 100% compliant by day 1.

Scott Sammons CIPP/E, AMIRMS is an experienced Data Protection & Information Risk practitioner and blogs under the name @privacyminion. He is on the Exam Board for the GDPR Practitioner Certificate.

Read more about the General Data Protection Regulation and attend our full day workshop.

New GDPR Practitioner Certificate Launched!


Act Now Training Limited is pleased to announce the launch of its new GDPR Practitioner Certificate (GDPR.Cert).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018 despite the Brexit vote. Indeed the Government has confirmed that GDPR is going to be part of UK law even after the UK leaves the EU. So say hello to Breach Notification, the Right To Be Forgotten, the joys of Privacy Impact Assessments and, in some cases, the mandatory Data Protection Officer.

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. This is going to be a challenging role. In November, the new Information Commissioner (Elizabeth Denham) said in a speech at the NADPO annual conference:

“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The course tutor is Tim Turner who says:

“GDPR is the biggest change to Data Protection in a generation. I have looked at every aspect of this revised course to equip Data Protection officers with the knowledge they need to tackle GDPR in a practical way.”

Tim will share his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering high quality practical training at an affordable price:

This new course widens the choice of qualifications for DP practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) said:

“We are pleased be able to launch this new qualification with less than 18 months to go to GDPR implementation. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future Data Protection Officers.”

To learn more please visit our website or download the flyer.

Practitioner Certificate in FOISA: Another Successful Year


Act Now Training is pleased to report that it has completed another successful year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Now in its fourth year the course is the only certificated FOI course specifically designed for Scottish delegates.

Two courses were delivered in 2016 with 22 very strong candidates from a variety of backgrounds including the local government, education, health, central government and regulatory sectors. All the delegates passed the course. Of these 3 achieved a distinction and 14 achieved a merit. The delegate feedback has been extremely positive:

“I really enjoyed the course and thought that Tim Turner really brought the subject to life. He was an excellent tutor and made this subject both interesting and informative with amusing anecdotes throughout. I would certainly go on another course being delivered by Tim Turner and I would recommend him to my peers.” LC, Glasgow Kelvin College

“Tim was an excellent tutor. His knowledge of the subject was vast and impressive. I learned a lot.” JM, Fife Council

“This is the most useful course I have participated in for a long time.” JT, Crofting Commission

Read a previous successful candidate’s observations here.

The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board is Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI).

The most recent course was delivered by Frank Rankin who has many years of experience working in the Scottish public sector. Frank said:

“The Act Now certificate brings together a fantastic cross section of FOISA practitioners from a range of organisations, large and small, across all parts of the public sector. I love sharing ideas and experience with these colleagues, and learning from their campaign stories as well.”

The Act Now Practitioner Certificate in FOISA is now the qualification of choice for FOISA professionals in Scotland. The next course, in February 2017, runs over five weeks and is already filling up. For those who are time poor we also have a one-week intensive option. More details here: http://www.actnow.org.uk/content/113

Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations. Act Now has a full programme of FOISA workshops in Scotland.