Category: Brexit

The GDPR, the Data Protection Bill and Complaints

canstockphoto16242260.jpg

By Scott Sammons

The General Data Protection Regulation (GDPR) and the recently announced Data Protection Bill (DP Bill) are bigger pieces of legislation than the old Data Protection Act 1998. We already know that remedies and complaints under the Regulation are more wide ranging and entities, in effect, are now to be seen as guilty until proven innocent (reference the need to be able to ‘demonstrate compliance’ in Article 5(2)).

Both the GDPR and the DP Bill give the Data Subject the right to lodge a complaint with the Information Commissioner if the Data Subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR (GDPR Article 57 and DP Bill Section 156).

In Article 38 (4) of the GDPR, it implies that Data Subjects can raise matters (complaints) with the Data Protection Officer but doesn’t explicitly state that Data Subjects can ‘lodge a complaint with the controller or processor’. The GDPR outlines that they can exercise their rights on the controller/processor (some of which, like the right to object to automated decision making, are often only really used if the Data Subject is unhappy about something). Therefore, as with today, you will want to encourage Data Subjects (should they have a concern) to bring it to you directly rather than go to the Information Commissioner. It is likely that the ICO will continue their stance of referring complainants back to the organisation concerned first if they have just gone straight to the ICO, but I wouldn’t rely on this if I was you. The world is changing, and in order to truly embed the transparency and accountability requirements of GDPR it is far better to have a visible complaints process for Data Subjects up front.

Also, neither the GDPR nor the DP Bill explicitly states that the Data Protection Officer should be the one to investigate and resolve GDPR related complaints. They do however, in Article 39 (1)(b) and Section 69 (1)-(3) respectively, state that the DPO should ‘monitor compliance’ with the GDPR and DP Bill. Therefore the DPO should definitely be part of the complaints process, especially for ‘high risk’ complaints, but as for investigating every single complaint, I can’t see an explicit requirement for that. Therefore if you’re the DPO for your organisation reading this or the IG/DP team member that will investigate DP complaints from data subjects then this may be of use to you.

Due to the above, however, this does mean that when investigating complaints and/or accusations of non-compliance with the GDPR (or the DP Bill), you will need to be more thorough and more specific in determining exactly where a ‘breach’ may or may not lie.

For many of you this will be old news and you are most probably already doing this, but to many people formal training in ‘complaint handling’ and investigation is something new. Hopefully you’ll find this useful, and it should follow the same sort of process and standards many organisations (especially those that are regulated) will have in place.

Firstly, many people will accuse you / your organisation of wrong doing and often provide a list of areas where they believe you have gone wrong. Some will be genuine and some will be utter nonsense. But you will need to be thorough to ensure that you can genuinely separate out what is a valid complaint and what is someone’s misunderstandings/ventings/vendettas. Always start from a position of an ‘accusation is not a fact’, regardless of the ICO position of ‘guilty until proven innocent’, any failing in your compliance controls will need evidencing and a thorough complaint investigation will determine that. Each accusation should be taken seriously but it will need to be investigated and evidenced to determine whether or not it is a valid complaint and there is a ‘case’ to be answered.

When investigating the matter at hand start at the very beginning. What started this person down this path to lodge a complaint? What were the interactions with your service? Were things done correctly? Can you evidence that a particular action (either good or bad) was actually carried out or is it a case of a staff member’s word vs the complainants? As you would with a legal case look for evidence to establish facts, the less evidence you have the more likely you are to have a weak case to defend. The more evidence you have the more you can prove one way or another what occurred and if the complaint has merit.

It is likely that during your investigation you’ll determine that x process was not followed or y system failed resulting in the errors causing the complaint. If you are able to come to the conclusion that processes, systems or any controls have indeed failed it may also be worth logging an ‘adverse incident’ on the controls that have failed.

For those that have seen any of my previous post on Information Risk, when you put things in place to prevent your risks from materialising these are referred to as “controls”. These controls can range from policies, procedures, training, technical solutions, and system design to anything really that helps you control that risk. When a control or controls fails this should be recorded as an ‘incident’ so that  you can monitor the effectiveness of your controls and ensure whatever remedy you put in place to stop it re-occurring, actually helps that control (and isn’t just a default response of punish or train the staff member).

But I digress; let us go back to the complaint. Once your investigation is complete and for each aspect of the complaint you can conclude what has and what has not occurred you can start to draft a response and determine what parts of the complaint are ‘upheld’, ‘not upheld’ or ‘partially upheld’. If you imagine the ‘shopping list’ of accusations I referenced above, for each item on that list you should have a position of upheld, not upheld or partially upheld. If at any point:

Upheld is where you agree with the complainant and there is a case to be answered for. It is then up to you how you want to proceed with that complaint based on what standards and approach your organisation takes to resolving complaints. Where a complaint does look like it is to be upheld (and indeed with any ‘high risk’ complaints) you will also need to agree the outcome and actions with the Data Protection Officer.

Partially upheld are, as it says on the tin, areas where there is some merit to their complaint but it didn’t occur as they outline and/or the impacts they describe are heavily inflated / incorrect. This may still be a ‘high risk’ area even though it may only be partially upheld, therefore you may still need to ensure you have DPO sign off before issuing the response.

Not upheld are simply where you cannot evidence that what the complainant says occurs actually occurred or you have evidence to the contrary therefore their complaint is unfounded and can be, for want of a better word, rejected.

When responding back to the complainant you will need to run through each aspect of their complaint and outline your findings and why you have upheld or not upheld that aspect of their complaint. There could, for large complaints, be a mixture of upheld, partially upheld, and not upheld for the various different areas they are claiming you have not complied with the law.

If you can record all of the above, with the supporting evidence, should the complainant indeed then take their complaint to the ICO the majority of your investigative work should be complete. It can then be quickly investigated or even ‘reviewed’ by another party if that’s what your organisation prefers. In any event, if you’re the DPO or the person supporting the DPO in their tasks, this should make it easier to log, track, resolve and learn from complaints if and when you get them. Of course the ideal would be to not get any complaints, but in this world however that is never going to happen.

Life is far too imperfect, but a ‘close to perfect’ complaints and incidents process should help you manage your GDPR compliance and give you useful insight into what is going right and wrong in your organisation.

 

Scott Sammons FIIM, CIPP/E, AMIRMS is Chair of the Information and Records Management Society (IRMS) and sits on the Exam Board for our GDPR Practitioner Certificate courses (3 out of the next 5 are fully booked).

 

We have added a new course on the Data Protection Bill to our programme.

The Data Protection Bill: A Summary

canstockphoto11598539

By Lynn Wyeth

The text of the new Data Protection Bill has finally been published by the Government and at 218 pages, 194 clauses, 18 schedules and 112 pages of explanatory notes, it is a huge chunk of legalese spaghetti. You can find the main Bill in pdf form here.

As with the 1998 Data Protection Act (DPA98), the Bill is cumbersome and repeatedly refers to clauses within itself. This is compounded this time by references also to the General Data Protection Regulation (GDPR) and other pieces of European legislation. To translate all this and join all the dots you need to flick between many texts and screens, but here’s a quick summary of some of the key issues and where to find them in the Bill:

Structure of the Bill

There’s nothing hugely unexpected in the Bill, as long as you are familiar with the DPA98, additional orders added to the DPA98 over the years, the GPDR and the Law Enforcement Directive (EU) 2016/680! This has all been merged into one large Bill to try and keep what we have now plus any new requirements of GDPR and the Directive. The Bill is set out in Parts, some of which may not be relevant to all organisations.

Part 1 & 2 – Definitions and General Processing

Part 3 – Law Enforcement

Part 4 – Intelligence Services

Part 5 – Information Commissioner’s Office

Part 6 – Enforcement

Part 7 – Miscellaneous!

Law Enforcement 

Part 3 of the Bill deals exclusively with Law Enforcement under Clauses 27 -79. Organisations will only be subject to these clauses if they are

  • a Competent Authority, or
  • processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Schedule 7 lists the Competent Authorities and this includes organisations such as Government departments, Police, Fraud Office, Probation, Youth Offending Teams etc. If you don’t meet the criteria above, you don’t need to worry about this large part of the Bill.

There are some differences in Part 3 that organisations do need to be aware of if they fall into the law enforcement category. The Data Protection Officer (DPO) has extra specified tasks in clause 69, namely the ability to assign responsibilities, promote policies, undertake audits and deliver training. There is also an additional requirement to have specific audit trails (clause 60 – logging) on automated processing ensuring a log of who collected, altered, erased and transferred data amongst other things.

Public Authorities

The Bill confirms in clause 6 that where it refers to public authorities or public bodies, it means those organisations that are currently subject to Freedom of Information Act provisions. Interestingly it means any organisations brought under FOI in the future may need to consider issues such as DPOs and use of legitimate interests in future too. Housing associations and companies delivering public contracts may need to watch the FoI Private Member’s Bill going through parliament next year or the ICO’s push for extending FOI through its reports to Parliament.

Data Protection Officers

For those organisations not involved in law enforcement, their DPO will only have to undertake the tasks set out in GDPR, not the additional ones set out in clause 69. There are no extra surprises here and the Article 29 Working Party guidance on this is comprehensive about when one is required by law, the tasks it carries out and on the issue of conflict of interest. Senior managers, SIROs, Caldicott Guardians, Heads of IT or HR… none of them can be the DPO.

 Data Breaches

As expected in order to implement the GDPR requirements, any personal data breaches must be reported to the Information Commissioner’s Office (ICO), where there is a risk to an individual, within 72 hours unless there is reasoned justification (breach notification). The potential derogation for public authorities has not been taken advantage of and they, like all other organisations, could face Civil Monetary Penalties (CMPs) of up to £17m or 4% of the equivalent of annual global turnover (although the ICO can change this – perhaps due to currency fluctuation or after Brexit). The reality is that the ICO, as stated in its myth busting blog, will continue to use CMPs as a last resort and they will be proportionate.

 Children

The Bill also confirms that in the UK the child’s age in relation to information society services will apply if the child is under 13 years old rather than 16 years old. Providers of such services will have to take reasonable steps to get the consent of a parent or guardian to offer a child under 13 years the service. The definition of information society services can be found in the E-Commerce Directive and it should be noted this specific age of consent is only for this type of service. For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency. Data Protection practitioners in Scotland have the added complexity in clause 187 of separate rules for age of consent for Scottish children to reflect the existing provision there now that “a person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown”.

 Fees

As previously discussed on this blog, GDPR removes the obligation for data controllers to notify with the ICO. The ICO had expressed concerns about this and the loss of income if they could not continue with notification fees (currently £500 per annum for large organisations, £35 per annum for smaller data controllers). The Data Protection Bill therefore makes provision for the ICO to continue to require a form of notification fees under clause 129. In fact, the Bill looks like it allows the ICO to charge fees for other services too. The ICO will have to publish these fees and have them agreed by the Secretary of State. The DCMS is currently consulting on a 3-tier system with the top tier (businesses with over 250 staff) having to pay up to £1000 (with a direct marketing top up of £20).

 Conditions for processing

 The ICO has already stressed in its myth busting blog that consent is not the only condition for processing despite misleading stories elsewhere. As before, the Bill lists several conditions for processing non-sensitive personal data and sensitive (now called special category in GDPR) personal data. As we already knew from GDPR, Public Authorities can no longer rely on legitimate interests but all of the other conditions from the existing DPA98 have been brought across e.g. counselling, insurance. There’s even one explicitly for anti-doping in sport. Schedule 1 lists all of these conditions for processing special category data.

 Complaints and compensation

Clause 157 sets out what individuals can expect if they submit a complaint to the ICO and the ICO fails to address it adequately, and how the Tribunal can then become involved. Clause 159 provides for compensation claims for ‘damage’ and that can include financial loss, distress and other adverse effects. Consumer support groups are disappointed that they are not able take class actions and seek redress without the data subject’s consent, as the Government has decided against the use of that derogation.

 New Criminal Offences

There will be a new criminal offence under the Bill where anyone uses anonymised data “knowingly or recklessly to re-identify information that is de-identified personal data”. Researchers and IT testers will need to be careful that they can demonstrate anything accidently re-identified or deliberately tested is done in the public interest and doesn’t trigger this offence. Data theft will also be a recordable offence on the national police computer, as will unlawfully obtaining personal data and altering personal data in a way to prevent it being disclosed.

 Certification

Clause 16 allows for the accreditation of certification providers. The only organisations that can award certification are the ICO and the National Accreditation Body (which looks set to be UKAS). No organisation has been awarded certification yet so beware of organisations claiming they can make you a ‘certified’ GDPR practitioner at this time!

 Exemptions

 All of the familiar exemptions have been brought across from the current DPA98 e.g. crime and taxation, journalism, references, examination marks, honours, parliamentary privilege, management forecasts, legal professional privilege and negotiations. Also added is immigration, and clarity is given on archiving and research. They can all be found in Schedules 2-4, with Schedule 3 focussing on detail on health and social care, and schedule 4 on education, child abuse and adoption.

Subject Access Requests

The Bill confirms the requirements in the GDPR. You cannot charge for a Subject Access Request unless repeated or manifestly unfounded or excessive, and you must answer in one month (unless it’s excessive and it can be extended for another two months).

 What happens next?

The 2nd reading of the Bill will take place in the House of Lords on October 10th 2017. Its passage through Parliament can be tracked here. There may be some amendments made as it works its way through the parliamentary process. Several Regulations will also need to be made by the Secretary of State to implement some parts of the Bill.

STOP PRESS – 25th May 2018

The Data Protection Act 2018 received Royal Assent yesterday afternoon and comes into force on Friday.

http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted/data.htm

We have a workshop in Leeds in July:

http://www.actnow.org.uk/courses/2618

If you want a brief summary, I am doing a webinar soon:

http://www.actnow.org.uk/courses/2601

Lynn Wyeth is the Head of the Information Governance function of a large unitary public authority and has over 10 years’ experience as a Data Protection and FOI practitioner. She also delivers some of our external GDPR and GDPR Practitioner Certificate courses.

The Data Protection Bill: It’s not what you think it is!

canstockphoto16666262

Yesterday the DCMS published the long awaited Data Protection Bill 2017. Accompanying the 203 pages of the Bill there are 112 pages of explanatory notes, a 4-page factsheet and a 5-page impact assessment. With detailed cross referencing to the provisions of the General Data Protection Regulation (GDPR), this Bill is a gift to purveyors of highlighters and sticky notes!

The Bill has many aims (see below). It does not though, contrary to popular belief, incorporate the GDPR into UK law. GDPR is a Regulation and so directly applicable when it comes into force on 25th May 2018. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit the GDPR will still be the law because of the provisions of the European Union (Withdrawal) Bill (previously the Great Repeal Bill.) Paragraph 6 of the explanatory notes confirms this:

“While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.”

So why do we need a Data Protection Bill? Section 1 explains:

To fill in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules. The Bill mirrors the Government’s Statement of Intent which was published a few weeks ago. Amongst many other things, we are now clearer on the minimum age at which a child can consent to certain types of data processing, the definition of a public authority/public body, new offences, rules on automated decision making and exemptions (including for research and freedom of expression in the media.)

To make provision for a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Article 2(2)) including the processing of unstructured, manual data held by an FOI public authority.

To implement Directive (EU) 2016/680 (the Law Enforcement Directive) on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Unlike the GDPR, the Law Enforcement Directive is not directly applicable EU law; accordingly Part 3 of the Bill, amongst other things, transposes the provisions of the Directive into UK law.

To make provision for the processing of personal data by the Intelligence Services

To make provisions about the role of the Information Commissioner

To make provisions for the enforcement of data protection legislation

The second reading of the Bill will be on 10th October. Its passage through Parliament can be tracked here.

Want to know more? Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate courses are filling up fast.

We also offer a GDPR health check service.

GDPR and the Data Protection Bill: Myths and Misunderstandings

Man Reading Book and Sitting on Bookshelf in Library

On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.

The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed and exemptions (including for freedom of expression in the media.)

That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:

The Bill gives people new rights (No it does not, the GDPR does.)

The Bill is designed to sign European privacy rules into British law

(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))

The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)

Then again the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”

All this myth peddling has led to some official myth bashing too. (See the ICO’s latest blog post.)

So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!

The DCMS has today published (HT Bainsey1969 and the Open Rights Group) a list of derogation in the Bill and there proposed stance (Read here). The following stand out:

  • Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
  • Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and schedule 7 of the DPA).
  • New Offences – The Bill will create a number of new criminal offences:

Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data

Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)

Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)

  • Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
  • Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
  • Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.

Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:

  1. Raise awareness about GDPR at all levels. (Check out our full day workshop and our GDPR poster).
  2. Consider whether you need a Data Protection Officer and if so who is going to do the job.
  3. Review compliance with the existing law as well as the six new DP Principles.
  4. Review how you address records management and information risk in your organisation.
  5. Revise your privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
  6. Review your information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  7. Write polices and procedures to deal with new and revised Data Subject rights including Data Portability and Subject Access.
  8. Consider when you will need to do a Data Protection Impact Assessment

STOP PRESS – the Bill has now been published.  Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service.

GDPR Guidance finalised and more published

Stack of Files and Papers

Unless you live on the planet Zog, you will be aware that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Neither Brexit nor the recently announced General Election will have an impact on this date; GDPR is here to stay. There has been a flurry of activity from the Information Commissioner’s Office (ICO) and the Article 29 Working Party (A29WP) on the GDPR front of late.

Consent

Consent under GDPR is a thorny issue. Compare the old and the new definitions below:

Using opt out boxes and inaction as proof of individuals’ consent to processing will no longer be allowed (if indeed they ever were!). Last month the ICO launched its GDPR consent consultation. The deadline for responses has now passed but the document is still worth reading to understand how the landscape is changing.

Profiling

GDPR introduces stricter provisions to protect individuals from a type of data processing known as “profiling”. This is defined in Article 4:

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

The GDPR gives individuals a right to know profiling is taking place and in some cases allows them to object to it or require human intervention.

The ICO’s discussion paper on this topic highlights the key areas it feels need further consideration. This includes subjects like marketing, the right to object and data minimisation. The deadline for feedback is 28th April 2017. The A29WP guidelines on profiling are due to be published later this year and any feedback the ICO receives will inform that work.

Data Portability

Article 20 of GDPR gives individuals the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. This is known as the right to data portability.

In December 2016, the A29WP published draft guidance on this right and a useful FAQ. The final version was published on 5th April 2017. The key themes are the same but the latest version does clarify a few points and gives better examples. Here are the two documents compared.

Data Protection Officer

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The A29WP has now produced the final version of its DPO guidance, which was published for comments in December. Here are the two documents compared. Again the main themes of the documents are the same with some welcome clarifications in the final version.

Lead Supervisory Authority

Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data. For those that have multiple processing operations in the EU or where a breach occurs in many countries there will be a need to identify a lead supervisory authority, which will be charged with investigating the breach. The A29WP has now finalised its guidance on this topic.

Data Protection Impact Assessments

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). In some cases Data Controllers will be required to do a DPIA in relation to one or more data processing operations. It will help them assess necessity and proportionality and to manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them).

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In certain situations a DPIA will be mandatory (see Article 35(3)).

The A29WP is requesting comments on the data protection impact assessment guidelines it recently published. The deadline is 23rd May 2017. Even if you don’t want to comment its still a useful document to read to understand what steps need to be taken to raise awareness of the DPIA processes and what training will be required for those undertaking this task.

Finally, the A29WP recently published its work programme for 2016 – 2018 accompanied by a supplementary statement explaining GDPR specific priorities.  As from 2018 it will become the European Data Protection Board.

 

Our full day workshops and new GDPR Practitioner Certificate courses are filling up fast. We also offer a GDPR health check service.

The Right to Data Portability under GDPR

canstockphoto11651619

The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Whilst it will replaces the UK’s Data Protection Act 1998 (DPA), it still includes the right of the Data Subject to receive a copy of his/her data, to rectify any inaccuracies and to object to direct marketing. It also introduces new rights, one of which is the right to Data Portability.

Article 20 of GDPR allows for Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers but particularly data driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had accessed to. This in turn may lead to an increase in competition driving down prices and improving services (so the theory goes; we live in hope!).

When the Right Can Be Exercised

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject.  Firstly it has to be automated data. Paper files are not included. Secondly the personal data has to be knowingly and actively provided by the Data Subject. For example account data (e.g. mailing address, user name, age) submitted via online forms, but also when they are generated by and collected from the activities of users, by virtue of the use of a service or device.

By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller.

Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her. Therefore personal data processed by local authorities as part of their public functions (e.g. council tax and housing benefit data) will be excluded from the right to Data Portability.

It is important to not that this right does not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy polices. Nor is there a requirement to start storing data just to comply with a Data Portability request if received.

Main elements of Data Portability

Article 20(1) gives a Data Subject two rights:

  1. To receive personal data processed by a Data Controller, and to store it for further personal use on a private device, without transmitting it to another Data Controller.

This is similar to the subject access right. However here the data has to be received “in a structured, commonly used, machine readable format” thus making it easier to analyse and share. It could be used to receive a playlist from a music streaming service, information about online purchases or leisure pass data from a swimming pool.

  1. A right to transmit personal data from one Data Controller to another Data Controller “without hindrance”

This provides the ability for Data Subjects not just to obtain and reuse their data, but also to transmit it to another service provider e.g. social networking sites and cloud storage providers etc. It facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition it provides consumer empowerment by preventing “lock-in”.

The right to Data Portability is expected to foster opportunities for innovation and sharing of personal data between Data Controllers in a safe and secure manner, under the control of the data subject.

Time Limits

Data Controllers must respond to requests for Data Portability without undue delay, and within one month. This can be extended by two months where the request is complex or a number of requests are received. Data Controllers must inform the individual within one month of receipt of the request and explain why the extension is necessary.

Information is to be provided free of charge save for some exceptions. Refusals must be explained as well as the right to complain to the Information Commissioner’s Office (ICO).

Notification Requirements

Data Controllers must inform Data Subjects of the right to Data Portability within their Privacy Notice as required by Article 13 and 14 of GDPR.  (More on Privacy Notices under GDPR here.  See also the ICO’s revised Privacy Notices Code.)

In December 2016, the Article 29 Data Protection Working Party published guidance on Data Portability and a useful FAQ. (Technically these documents are still in draft as comments have been invited until the end of January 2017). It recommends that Data Controllers clearly explain the difference between the types of data that a Data Subject can receive using the portability right or the access right, as well as to provide specific information about the right to Data Portability before any account closure, to enable the Data Subject to retrieve and store his/her personal data.

Subject to technical capabilities, Data controllers should also offer different implementations of the right to Data Portability including a direct download opportunity and allowing Data Subjects to directly transmit the data to another Data Controller.

Impact on the Public Sector 

Local authorities and the wider public sector might be forgiven for thinking that the Data Portability right only applies to private sector organisations which processes a lot of personal data based on consent or a contract e.g. banks, marketing companies, leisure service providers, utilities etc. Major data processing operations in local authorities (e.g. for the purposes of housing benefit, council tax etc.) are based on carrying out public functions or statutory duties and so excluded. However a lot of other data operations will still be covered by this right e.g. data held by personnel, accounts and payroll, leisure services and even social services. An important condition is that the Data Subject must have provided the data.

The Government has confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union. All Data Controllers need to assess now what impact the right to Data Portability will have on their operations. Policies and Procedures need to be put into place now.

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

New Webinar on GDPR and the Right to Data Portability. Register onto the live session or watch the recording.

New GDPR Practitioner Certificate Launched!

2017-gdpr-flyer-001

 New GDPR Practitioner Certificate Launched

Act Now Training Limited is pleased to announce the launch of its new GDPR Practitioner Certificate (GDPR.Cert).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018 despite the Brexit vote. Indeed the Government has confirmed that GDPR is going to be part of UK law even after the UK leaves the EU. So say hello to Breach Notification, the Right To Be Forgotten, the joys of Privacy Impact Assessments and, in some cases, the mandatory Data Protection Officer.

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. This is going to be a challenging role. In November, the new Information Commissioner (Elizabeth Denham) said in a speech at the NADPO annual conference:

“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The course tutor is Tim Turner who says:

“GDPR is the biggest change to Data Protection in a generation. I have looked at every aspect of this revised course to equip Data Protection officers with the knowledge they need to tackle GDPR in a practical way.”

Tim will share his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering high quality practical training at an affordable price:

This new course widens the choice of qualifications for DP practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) said:

“We are pleased be able to launch this new qualification with less than 18 months to go to GDPR implementation. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future Data Protection Officers.”

To learn more please visit our website or download the flyer.

Brexit, Article 50 and the Great Repeal Bill: GDPR means GDPR

canstockphoto16138153

On Sunday Theresa May finally fired the starting gun for the process for the UK to leave the European Union. Article 50 of the Lisbon Treaty will be invoked “no later than the end of March next year” she told the Tory Party conference in Birmingham. This will give negotiators two years from the date of notification to conclude trading arrangements with Europe. Unless an earlier date is negotiated (very unlikely given the scale of the task), by April 2019 the UK will be on its own and no longer subject to EU laws.

The Prime Minister also promised a “Great Repeal Bill” in the next Queen’s Speech, to remove the European Communities Act 1972 from the statute book and enshrine all existing EU law into British law on the day of exit. There will then be a process whereby the vast amount of domesticated EU legislation will be sifted. The “good laws” will be retained, some laws amended and some excised from UK law altogether.

What impact do these announcements have on UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The answer in a nutshell (as I said in my July GDPR and Brexit blog post) is; keep calm and carry on (preparing)!

We now know that, whatever happens, UK Data Controllers will have to comply with GDPR for at least ten months. GDPR comes into force on 25th May 2018 but the Article 50 announcement means we will be in the EU (and subject to all its laws including GDPR) until at least the end of March 2019. Article 50 (3) states:

“The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”

However it seems now much more likely that UK Data Controllers will have to comply with GDPR for much longer beyond March 2019 (perhaps even indefinitely). The Great Repeal Bill  (if it is passed by Parliament) will implement the GDPR along with other EU legislation into our law on exit day. The Government must then decide to keep GDPR, amend it or go back to the drawing board. Practically speaking, keeping GDPR is the only option. Civil servants will have their work cut out examining 80,000 pages of EU agreements. At least with GDPR there is broad agreement amongst stakeholders including the ICO (see below) that it is a force for good.

Recently, in her first speech as the new UK Information Commissioner, Elizabeth Denham extolled the virtues of GDPR and reiterated the need to prepare for it regardless of the uncertainly about what the future relationship with the EU will look like. She also said in a BBC interview:

“The UK is going to want to continue to do business with Europe”.

“In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.

“The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment.”

Many of GDPR’s key provisions provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky. Brexit from the EU does not mean Brexit from the GDPR. 

Act Now Can Help

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.

Data Protection Reform after Brexit. Does GDPR still matter?

gdprAccording to the new Prime Minister “Brexit means Brexit.” But what does Brexit mean for UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The short answer is keep calm and carry on.

GDPR received formal adoption by the European Parliament in April 2016 and was published on 4th May in the Official Journal. This means that it will be directly applicable throughout EU member states (without the need for implementing legislation) from 25th May 2018. Following the referendum result, you might be forgiven for thinking that you can shred your copy of the Regulation or indeed cancel your place on our very popular GDPR workshop.

The UK may have voted to leave the EU but formal divorce proceedings cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed Secretary of State for Exiting the European Union, David Davis, has said Article 50 should be “triggered before or by the beginning of next year.” Therefore the UK could leave the EU by December 2018 at the earliest. Consequently there would be at least six months where UK Data Controllers would have to abide by all the provisions of GDPR. In reality exiting the EU could take much longer than two years and so we could be stuck with GDPR for much longer.

In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the Information Commissioner’s Office (ICO), released a statement saying:

“If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

In a speech on 4th July 2016 the then Minister for Data Protection, Baroness Neville-Rolfe, touched on the future of data protection: (HT Panopticon Blog)

One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”

The law firm, Bird and Bird, have set out the options available to the UK in terms of exiting the EU and its implications for data protection. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.

Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with preparations. This is because GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

Recently on the ICO’s Blog,  the message was reiterated that GDPR is still relevant and preparation must continue:

“We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”

 Data Controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years.  Many provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky.

How Act Now can help

The next two years need to be spent wisely. Training and awareness (see our poster) at all levels needs to start now. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.

And if you like our image, it, as well as some others are available as A3 Posters for the office for only £5 for three!  Take a look at the link below.

http://www.actnow.org.uk/posters

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

DP and #GDPR after #Brexit

brexit-1477615_1920

For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided on a slim margin to vote ourselves out of the European Union, and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) are saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments are very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating for pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to be Be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

And that’s definitely not now!

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.