By popular demand Act Now Training has added an extra course in London for its GDPR Practitioner Certificate. This course is aimed at those undertaking the role of Data Protection Officer under GDPR, whether in the public or the private sector. It will teach delegates essential GDPR skills and knowledge.
The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
The new London course starts on 1st April 2019. Subsequent dates are 8th April, 15th April and 29th April.
This course has been super successful since launch. We ran it over 60 times in 2018 alone with over 900 delegates being trained. You can read some of the feedback here.
Make 2019 the year you achieve a GDPR qualification. Book early to avoid disappointment.
For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.
Well, about that. 28 now becomes 27, as the United Kingdom has decided by a slim margin to vote itself out of the European Union and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?
The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) is saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.
Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.
In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.
Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.
Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.
The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments is very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look at the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.
Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.
The GDPR Right to be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.
Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.
BUT WHAT ABOUT….
Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.
And that’s definitely not now!
Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.
To leave or to remain. What a difficult question and the citizens of the UK are wrestling daily with this issue under an intense barrage of claim and counter claim.
But sneaking under the radar are hundreds of breaches of Data Protection law some involving thousands or millions of data subjects. Not noticed them? If you work for a large organisation like BT or JCB your boss will have communicated to you that you should vote the way he thinks. He’s not the only one. Large companies are using the email address they hold for payroll purposes to communicate a political message to their staff. Principle 1 says
“Personal data shall be processed fairly and lawfully (and according to a condition from Schedule 2 and/or 3)”
They could look for a justification in Schedule 2 but they’d be better looking in Schedule 3 as political data is sensitive. So consent turns into the more demanding explicit consent, but which employee ever consents to his data being used to tell him which way to vote, and which employer ever thought he’d need to help his employees with voting? Old faithful Schedule 2 (6) allows
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
Which data subject would accept that political lobbying is warranted with his payroll data and who would ever say that voting recommendations were a legitimate interest of your boss. So all schedules are out of the window. So they can’t do it lawfully and/or fairly. Principle 1 breached.
Principle 2 says
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
Specified means set out in the fair processing information given to the data subject and in the notification sent to the Commissioner. So if an organisation hasn’t told its employees that it will use their personal data to push a political end, it can’t do it. Principle 2 breached.
It may be that these companies are stretching the definition of personnel & payroll to include ‘what might happen to your pay if we left the EU’ but it’s quite a long stretch. It may end up with someone in authority making a judgement one day. But time is short and it’s unlikely anyone will be interested after the polling stations close.
And employers trying to influence people’s opinions or beliefs in this way fall within the ICO definition of direct marketing.
Quite a few of these fit neatly with the leave/remain issue. If employers are doing it by electronic means then PECR applies. You could argue that a corporate email address isn’t personal data but there are plenty who will argue that it is. (But PECR’s only concerned with subscribers isn’t it?)
Further afield European businessmen are trying to help us make up our mind as well.
An email sent to a few million people recently (all the people who’ve ever flown with Ryanair) was brazenly labelled Brexit Special. Even with a public service announcement thrown in it clearly used email addresses collected for administration of air travel to influence voting intentions.
So there’s a possibility that millions of data subjects are having their rights infringed and Breaches of the DPA are legion. Captains of industry could argue that it’s their personal view to leave/remain not the corporate body that holds the payroll data but that just opens up another can of worms doesn’t it. We may get as far as a criminal offence of procuring or unauthorised obtaining if the boss uses the company data for a personal purpose.
At least it’s only a few breaches of the Data Protection Act. It could be worse – they could be lying to us.
It’ll all be forgotten on Friday morning. (Until the next referendum)
Act Now can help you prepare for the Regulation. Our one day GDPR workshops are ideal for those wanting to get a headstart in their preparations.
The Regulation enters into force twenty days after its post-vote publication in the Official Journal and will apply two years later (May 2018), giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.
The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.
For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to keep records or complying with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover (for undertakings).
The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does though allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office (ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.
The ICO has set up a new GDPR microsite and published a 12 step guide to preparing for the Regulation. Read the Assistant Information Commissioner’s blog here about what more they are planning.
All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.
Training and awareness at all levels needs to start now. Here is a nice video to get you started.
Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.
The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.
Article 4 of the Regulation defines a personal data breach:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company Talk Talk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response especially the time it took to inform the ICO and customers.
Article 31 of the Regulation states that once the Data Controller becomes aware that a personal data breach has occurred it should, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals, for example a very minor data breach involving innocuous information about a few individuals. Where the 72 hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.
The notification must contain the following minimum information:
a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach;
a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.
Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.
The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.
Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.
Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
There is no need to communicate a personal data breach to individuals if:
(a) the Data Controller has implemented appropriate technical and organisational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or
(c) it would involve disproportionate effort. In such case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.
Even where a Data Controller has chosen not to inform Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.
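To make the decisions above concrete, here is an added example of a breach register with the 72 hour triage built in. It is not code from the original post and not an ICO or EU tool; the three risk tiers, the field names, the helper functions and the constructed sample breach (a lost laptop with an encrypted export, with a hypothetical dpo@example.org contact) are this example’s own assumptions. It documents every breach regardless of risk, works out the supervisory-authority deadline from the moment of awareness, decides whether individuals must be told (applying the three exceptions quoted above), supports phased provision of the minimum content, and refuses to build a late notification without a stated reason for the delay.

```python
"""Breach register with 72 hour triage.

Added example: not from the original post and not an official ICO or EU tool.
Risk tiers, field names and helpers are this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

AUTHORITY_DEADLINE = timedelta(hours=72)   # Article 31: "not later than 72 hours"


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass
class Breach:
    ref: str
    aware_at: datetime                 # when the controller became aware (UTC)
    nature: str
    subjects_approx: int
    records_approx: int
    risk: Risk
    # Exceptions to telling individuals (Article 32 as quoted in the post):
    unintelligible: bool = False       # (a) e.g. encrypted, key not compromised
    mitigated: bool = False            # (b) later measures: high risk no longer likely
    disproportionate: bool = False     # (c) individual contact not feasible
    # Minimum notification content; None until the investigation supplies it
    consequences: Optional[str] = None
    measures: Optional[str] = None
    updates: List[Dict[str, str]] = field(default_factory=list)

    def record(self, at: datetime, fact: str) -> None:
        """Document facts, effects and remedial action as they emerge (Article 31 register)."""
        self.updates.append({"at": at.isoformat(), "fact": fact})


def authority_deadline(b: Breach) -> datetime:
    return b.aware_at + AUTHORITY_DEADLINE


def must_notify_authority(b: Breach) -> bool:
    # Every breach is documented; only those carrying some risk go to the ICO.
    return b.risk is not Risk.UNLIKELY


def subject_notification(b: Breach) -> str:
    """'none', 'public' (press release or similar) or 'individual'."""
    if b.risk is not Risk.HIGH:
        return "none"
    if b.unintelligible or b.mitigated:
        return "none"
    return "public" if b.disproportionate else "individual"


def authority_notification(b: Breach, sent_at: datetime, dpo_contact: str,
                           reason_for_delay: Optional[str] = None) -> Dict[str, object]:
    """Build the minimum-content notice; a late notice must carry its reason."""
    late_by = sent_at - authority_deadline(b)
    if late_by > timedelta(0) and not reason_for_delay:
        raise ValueError(f"{b.ref}: {late_by} past the 72h deadline; reason required")
    outstanding = [f for f in ("consequences", "measures") if getattr(b, f) is None]
    return {
        "reference": b.ref,
        "nature": b.nature,
        "subjects_approx": b.subjects_approx,
        "records_approx": b.records_approx,
        "contact": dpo_contact,
        "consequences": b.consequences,
        "measures": b.measures,
        "phased": bool(outstanding),      # Article 31 allows information in phases
        "outstanding": outstanding,
        "reason_for_delay": reason_for_delay,
    }


# Constructed sample (not a real incident): lost laptop, encrypted customer export.
AWARE_AT = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
SENT_EARLY = AWARE_AT + timedelta(hours=20)   # inside the 72h window
SENT_LATE = AWARE_AT + timedelta(hours=80)    # 8h past the deadline
LAPTOP = Breach(ref="BR-0001", aware_at=AWARE_AT,
                nature="Laptop lost in transit; full-disk encrypted customer export",
                subjects_approx=4200, records_approx=4200,
                risk=Risk.HIGH, unintelligible=True)
LAPTOP.record(AWARE_AT, "Laptop reported missing by field engineer")

if __name__ == "__main__":
    print("ICO deadline:", authority_deadline(LAPTOP).isoformat())
    print("Notify ICO:", must_notify_authority(LAPTOP))
    print("Tell individuals:", subject_notification(LAPTOP))
    notice = authority_notification(LAPTOP, SENT_EARLY, "dpo@example.org")
    print("Phased:", notice["phased"], "outstanding:", notice["outstanding"])
```

The encryption exception only holds while the key is out of the attacker’s reach, so `unintelligible` is a judgement the incident lead records, not something the register can infer; likewise `mitigated` should be revisited as the investigation develops, since a breach first logged as "none" for individuals can become "individual" once the facts change.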
Article 77 states that:
“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.
Currently the ICO can issue fines (Monetary Penalty Notices) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.
The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.
But we’re not quite at the finish line yet. You can even choose whether you think the finish line is when the Regulation gets its rubber-stamped approval (which is imminent), or when it is finally implemented (which is probably two years away).
Nevertheless, the notorious Trilogue negotiations are over. The EU Council and Parliament have agreed the compromise texts. Years of uncertainty about whether there would be a new EU law, and what it would look like, are over.
What should you make of it? First, we did mean ‘texts’, as the Regulation (a new Data Protection law applying equally across all EU member states) is accompanied by a Directive (new rules for Data Protection when applied to crime and justice, implemented by each state with greater flexibility). Second, many of the headline-grabbers survive intact – many organisations will require a Data Protection Officer, mandatory breach reporting is coming, and the maximum monetary penalties are 4% of an organisation’s annual turnover, which represents something of a defeat for the EU Council, who aimed much lower.
Proposals to remove charges for subject access may make many organisations wince. Even at first glance, there are some surprises; most notably a requirement for parents to consent for their children to access some web services if under 16 – although this age can be lowered by national governments to 13. This proposal surfaced late in the negotiations, and its implications still need to be unpicked.
The Regulation is about identifying and dealing with risk, about building structures within your organisation, and taking a more organised, more proactive approach to Data Protection. The fundamentals remain largely unchanged; what the Regulation does is build a whole new set of structures and routines on top of those foundations.
The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.
Now is the time to Act!
There is a lot to learn and a lot to do in the next few years. Firstly, all Data Protection Officers and information professionals need to read the Regulation and consider its impact on their organisation. Here are the key points of the Regulation to get you started.
Secondly training and awareness at all levels needs to start now. This is where Act Now can help. Whether you want a relevant DP qualification or a short briefing on the Regulation to kick-start your preparation.
For Data Protection Officers (new and old), who need to get a formal qualification, our Data Protection Practitioner Certificate is ideal. The course looks at the current law as well as the forthcoming changes set out in the Regulation particularly the issues of consent, privacy impact assessments and data subjects’ rights. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.
We are also running a series of full day workshops throughout the UK which are filling up fast. More dates will be added soon. We can also offer full or half-day in-house briefings on the Regulation from the middle of January 2016.
Finally, for those whose budgets were depleted by the Christmas party or may just not have the time, we have planned a series of one hour webinars looking at various aspects of the Regulation in detail.
The future of Data Protection throughout the EU has now been decided. The text of the new EU Data Protection Regulation has been finalised. This will be formally adopted by the European Parliament and Council at the beginning of 2016. It will come into force two years thereafter.
Most of the big talking points of the last few years have survived in one form or another, but with some surprises. In this blog post I’ll give you an overview of some of these, then over the next few months we’ll look at individual areas in subsequent posts and see what this means for us here in the UK.
The Regulation does indeed apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. There is still the requirement to establish a representative within the EU, but it means that entities are now directly responsible for compliance with this regulation (and not just their EU based entity) if they are processing EU citizens’ personal data in any way.
Pseudonymisation, Profiling, Genetic Data, Biometric Data are all specifically defined in the regulation and very much as you would expect. There is however a new definition for health data that now outlines not only that health data is anything relating to the mental or physical health of a person but also any information that can reveal information about their health status. This means that it is very clear that, for example, if a list of email addresses on a mailing list for people who receive HIV treatment is disclosed that is a definite and clear disclosure of health data and not just personal data.
There are now six Data Protection principles which broadly cover the same themes as previously. Personal data must be:
1. Processed fairly, lawfully and in a transparent manner. As previously discussed, transparency now requires controllers to provide more information to the data subject at the point of collection, and again when that processing changes, for example if the information is to be used for a purpose other than that for which it was originally collected (where the other rules of the regulation permit this, of course).
2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose, with some exceptions for further processing for archiving, public interest or research purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes. This now brings in the talked about “data minimisation” principle which we have already seen, but not quite as explicit as this new regulation lays out.
4. Accurate & kept up to date. No real changes here, this remains the same.
5. Kept in a form that permits identification no longer than is necessary. Again with exceptions for archiving and research purposes.
6. Processed in a way that ensures appropriate security of the personal data. No major change here, except an explicit reference to “integrity and confidentiality” of the personal data.
Where consent is required in order to legitimise the processing (which is limited under the regulation) then the controller must be able to demonstrate clearly that he has clear & unambiguous consent for each purpose that consent is required.
The regulation now also states that for “Information Services” if information is to be processed on a child of under 16 years of age then consent must be obtained from the parent. The regulation does however allow member state laws to lower this threshold where appropriate but not below the age of 13 years.
Special Categories of Personal Data:
So the term “Sensitive Personal Data”, as known under the Data Protection Act, has now gone and been replaced with the term a few EU countries use, “special categories”. These are broadly similar to the current list; however the definition is now any data “revealing” racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data (processed for the purpose of identifying someone), data concerning health, or sex life and sexual orientation.
Data Subjects Rights:
The list of rights that a Data Subject can exercise has been widened (sort of). There are some new things in here, but most of this is a reshuffling of existing rights. It’s also worth noting that the controller must provide clear, transparent and electronic methods for the data subject to exercise those rights. The list now includes:
Restriction of processing,
Right to object (to marketing, profiling, research)
Right to object to automated individual decision making (including profiling).
Right to lodge a complaint with a supervisory authority
Data Protection by design & Data Protection Impact Assessments:
Data Controllers are expected to include data protection controls at the design stage and can certify that they have such controls via approved certification schemes.
Where a new technology etc is looking to collect personal data that poses potentially high risks to personal data the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory Authorities can then also produce lists as to what sort of processing would warrant such an assessment and what ones would not. These assessments, where appropriate, may also need the input from Data Subjects and indeed the supervisory authority.
While notification to a regulator has gone, Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, data categories, recipients (can be categories), transfers to third countries, time limits for erasure and a general description of the technical & organisational measures in place protecting this data.
That highly discussed breach notification point has finally come down to 72 hours. So the regulation now outlines that controllers have 72 hours from being made aware of the breach to notify the supervisory authority. You can however notify later providing you have a “reasoned justification”.
And now the really juicy stuff. Fine amounts. As predicted these are “staggered” so that not all breaches will result in 20 million Euros.
For breaches / non-compliance of the following you can receive a fine of up to 2% of global annual turnover (for undertakings) or 10 million euros. The regulation doesn’t outline automatic fines for single breaches but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for ‘qualification’ for fine amounts based on the extent of the non-compliance.
Consent for children’s data (article 8)
Processing not requiring identification (article 10)
Data Protection by Design (article 23)
Joint Controllers (article 24)
Representatives of the controller within the EU (article 25)
Processors (article 26)
Processing under the authority of the controller and processor (article 27)
Records of processing activities (article 28)
Co-operation with the supervisory authority (article 29)
Security of processing (article 30)
Notification of the breach (article 31)
Communication to data subject of the breach (article 32)
Data Protection Impact Assessment (article 33)
Prior consultation (article 34)
Designation of the Data Protection Officer (article 35)
Position of the Data Protection Officer (article 36)
Tasks of the Data Protection Officer (article 37)
Certification (article 39)
For breaches of the following you can receive a fine of up to 4% of global annual turnover for undertakings or 20 million euros.
Principles of Data Protection (article 5)
Lawfulness of processing (article 6)
Conditions for Consent (article 7)
Processing special categories of personal data (article 9)
Rights of the Data Subject (articles 12-20)
Transfer of personal data to third countries (articles 40-44)
Powers of the Supervisory Authority (article 53)
Data Protection Officer:
Good news DPOs we have a future! Our future isn’t as “all powerful” as the first text but it does pretty much cement the Data Protection Officer as a key role within a public body and medium to large private enterprises. Key points are;
A single Officer can be appointed for multiple entities, taking into account their structure and size.
Officer shall have expert knowledge in Data Protection law & practices.
Can be a staff member or contractor.
Their contact details must be published to data subjects and the supervisory authority.
Should be involved in all matters affecting personal data.
Shall be protected from being dismissed / coerced while performing their duties under the regulation.
DPOs are to inform staff of the controller of their responsibilities under the regulation & monitor the controller’s compliance with its responsibilities.
International Data Transfers:
So, no major changes here but some key emphasis that is worthy of being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and control the safe list. Standard Model Contract Clauses are also a viable method for transfer and now Binding Corporate Rules are explicitly outlined as a method of transfer too.
Supervisory Authorities:
The bulk of the wording here is nothing new. Supervisory authorities need to be independent, monitor compliance, and be proactive in producing guidance and standards etc., but there are some subtle changes. The authority has the powers to:
Order the controller, processor or representatives of either to provide information in relation to its objective.
Carry out investigations in the form of audits.
Notify controllers and processors of infringements
Obtain from the controller / processor access to any personal data in relation to its objective
Obtain access to premises including access to equipment (in line with local law)
Issue warnings, reprimands, orders to comply, order controller to inform a subject of a breach, impose a ban on processing, order a rectification, issue a fine and order a suspension of international data flows
That’s it for this post but there is a lot more content in the DP regulation and I should imagine a few more discussions and blogs to come looking at specific areas and what this means for the future. As always it will be a practical discussion on what this means in real terms.
All that’s left is to wish you a peaceful and restful festive period and I very much look forward to discussions and working with you as we go into 2016 and ever closer to the regulation being here!
I recently took part in an ‘Information Awareness’ week for a local council. This was an event for council staff involving various training sessions revolving around a certain theme. Last year the sessions were on the theme of game shows and this year the theme was films.
I was lucky enough to draw the session title ‘Per-mission Impossible’ which would be looking at the subject of consent and permissions in their various forms. I make a point of not naming organisations I work with but credit for the title of this blog must go to them.
We had some really interesting discussions around what people believe are the current pitfalls and benefits with consent and what people think of the new world of consent as proposed by the European Union (EU) in their Data Protection Regulation.
We started with the current world and looked at the guidance from the Information Commissioner’s Office (ICO). Their Guide to Data Protection states;
“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
This is primarily aimed at Data Controllers who are looking to use consent as a justification for the processing of personal data especially, and more explicitly, where that data is sensitive in nature.
Bearing this in mind, there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a Data Subject on the phone or sat in front of you, more interested in resolving their query or issue than in understanding what is happening with their personal data. Personally I’ve always seen the matter of consents and permissions as a customer service issue. Yes, there are things that we must do as part of compliance, and things we must be able to demonstrate as part of our compliance. However, the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes, “tax doesn’t have to be taxing.” Well, “permissions don’t have to be a mission”. (I know, it was the best I could come up with on short notice!)
If you treat the gaining and subsequent management of permissions as a “compliance task” then that mind-set will be to always see it as a nightmare and a hurdle to overcome. However if you approach it as you would any other aspect of customer service and apply good customer service principles, you will get much closer to a compliant permissions model. It also puts you in something of a good position for the future.
Another aspect of the discussion around permissions and consent management involves the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.
Regardless of the channel through which you communicate with the Data Subject, the only effective method for tracking consents/permissions is an electronic database that either forms part of, or interacts with, your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference, how do you ensure that the preference is captured and updated accordingly throughout the organisation?
These are important discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the proposed EU Data Protection Regulation comes into force.
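The points above (one record of consent shared across every channel, kept current when a preference is expressed anywhere in the organisation, and able to show when, where and how consent was obtained) are easier to reason about with a concrete design in front of you. The following is an added example written for this post, not code from the original author or from any organisation mentioned here. It is a minimal append-only consent ledger: events are never edited, the latest event per subject and purpose decides the current position, and the absence of any record is treated as no consent (an opt-in model). The subject ids, channel names, notice versions and evidence references are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One affirmative act (opt-in) or withdrawal, captured on any channel."""
    subject_id: str
    purpose: str           # e.g. "marketing_email" (hypothetical purpose label)
    given: bool            # True = opt-in, False = withdrawal
    channel: str           # "web", "phone", "post" ... (hypothetical labels)
    recorded_at: datetime  # timezone-aware time of the act
    notice_version: str    # which privacy notice the subject was shown
    recorded_by: str       # agent id or system that captured the event
    evidence_ref: str      # call reference, form id, scan reference, etc.


class ConsentLedger:
    """Append-only consent record shared by every channel of the organisation.

    Events are never edited or deleted; the latest event per subject and
    purpose determines the current position, and the absence of any event is
    treated as no consent (opt-in, not opt-out).
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Refuse records that could not later be demonstrated properly.
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        if not event.purpose:
            raise ValueError("purpose must be specific, not blank")
        self._events.append(event)

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Every event for this subject/purpose, oldest first (stable on ties)."""
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(matches, key=lambda e: e.recorded_at)

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        hist = self.history(subject_id, purpose)
        return hist[-1] if hist else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """No record at all means no consent; a withdrawal overrides an opt-in."""
        latest = self.current(subject_id, purpose)
        return latest is not None and latest.given

    def demonstrate(self, subject_id: str, purpose: str) -> Dict[str, object]:
        """Evidence pack answering 'when, where and how was consent obtained?'"""
        return {
            "subject_id": subject_id,
            "purpose": purpose,
            "consent_in_force": self.has_consent(subject_id, purpose),
            "events": [
                {"given": e.given, "channel": e.channel,
                 "at": e.recorded_at.isoformat(), "notice": e.notice_version,
                 "by": e.recorded_by, "evidence": e.evidence_ref}
                for e in self.history(subject_id, purpose)
            ],
        }

    def consenting_subjects(self, purpose: str) -> List[str]:
        """Subjects a campaign for this purpose may contact right now."""
        ids = {e.subject_id for e in self._events if e.purpose == purpose}
        return sorted(s for s in ids if self.has_consent(s, purpose))


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: S-001 opts in on the web and later withdraws by
    phone; S-002 opts in by post; S-003 never records a preference."""
    def at(day: int, hour: int) -> datetime:
        return datetime(2015, 11, day, hour, tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.record(ConsentEvent("S-001", "marketing_email", True, "web",
                               at(2, 9), "notice-v3", "webform", "form-8812"))
    ledger.record(ConsentEvent("S-002", "marketing_email", True, "post",
                               at(3, 14), "notice-v3", "agent-17", "letter-scan-0451"))
    # The withdrawal arrives on a different channel but lands in the same ledger.
    ledger.record(ConsentEvent("S-001", "marketing_email", False, "phone",
                               at(9, 11), "notice-v3", "agent-04", "call-20151109-0037"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.consenting_subjects("marketing_email"))
    print(ledger.demonstrate("S-001", "marketing_email"))
```

The design choice worth noting is that `demonstrate()` reads the same store that the marketing run reads through `consenting_subjects()`, so the evidence you would show a regulator and the list you actually act on cannot drift apart. Whether the ledger is a table in the customer database or a separate service that the customer database calls, the property to preserve is that every channel writes to and reads from the one record.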
Permissions of the Future: All roads lead to explicit…?
So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one (and apologies that it’s taken me a while).
In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes for example (which is almost always on the basis of consent) everyone will be required to “opt in” rather than opt out under the current regime (for phone and post at least). [References: European Commission Regulation Text, CH I ART 4: General Provisions – definitions (8); CH II ART 6: Principles – lawfulness of processing (a); CH II ART 7: Principles – Conditions for consent (1-4)]
When the draft text made it through the European Parliament, the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations. [References: European Parliament Regulation Text, CH I ART 4: General Provisions – definitions (8); CH II ART 6: Principles – lawfulness of processing (a); CH II ART 7: Principles – Conditions for consent (2)]
In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws and not a radical change to explicit consent regardless of context. [References: European Council Regulation Text Comparison (so far), CH I ART 4: General Provisions – definitions; CH II ART 6: Principles – lawfulness of processing (a); CH II ART 7: Principles – Conditions for consent (1)]
This post does not explore the requirements around children’s data. However the principle of “informed and explicit” consent is replicated there. This will be the subject of a different post so watch this space.
Which of these texts is likely to survive, I hear you ask? Well like most things in the world of politics that is unclear. However, if you look at it from a numbers point of view then 2 of the 3 approving bodies favour explicit consent and a requirement to demonstrate when and where that consent was collected. If I was a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.
More importantly organisations should be looking at how they currently manage and capture consents. If this is something that they don’t do (for whatever reason) then it’s time to start looking at how this can be factored into processes and staff trained so it gets woven into customer service standards.
In case you missed it, over the last week or so it has been confirmed that the European Council has agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage, but alas no. Instead this version now goes back to the Commission & Parliament for tripartite discussion and agreement. This really is the final stage of the legal process, in which the Council, the EU Parliament and the EU Commission will now negotiate on this document to agree a final text that can become law (promise… it really is the last stage).
There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.
The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6, recital (40) and Article 19(1). The Council is looking to approve final wording on the legitimacy of processing data that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but, as a condition, allows the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation, but given that this is a move away from the current Directive’s standards it will be interesting to see if the Council and Parliament accept that.
The Council also appears to be looking for further discussion on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118), (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely, it is looking to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (i.e. it can be clearly demonstrated that it wasn’t their fault). It makes sense but, again, how that will go down with the Parliament and Commission will be interesting.
I’ve now had the chance to read through this updated text and, in short, it smells an awful lot like a beefed up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission, and indeed in the Parliament draft, has been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some of the aspects of the regulation even invite member states to write complementary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive, you know…)
Here’s a quick summary for you:
Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
Member states can decide if fines are to be used on public sector bodies.
Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
Article 79a – Fines of up to 500,000 euros or 1.0% of previous year global annual turnover for any of the above or;
Does not provide information in a timely manner to a data subject
Does not provide access or rectify data belonging to the data subject
Does not erase personal data belonging to the data subject
Processes data in violation of any restrictions on processing outlined in Article 17 (Notification obligation regarding rectification, erasure or restriction).
Does not communicate any rectification, erasure or restriction requests to 3rd parties
Does not provide the data subject with their personal data.
Continues processing after an objection to processing has been received and there is no viable reason for legitimate processing.
Does not provide data subject with information about the right to object to processing of information for marketing purposes.
Does not sufficiently determine responsibilities of joint controllers.
Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
Article 79a – Fines of up to 1,000,000 euros or 2.0% of previous year global annual turnover for any of the above or;
Processes information without a legal basis for doing so or does not obtain appropriate consent.
Does not comply with conditions for automated decision making & profiling.
Does not implement measures to demonstrate compliance with Articles 22 (Obligations of the controller) and 30 (Security of processing).
Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
Processes or instructs the processing of personal data in violation of Article 26 (Processor).
Does not alert on or notify a personal data breach, or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject, in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
Does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment), or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior consultation).
Misuses a data protection seal or mark in the meaning of Article 39 (Certification), or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
Carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
Does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1b), or does not provide access in violation of Article 53(1) (Powers).
Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. These need approval by the EU Data Protection Board but can be developed per member state, per sector.
Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
Article 12 – Removal of charging for SARs remains.
Article 70 – Removal of need to register all processing of personal data remains but instead only high risk processing must be registered (at no charge) and will be published by the supervising authority.
Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General Text, paragraph 55)
Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.
This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months the majority of Data Protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. Netherlands are implementing a general DP breach notification law from next year). Some are even using the principle of the Regulation in the interpretation of current law (the ‘right to be forgotten’ for example).
I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).
So time has gone on a little bit and we are now 3 years down the line from when the European Commission released its proposed revised Data Protection framework on January 25th 2012. Some may say that progress has been slow but is that truly the case? We appear to have come a long way from a proposal that was written off as a “non-starter” to a piece of legislation that has seen more political discussion and campaigning than any other piece of legislation in the EU’s history.
So where are we then? In my last post (and apologies that it has been a while since my last post) we went through some of the key agreed texts from the European Parliament and outlined what the next steps in the Regulation’s journey might be. On the whole the ‘official’ actions coming out of the EU have been quiet over the last 10 months or so mainly due to the changes in Parliament Members and the change to the European Presidency.
On December 4-5 2014 at the Justice and Home Affairs Council meeting several of the key points around the Regulation were discussed. While official statements were limited there were some key areas that were discussed and some ‘formal’ stances announced.
‘One Stop Shop’: On the whole the Council and Parliament seem in favour of this idea; however there is still intense discussion around how this will be implemented in practice. What is certain is that both the Parliament and Council won’t allow the Commission to have the final say on EU-wide Data Protection issues as proposed in the Commission’s text. Very much a “we will have anything except that” viewpoint. All institutions have, however, agreed that DP Authorities will need, and indeed do need, more resources and technical capability.
Right to erasure, data access, and correction: The contested so-called “right to be forgotten” has been limited by the Parliament so that only those publishing personal data in breach of data protection law are obliged to ensure every copy is deleted. The regulation currently seems to call for a meaningful balance between freedom of expression and freedom of information on the one hand, and the protection of personal data on the other. While there is an understanding in Parliament that the “right to be de-listed” as spelt out in the Google Spain judgement of the European Court of Justice in May 2014 is already contained in the text, the Council is still discussing the need to add specific wording.
Informed consent: Data Subjects essentially must be informed about what happens with their data, and they must (in principle at least) consciously agree to the data processing that is outlined (or indeed reject it without suffering harm by doing so). While the Parliament text insists on “explicit” consent as proposed by the Commission, the Council’s current version of the draft law proposes a more vague “unambiguous” consent, which seems to allow for interpretation on obtaining consent.
Legitimate Interest: The Parliament has narrowed down the “legitimate interest” of the data controller (which would allow for data collection and processing without consent) to what can reasonably be expected by the data subjects affected. The Council, however, is currently discussing allowing a change of the purpose of the data processing based on the “legitimate interest” of the data controller. There are calls from supporters of the original text for this notion to be dropped, as they state it weakens the individual’s rights under the regulation; however, such a hardening of legitimate interests does have massive impacts for industries that currently rely on legitimate interests under the current EU Directive. For example, the credit referencing industry in the UK.
Data Transfers: The Parliament continues to insist that companies are not allowed to hand over data from Europe directly to third countries´ authorities unless it is under a mutual legal assistance treaty or similar instrument based on European law. The original text contained wording to enhance this protection however this was removed after a period of lobbying by the US government. It made it back in to the Parliament’s text however doesn’t seem to be accepted for inclusion in the Council’s draft. After the Snowden revelations however there appears to be agreement that something is needed to protect against unlawful transfers of personal data.
Sanctions: The Commission originally proposed sanctions of up to two per cent of global annual turnover, and the Council seems to want to stick to this. The Parliament text looked to raise the possible sanctions to up to five per cent of the global annual turnover, or 100 Million Euros. It is unclear if the Council will support such a high percentage however it is widely accepted that such tough sanctions will discourage companies wilfully or neglectfully breaching data protection laws.
Coming up for 2015, so far we know that the Council has issued a provisional agenda for the next Justice and Home Affairs Council meeting on March 12-13 and the DP Regulation is on there for further discussion (as is a lot of other legislation due for discussion). The Council still has not committed to a concrete timeline for coming to an approved updated Regulation text, but given the current timelines and activity over that time I wouldn’t expect an agreed text until either late this year or early 2016.
Once the Council has agreed the text we then go into a ‘tri-party’ negotiation between the Council, the Parliament and the Commission. So we have come a long way, but still not far enough to have a good or ‘reasonably solid’ idea of what a final draft of the Regulation will look like. One thing is certain, however: far from this being a “non-starter” or an elephant in the room, Data Protection is very much on everyone’s mind and this will come into force one way or another.
Scott Sammons is Senior Privacy Consultant at Ernst and Young and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate, which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.