DP and #GDPR after #Brexit


For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided by a slim margin to vote ourselves out of the European Union, and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) is saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments is very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating for pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look at the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much as for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to Be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

Nationwide breaches of DPA


To leave or to remain. What a difficult question and the citizens of the UK are wrestling daily with this issue under an intense barrage of claim and counter claim.

But sneaking under the radar are hundreds of breaches of Data Protection law some involving thousands or millions of data subjects. Not noticed them? If you work for a large organisation like BT or JCB your boss will have communicated to you that you should vote the way he thinks. He’s not the only one. Large companies are using the email address they hold for payroll purposes to communicate a political message to their staff. Principle 1 says

“Personal data shall be processed fairly and lawfully (and according to a condition from Schedule 2 and/or 3)”

They could look for a justification in Schedule 2, but they’d be better looking in Schedule 3, as political data is sensitive. So consent turns into the slightly more difficult informed consent, but which employee ever consents to his data being used to tell him which way to vote, and which employer ever thought he’d need to help his employees with voting? Old faithful Schedule 2 (6) allows

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

Which data subject would accept that political lobbying is warranted with his payroll data, and who would ever say that voting recommendations were a legitimate interest of your boss? So all the schedules are out of the window, and they can’t do it lawfully and/or fairly. Principle 1 breached.

Principle 2 says

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

Specified means stated in the fair processing notice and in the notification sent to the Commissioner. So if an organisation hasn’t told its employees that it will use their personal data for pushing a political end, it can’t do it. Principle 2 breached.

It may be that these companies are stretching the definition of personnel & payroll to include ‘what might happen to your pay if we left the EU’ but it’s quite a long stretch. It may end up with someone in authority making a judgement one day. But time is short and it’s unlikely anyone will be interested after the polling stations close.

And these employers’ attempts to influence people’s opinions or beliefs fall within the ICO definition of direct marketing.

[Image: the ICO’s definition of direct marketing]

Quite a few of these fit neatly with the leave/remain issue. If employers are doing it by electronic means then PECR applies. You could argue that a corporate email address isn’t personal data but there are plenty who will argue that it is. (But PECR’s only concerned with subscribers isn’t it?)

Further afield, European businessmen are trying to help us make up our minds as well.

An email sent to a few million people recently (all the people who’ve ever flown with Ryanair) was brazenly labelled Brexit Special. Even with a public service announcement thrown in it clearly used email addresses collected for administration of air travel to influence voting intentions.


So there’s a possibility that millions of data subjects are having their rights infringed, and breaches of the DPA are legion. Captains of industry could argue that it’s their personal view to leave/remain, not that of the corporate body that holds the payroll data, but that just opens up another can of worms, doesn’t it? We may get as far as a criminal offence of procuring or unauthorised obtaining if the boss uses the company data for a personal purpose.

At least it’s only a few breaches of the Data Protection Act. It could be worse – they could be lying to us.

It’ll all be forgotten on Friday morning. (Until the next referendum)

Act Now can help you prepare for the Regulation. Our one day GDPR workshops are ideal for those wanting to get a headstart in their preparations.

To Brexit or not to Brexit…

That is the question on everyone’s lips right now. With the EU referendum looming, the next big question is: how will the GDPR affect us should we decide to leave the EU? The majority opinion is that we will definitely be affected in some way or other by the Regulation and will most likely have to adopt all of it, maybe on a slower timeframe… But there’s no escaping it!

There are three likely outcomes should we leave the EU…

  1. We remain in the European Free Trade Association or the Economic Area (EEA) of the EU, similar to Norway, in which case we would be subject to the GDPR in order to trade with the EU
  2. We leave all trade agreements and become similar to the USA, a ‘safe third country’, in which case we would have to have a suitable level of DP regulation, which for all intents and purposes will be the GDPR
  3. We completely go solo like Geri Halliwell, Robbie Williams, Zayn Malik… okay, I’ll stop. Even in this scenario, we would have to make our own singles, do our own world tours… sorry, I mean have our own equivalent of the GDPR, or update our existing one, and where better to find one? (I can sense a Blue Peter moment coming on…)

So in short… and forgive me for my Hunger Games level of enthusiasm at being selected for the games, but the GDPR is coming one way or another… The Real Question is… Are You Ready?

Let the Games Begin!

Act Now can help you prepare for the Regulation. We have full day courses on the Regulation as well as courses available online. Please visit our website here to find out more.

Let the Fun Begin! New EU General Data Protection Regulation #GDPR is Adopted


After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has today been formally adopted by the European Parliament. The Regulation will soon be available in all the official EU languages.

The Regulation will take effect twenty days from its post-vote publication in the Official Journal (May 2018) giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.

The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to keep records or complying with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover (for undertakings).

The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does though allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office (ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.

The ICO has set up a new GDPR microsite and published a 12 step guide to preparing for the Regulation. Read the Assistant Information Commissioner’s blog here about what more they are planning.

The Regulation is accompanied by the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection when applied to crime and justice, but which can be implemented by each Member State through its own laws with greater flexibility.

All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.

Training and awareness at all levels needs to start now. Here is a nice video to get you started.

Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.

Information Commissioner Congratulates Act Now DP Practitioner Certificate Candidates

Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. In Autumn 2015, a total of 16 delegates from the local government, health, education and private sectors passed the course with flying colours. 9 delegates achieved a merit and 3 achieved a distinction.

The Information Commissioner, Christopher Graham, said:

“Congratulations to all the successful candidates. It was worth all the slog, as I am sure you will find in your future careers. And it’s good to know that there is another cohort of qualified professionals looking after our data in the increasingly competitive digital world. All organisations need to take data protection and data security seriously or risk losing their reputation – not to mention customers. The new EU data protection framework brings these issues into even sharper focus – which makes your expertise even more essential.”

Over the years this course has produced many satisfied customers:

This was an excellent course specifically designed for the day to day practical use of DP. It demystified the subject in a way which I could understand. Tim Turner is an excellent tutor with a good sound knowledge and ability to put it across. HC, West Yorkshire Police

Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too! Thanks Tim! DH, Cheshire West and Chester Council

This course was designed to be more learner friendly in the way it is examined. It shows your practical knowledge in the assessment along with your ability to use the legislation in your project. A worthwhile course for the modern day data protection officer. DJ, Northumberland CC

Since commencing in my role I was expected to develop a knowledge of and interpret the DPA. This course has embedded my understanding of the act and given me the confidence to challenge existing and new practices to ensure compliance. SD, NYFRS

I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations.
AG, Parliamentary and Health Service Ombudsman

The Data Protection Practitioner Certificate is our own qualification for those who work with Data Protection and privacy issues on a day-to-day basis. The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The emphasis of the course is on the practical skills which a Data Protection Officer needs to do their job and raise DP standards in their organisation. The course syllabus has recently been revised to include more themes covered by the new European General Data Protection Regulation (GDPR), expected to come into force in 2018.

Candidates also now have the option to take our specially designed GDPR webinars after completion and up to 12 months in the future as part of their course. This has been included for our Certificate candidates free of charge (normally £49 + VAT each), allowing them to customise their learning with the greatest flexibility and ensure their preparations for the GDPR are assisted with the most up to date information.

To learn more please visit our website or get in touch.


Data Breach Notification and the New EU Data Protection Regulation


The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.

Article 4 of the Regulation defines a personal data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However, the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company TalkTalk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response, especially the time it took to inform the ICO and customers.

Article 31 of the Regulation states that once the Data Controller becomes aware that a personal data breach has occurred, it should notify the personal data breach to the competent supervisory authority (in the UK, the ICO) without undue delay and, where feasible, not later than 72 hours after having become aware of it. There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals, for example a very minor data breach involving innocuous information about a few individuals. Where the 72-hour deadline cannot be met, an explanation of the reasons for the delay should accompany the notification.

Notification Contents

The notification must contain the following minimum information:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.

Individuals’ Rights

Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such a case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.

Even where a Data Controller has chosen not to inform Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.

Compensation

Article 77 states that:

“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.

Currently the ICO can issue fines (Monetary Penalty Notices) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.

The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.

Act Now Training can help. Please see our one-day EU DP Regulation workshops and our 1 hour webinars. We can also conduct DP audits and assessments.

New EU Data Protection Regulation. Are you ready for the biggest change to data protection in 20 years?


The text of the new EU Data Protection Regulation has now been finalised.

But we’re not quite at the finish line yet. You can even choose whether you think the finish line is when the Regulation gets its rubber-stamped approval (which is imminent), or when it is finally implemented (which is probably two years away).

Nevertheless, the notorious Trilogue negotiations are over. The EU Council and Parliament have agreed a compromise text. Years of uncertainty about whether there would be a new EU law, and what it would look like, are over.

What should you make of it? First, we did mean ‘texts’, as the Regulation (a new Data Protection law applying equally across all EU member states) is accompanied by a Directive (new rules for Data Protection when applied to crime and justice, implemented by each state with greater flexibility). Second, many of the headline-grabbers survive intact – many organisations will require a Data Protection Officer, mandatory breach reporting is coming, and the maximum monetary penalties are 4% of an organisation’s annual turnover, which represents something of a defeat for the EU Council, who aimed much lower.

Proposals to remove charges for subject access may make many organisations wince. Even at first glance, there are some surprises; most notably a requirement for parents to consent for their children to access some web services if under 16 – although this age can be lowered by national governments to 13. This proposal surfaced late in the negotiations, and its implications still need to be unpicked.

The Regulation is about identifying and dealing with risk, about building structures within your organisation, and taking a more organised, more proactive approach to Data Protection. The fundamentals remain largely unchanged; what the Regulation does is build a whole new set of structures and routines on top of those foundations.

The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.

Now is the time to Act!

There is a lot to learn and a lot to do in the next few years. Firstly, all Data Protection Officers and information professionals need to read the Regulation and consider its impact on their organisation. Here are the key points of the Regulation to get you started.

Secondly, training and awareness at all levels needs to start now. This is where Act Now can help, whether you want a relevant DP qualification or a short briefing on the Regulation to kick-start your preparation.

For Data Protection Officers (new and old), who need to get a formal qualification, our Data Protection Practitioner Certificate is ideal. The course looks at the current law as well as the forthcoming changes set out in the Regulation particularly the issues of consent, privacy impact assessments and data subjects’ rights. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

We are also running a series of full day workshops throughout the UK which are filling up fast. More dates will be added soon. We can also offer full or half-day in-house briefings on the Regulation from the middle of January 2016.

Finally, for those whose budgets were depleted by the Christmas party or may just not have the time, we have planned a series of one hour webinars looking at various aspects of the Regulation in detail.
