Happy New Year!
While participation in dry January is optional, compliance with ever-evolving data protection law isn't. Here are DWF's Data New Year's Resolutions for you to consider so that you can ensure that you meet your data protection obligations in 2020. In a privacy-friendly "layered" way, we've set out the resolution, and then below set out more detail as to the requirements and recommendations of each resolution!
Here is more detail on each resolution:
If you updated your privacy notices and policies around May 2018 to comply with GDPR, it is worth reviewing them in the light of guidance issued by the ICO and EDPB (Information Commissioner's Office and European Data Protection Board) since then.
Look at how and when you present them to your customers. Do you use a "layered" approach to make them easy to navigate? Do you make good use of pop-ups / text areas to present "just in time" information? If you process special category data (e.g. data about health, race or sexual orientation), the ICO has recently updated its guidance on the lawful bases you can rely on to justify this, so you may need to update your notices to reflect these (as well as the operational practices behind them). If you process children's personal data, you need to review your notices and how you share them with children in the light of the Age Appropriate Design Code of Practice, which the ICO has just submitted to the government.
Contact us to discuss how we can update your privacy notice and help you to structure your customer journey to present it in a user-friendly, but legally compliant, way.
We have been consulted by some clients who prepared for GDPR by updating their data protection policies in line with what they believed to be best practice or indeed their own operational protocols. It is important that you are able to comply with your own policies and that they are compliant, as well as accurately reflecting your operational practice – as that is what you will be judged by if they are ever scrutinised. We can help you to revise your policies appropriately. This needs to be done with care and sensitivity, which our experienced data protection specialists can offer.
Contact us to find out how we can support you with the process of reviewing and updating your policies.
The ICO has recently issued an updated draft Data Sharing Code of Practice for consultation. This has been revised to cover various changes introduced by the GDPR, including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities.
Contact us to discuss how we can help to review and update your data sharing arrangements, including drafting any necessary data sharing agreements, reviewing your privacy notices to check that they are consistent with your sharing activities and ensuring that all necessary safeguards for international transfers are in place.
The ICO has also issued updated draft guidance on dealing with SARs (subject access requests). This guidance includes the special rules on certain categories of personal data, how to deal with requests involving the personal data of other people and how to apply the exemptions.
Contact us to discuss how we can help you to optimise your SAR process, including advice on the relevant exemptions and document redaction.
The ICO has recently launched a campaign to contact all companies to remind them of their legal responsibility to pay the data protection fee. Note that this is a requirement under UK data protection law, not the GDPR. Most businesses which process personal data will have to pay the fee, unless an exemption applies. The fee ranges between £40 and £2,900, depending on the size of the organisation. While fines for non-payment are modest (150% of the applicable fee), failure to pay could result in bad publicity and reputational damage.
Clients have asked whether payment of the fee now will bring them to the ICO's attention, resulting in increased scrutiny. Over 600,000 organisations have registered to pay it, so payment is very unlikely to draw attention to your organisation. If you are concerned about your level of compliance, paying the fee is a step in the right direction, and then we can help you prioritise your compliance steps.
Contact us for advice on whether you need to pay the data protection fee, and prioritising your data protection compliance steps.
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has recently fined a telecoms provider €9,550,000 for failing to take sufficient technical and organisational measures to prevent unauthorised persons from being able to obtain customer information, in breach of Article 32 of the GDPR. People calling the telco's customer service helpline could obtain extensive personal data about a customer simply by providing the customer's name and date of birth. While businesses are understandably keen to avoid excessive ID checks which may annoy customers, these checks must be sufficient to prevent unauthorised access, and you should only provide details about people which are appropriate.
Contact us for advice on the ID requirements of GDPR and how to implement them in practice.
Given the Conservative majority in the UK's December 2019 election, it appears likely that the UK will leave the EU on 31 January 2020 on the basis of the New Withdrawal Agreement, and that the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (the "Regulations") will come into effect.
The Regulations provide for a transitional period until 31 December 2020, so data transfers from the EEA to the UK can continue as normal until then. You will need to prepare for the end of that transitional period by making sure that safeguards are in place for the future transfer of personal data from the EEA to the UK. This includes situations where you transfer the data to a processor in the EEA, who then transfers it back to you. The situation is complicated by the fact that it is by no means certain that the EU will grant an "adequacy decision" to allow data to flow from the EEA to the UK without other safeguards in place, and also that we are awaiting the decision of the Court of Justice of the EU on whether standard contractual clauses (the most frequently used safeguard) remain a valid safeguard for such transfers.
However, the Advocate General has delivered an opinion (which the Court is likely to follow) that the clauses are valid, although he expressed concerns about the EU-US Privacy Shield, which is currently a safeguard for the transfer of personal data to US organisations which have self-certified under the scheme. You also need to identify whether your organisation needs an EU representative and appoint one if necessary.
The Regulations create a "UK GDPR" and amend the Data Protection Act 2018. The key practical points are:
Contact us to discuss your international data transfers and for up-to-date advice on the most appropriate safeguards for your organisation to put in place.
We often find that fundamental principles are missed when dealing with data breaches. Human error, rushing and stress account for a significant proportion of data breaches. As with the New Year's Honours List spreadsheet, it is often emails or attachments that are sent to the wrong person, or that contain too much detail.
We can help you by providing focused and memorable data essentials training for your teams to ensure they remember data protection before doing something, and that if there is a breach, they know how to handle it.
We've seen a range of data breaches and incidents where initial breach reports to data subjects have overplayed their severity. Clearly, it is important that data subjects are aware when there are material risks to them, but conversely, if you exaggerate the risks in a breach report to data subjects, those risks are likely to be quoted back at you in one of the increasing number of data breach compensation claims, and you may be asked to pay compensation based on the risks you identified (even if they have not materialised).
Contact us for the best way to handle data breaches and data breach compensation claims.
There are lots of developments to watch for this year, including increasing regulation, the application of the Accountability principle (i.e. showing and recording how you comply, not just stating you do so), the Schrems decision regarding the model clauses and much more. Tell us what kind of updates you would like about data protection matters!