Monthly Archives: October 2019

The Countdown Clock Stalls

Shortly after he was installed in post, the new Chancellor, Sajid Javid, announced that three million new 50 pence coins celebrating Brexit would be issued on 31st October to mark the UK’s exit from the EU.  Millions more were set to be minted in the following months. The move was supposed to underline the Government’s determination to conclude Brexit by their Halloween deadline. Events of the last week mean that the Chancellor may have to shelve plans to issue millions of shiny new 50 pence coins.  How did we get to this situation?

The Prime Minister brought back his version of the Withdrawal Agreement hotfoot from Brussels, cutting short his time at the European Summit of EU heads of state. As widely predicted, a Saturday sitting of Parliament was called to vote on the deal. Despite the Government’s best intentions, the Withdrawal Agreement Bill failed to reach its Second Reading (the first hurdle for any Bill), derailed by Sir Oliver Letwin’s amendment.

A new week saw another attempt to progress the Withdrawal Agreement Bill (now referred to as “WAB”). On Tuesday the Bill returned to Parliament and, remarkably, for the first time in four attempts it won a majority in Parliament. But that wasn’t the end of the story. In order to progress, the Bill needs to secure time for Parliamentary scrutiny. The Government had proposed two days of Parliamentary time. This proposal drew considerable opposition – and not just from official Opposition MPs. As a result, this Programme Bill containing the timetable was rejected. The vote brought the progress of the WAB to a juddering halt. Suddenly the Government was forced to seek an extension from the EU to allow the passage of the WAB, possibly for as long as three months. The 31st October deadline for Brexit now looks very unlikely. Treasury officials so far remain tight-lipped on the fate of the three million commemorative 50 pence coins.

We are now in a period of political stand-off. The Prime Minister has offered considerably more Parliamentary time to scrutinise and debate the 130-odd pages of the WAB provided MPs agree to a General Election on 12th December. Meanwhile the EU has yet to decide on the length of the extension it is prepared to grant the UK to agree the terms of withdrawal. Opposition parties in the UK will not agree to a General Election until they know the terms the EU is prepared to offer. The stand-off will surely resolve itself but, at the time of writing, it is hard to predict the precise terms of this resolution.

Data Protection and the WAB

The Withdrawal Agreement Bill and accompanying Explanatory Notes are very light on data protection provisions. Each contains a single paragraph on data protection making clear that none of the current arrangements will change. This is good news for businesses planning for the future.

A good deal of the WAB is concerned with the trading status of Northern Ireland and its relationship with the remaining 27 EU Member States.

As it stands, the WAB makes Northern Ireland a member of the EU Customs Union while remaining in the United Kingdom. This is a significant advantage for Northern Irish businesses that seek to move goods or services cross-border with EU Member States. The legislation is still in draft form and remains subject to amendment, but if UK businesses wish to avoid difficulties in receiving data from other EU members they could derive significant advantage from locating their data processing capabilities in Ulster rather than on mainland UK. Just a thought…

Please contact us if you have any queries or concerns about how Brexit will affect your business.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 25th October, 2019

How to conduct a Data Protection Impact Assessment (DPIA) in 8 simple steps

Many business activities these days will entail significant amounts of data processing and transference. It’s not always clear-cut as to what your organisation does that legally requires, or does not legally require, an impact assessment on the use of personal data – i.e. a Data Protection Impact Assessment (DPIA).

People may be familiar with Privacy Impact Assessments (PIAs), which were advised as best-practice by the Information Commissioner before the EU’s GDPR made DPIAs mandatory for certain activities. Now the focus is not so much on the obligation to meet individuals’ privacy expectations, but on the necessity to safeguard everyone’s data protection rights.

DPIAs are crucial records to demonstrate compliance with data protection law. In GDPR terms, they are evidence of transparency and accountability. They protect your clients, your staff, your partners and any potential third parties. Being vigilant against data protection breaches is good for everyone – with cybercrime on the rise, it’s important that organisations prevent unscrupulous agents from exploiting personal information.

In this blog, we’ll go through a step-by-step guide for conducting a DPIA. But first, let’s see what sort of things your organisation might be doing that need a DPIA.

When is a DPIA required?

The regulations are clear: DPIAs are mandatory for data processing that is “likely to result in a high risk to the rights and freedoms” of individuals. This can be during a current activity, or before a planned project. DPIAs can range in scope, relative to the scope of the processing.

Here are some examples of projects when a DPIA is necessary:

  • A new IT system for storing and accessing personal data;
  • New use of technology such as an app;
  • A data sharing initiative in which two or more organisations wish to pool or link sets of personal data;
  • A proposal to identify people of a specific demographic for the purpose of commercial or other activities;
  • Using existing data for a different purpose;
  • A new surveillance system or software/hardware changes to the existing system; or
  • A new database that consolidates information from different departments or sections of the organisation.

The GDPR also has a couple more conditions for a DPIA to be mandatory, namely:

  • Any evaluation you make based on automated processing, including profiling, as well as automated decision-making especially if this can have significant or legal consequences for someone; and
  • The processing of large quantities of special category personal data (formerly known as sensitive personal data).

An eight-step guide to your DPIA

  • Identify the need for a DPIA
    • Looking at the list above should give you an idea of whether a DPIA will be required. But there are also various ‘screening questions’ that should be asked early on in a project’s development. Importantly, the data protection team should assess the potential impacts on individuals’ privacy rights the project may have. Internal stakeholders should also be consulted and considered.
  • Describe the data flows
    • Explain how information will be collected, used and stored. This is important to address the risk of ‘function creep,’ i.e. when data ends up getting used for different purposes, which may have unintended consequences.
  • Identify privacy and related risks
    • Identify and record the risks that relate to individuals’ privacy, including clients and staff.
    • Also identify corporate or organisational risks, for example the risks of non-compliance, such as fines, or a loss of customers’ trust. This involves a compliance check with the Principles of the Data Protection Act 2018 (the UK’s GDPR legislation).
  • Identify and evaluate privacy solutions
    • With the risks recorded, find ways to eliminate or minimise these risks. Consider doing cost/benefit analyses of each possible solution and consider their overall impact.
  • Sign off and record DPIA outcomes
    • Obtain the appropriate sign-off and acknowledgements throughout your organisation. A record of your DPIA evaluations and decisions should be made available for consultation during and after the project.
  • Consult with internal and external stakeholders throughout the project
    • This is not so much a step as an ongoing process. Commit to being transparent with stakeholders about the DPIA process. Listen to what your stakeholders have to say and make use of their expertise. This can include both employees as well as customers. Being open to consultation with clear communication channels for stakeholders to bring up data protection concerns or ideas will be extremely useful.
  • Ongoing monitoring
    • The DPIA’s results should be fed back into the wider project management process. You should take the time to make sure that each stage of the DPIA has been implemented properly, and that the objectives are being met.
    • Remember – if the project changes in scope, or its aims develop over the project lifecycle, you may need to revisit step one and make the appropriate reassessments.

This brief outline should help you to structure a DPIA and to understand when one is appropriate. Eventually, these assessment processes will be second nature and an integral part of your project management system. Good luck!

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 21st October 2019

Brexit. 14 Days to Go – A Declaration of Intent

Well, who saw that coming? Suddenly, at about 10.30 on Thursday morning, came the announcement that the UK Government and the EU have agreed a Brexit deal. It came as something of a surprise, as public pronouncements from both sides of the negotiations had been suggesting a deal was increasingly unlikely. Maybe this was expectation management in action, because out of the blue on Thursday morning came a revised Withdrawal Agreement. Importantly, the Agreement was accompanied by a new version of the Political Declaration, which outlines the direction of future UK/EU negotiations (more of this below).

Shortly after the announcement of a deal came the news that the Westminster Parliament had voted to sit on Saturday in order to ratify the Withdrawal Agreement that has been hammered out. With the Democratic Ulster Unionists and others refusing to support the agreement it is far from clear that the Agreement will win Parliamentary backing.

The Importance of Data Flows

The Political Declaration that sits alongside the draft Withdrawal Agreement is a statement of intent and is not legally binding on either the UK or the EU. Nevertheless, it is worthwhile pointing out that right up front in the Political Declaration is a section on Data Protection. The prominence of this section – second in the list of “Initial Provisions” – suggests a genuine wish to secure a basis for the transfer of data between the UK and EU once the UK has exited. The opening paragraph of the section reads as follows:

In view of the importance of data flows and exchanges across the future relationship, the Parties [the UK and EU] are committed to ensuring a high level of personal data protection to facilitate such flows between them.

It continues:

The Union’s data protection rules provide for a framework allowing the European Commission to recognise a third country’s data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020…

Positive Data Protection News for Businesses

For businesses transferring data to or from EU Member States this is encouraging. It has always been clear that should the UK leave the EU it would become a “Third Country” for data protection purposes. Transfers of data from EU Member States would have to meet an EU assessment of equivalent levels of data protection. We have seen several countries struggle to achieve equivalence standards.

Given that the UK has written the provisions of GDPR into UK law, it would appear, on the face of it, to be a formality to pass the European Commission’s assessment. With the publication of the Political Declaration, the EU has signalled its intention to make the equivalence hurdle as easy as possible to clear.

It is currently unclear if the Withdrawal Agreement will pass through Parliament but the crucial importance of efficient and secure data flows between the UK and Europe has been underlined by this week’s Political Declaration.

Please contact us if you have any queries or concerns about how Brexit will affect your business, or if you need help with your data protection.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 18th October, 2019

Chief Constable responds to controversy over Prevent database

If a company or public organisation is holding personal or otherwise sensitive data, it is naturally to be expected that they would maintain high standards of security and data protection. This applies regardless of the context in which the data is being processed.

Of course, there are certain categories of data that carry greater risk to the data subjects concerned than others. Personal financial details, medical records and political affiliation collected by the state all come to mind. Under the GDPR, such information is considered ‘special category data.’

You could say that all forms of data are sensitive, but some are more sensitive than others.

The Prevent database

Take, for example, the database of the government’s ‘Prevent’ scheme. Prevent compiles information on potential terrorists and other dangerous extremists.

The Prevent database naturally contains special category data alongside state security secrets. It also has the potential to seriously affect the lives of those whose data is being stored. There are all sorts of reasons why we would expect extremely high security standards from Prevent, and dread the prospect of a data breach.

On the 7th of October, The Guardian broke a story about this database. It claimed that it had discovered that the police were maintaining a ‘secret’ database of highly sensitive counter-terrorist information. The existence of the database was alleged to have human rights and data protection implications for the thousands of individuals suspected of being vulnerable to radicalisation listed on it.

Chief Constable Simon Cole’s response to The Guardian story

Chief Constable Simon Cole responded to this news story on the 9th of October, claiming that the existence of the database was not a secret and that details had already been officially published online. He said:

‘These records can only be accessed by a small number of trained Prevent police professionals. Details would only be shared with mainstream colleagues or other agencies on request and in exceptional circumstances.’

‘Documents are regularly updated and deleted if it is no longer necessary or proportionate to keep them.’

It is significant to see a public authority quoting what essentially amounts to the Prevent data protection policy in response to media queries. No doubt a Prevent DPO was consulted before this statement went to press.

Where not only data protection rights, but also national security are at stake, it is reassuring to hear that sound data protection protocols are being observed. This is a case where even the publicly-known existence of a database carries risks.

If you have any questions about data protection policies, please contact us via email team@datacompliant.co.uk or call 01787 277742.


Brexit at 20 Days. A pathway emerges

This was the week in which Brexit positions hardened.  Last Monday it became clear that EU leaders were not won over by the UK Government’s Protocol.  The Protocol was launched amid high expectations on 2nd October.  It was designed to break the deadlock and introduce a new approach to the problem of customs checks between the UK and the Republic of Ireland.

Clearly, the lukewarm response of the other EU leaders to the Protocol makes the prospect of a “No Deal” Brexit more likely.  The unattributed response from Number 10 was unequivocal.  The spokesman was quoted as saying:

“(the Government) will not negotiate further (with the EU) so any delay would be totally pointless.  They think now that if there is another delay we will keep coming back with new proposals. This won’t happen. We’ll either leave with no deal on 31 October or there will be an election and then we will leave with no deal.”

A Pathway Emerges

Nevertheless, detailed discussions between Boris Johnson and his Irish counterpart, Leo Varadkar, have taken place. The tone of the joint statement from both Heads of State sounded very different from the anonymous Number 10 spokesman. The statement said that the two had “agreed that they could see a pathway to a possible deal”. Discussions on the “pathway” are set to continue in Brussels. But now, with barely 20 days to go, we are running out of road.

What lies beyond the Summit?

The subject of Brexit looms large on the agenda for the meeting of the European Council – often referred to as the Summit. It will take place on 17th and 18th of this month, and will be attended by all the EU Heads of State (including Boris Johnson). It is difficult to predict the direction that the Summit will take.

The next day, on 19th October, is the critical date for the Benn Act (or Surrender Bill as the Prime Minister prefers to call it).  If by 19th October a Withdrawal Agreement has not been passed by Parliament, the Benn Act requires the Government to request an extension to the Brexit negotiations.  The Act suggests an extension until 31st January 2020, but this would be at the discretion of the EU. 

Significantly the Government has called a special sitting of Parliament on 19th October – the first sitting on a Saturday since the outbreak of the Falklands War.  It is unclear whether the purpose of the “Super Saturday” special sitting is to vote on a Withdrawal Agreement or to map out the Government’s strategy for a no-deal exit. 

Businesses with Clients in the EEA

It is perhaps notable that in recent days the Cabinet Office has been ramping up its communications programme on the consequences of no deal. A number of these are aimed at specific business sectors including data processors and data controllers with clients in EEA countries.

Although the Cabinet Office advice was originally published in February this year it is worthwhile taking another look in the light of the shifting political situation.

Government Advice

The Government’s advice is very clear. In summary, organisations that receive personal data from the EU/EEA should:

  • review your organisation’s contracts for data transfer;
  • consider including Standard Contractual Clauses (SCC) or Alternative Transfer Mechanisms (ATM) to ensure continuation of legal receipt of personal data from the EU/EEA; and
  • note that businesses that are part of a multinational group may be able to rely on binding corporate rules (BCRs) for intra-group transfers as an appropriate safeguard.

The full Cabinet Office advice can be found at www.gov.uk/guidance/using-personal-data-after-brexit#what-we-mean-by-receiving-personal-data

Data Protection Representatives

If you are processing EEA personal data, you will have to consider whether or not you need to appoint a European ‘representative’ in an EEA Member State. For example, you will need to appoint a representative if you:

  • have a regular client base in one or more countries in the EEA;
  • do not have an establishment in the EEA; and
  • are transferring personal data from the EEA to the UK for processing.

A European representative will act as a contact for individuals and the EU and EEA supervisory authorities in the specific countries in which you operate.  

It is worth noting that current advice from the UK supervisory authority the ICO says that:

‘You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.’

This is not a straightforward issue. It is advisable to seek advice from your data protection officer or legal advisor when conducting an assessment of whether or not you need to appoint a data protection representative in the EU or EEA Member States.

Please contact us if you have any queries or concerns about how Brexit will affect your business, or if you need help with your data protection.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 11th October, 2019


Brexit “landing zone” in sight? Less than 30 days to find out …

So now we have it. On Wednesday the Prime Minister wrote to Jean-Claude Juncker, President of the European Commission, with the Government’s proposals for a new “Protocol on Northern Ireland/Ireland”. This is an attempt to break the logjam of the Northern Ireland backstop, which has held up progress on a Brexit deal for so long in the UK Parliament.

Perhaps PM Johnson’s key line in his covering letter to Juncker is that the Proposal offers “a broad landing zone”. This suggests that the paper is a step in the direction of further talks and not necessarily the take-it-or-leave-it offer which had been briefed in advance. This clearly indicates that the intention to secure a Brexit deal remains. But there is very little time left, with only 27 days remaining on the Brexit countdown clock.

The fact that Parliament is sitting following last week’s Supreme Court ruling gives the Government an opportunity to test the waters with MPs, particularly those that objected fundamentally to the backstop arrangements.   This is important as the EU are only likely to re-enter into negotiations if they feel the resultant deal has a chance of passing with a majority in the Westminster Parliament.

Data transfer has its moment in the limelight

Meanwhile the Secretary of State for Exiting the EU, Steve Barclay, has been on manoeuvres stressing the importance of a deal, but also the importance of flexibility in negotiations. A speech in Madrid on 19th September 2019 contained a rare reference to data protection and the status of data sharing if there is a no-deal Brexit. Barclay said:

“even though the UK has adopted in full the EU acquis [the body of EU law] on data, the Commission position is businesses here in Spain will be restricted in what data they can share with the UK

That affects not just the tourism industry, not just the 45 million flights from the UK to Spain each year, that affects businesses much more widely, and I wonder within this audience how confident it is that small and medium sized businesses across Spain are fully prepared for that sort of change.”

Clearly there is still a lot to play for in the Brexit negotiations. As the Secretary of State points out, it is vital that the outcome is mutually beneficial for all parties. To quote the text of his Madrid speech:

“A rigid approach now – at this point – is no way to progress a deal – the responsibility sits with both sides to find a solution. We [the UK Government] are committed to carving out a landing zone.”

Data Compliance – Impact on UK Businesses

The UK government’s approach to transfers is to recognise existing EEA countries as offering adequate data protection from the point at which the UK leaves the EU. Any formal discussion of the UK’s adequacy, in contrast, will not take place until after the UK has left the EU.

To ensure that data continues to flow, businesses must act to:

  • review data flows from the EU;
  • ensure that all data transfers from the EU are covered by the appropriate transfer mechanism, such as the standard contractual clauses;
  • ensure internal documentation states that transfers will be made to the UK;
  • update privacy notices to inform individuals that transfers will be made to the UK; and
  • consider whether or not you need to appoint a Data Protection Representative in the EU.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or emailing teambrexit@datacompliant.co.uk

Gareth Evans, 4th October 2019