Category Archives: General Information

The GDPR and Profiling

Profiling is a very useful tool which marketers have been using for decades to understand their customers better and to target them appropriately.  However, the GDPR does make some changes to how profiling is considered which should be considered carefully before profiling is undertaken.  For the first time, profiling has been included with automated processing decision-making and the same rights apply to the individuals whose information is being profiled. So how does this affect businesses?

Profiling 2018Profiling Benefits

There are obvious benefits both to businesses and consumers in relation to profiling, which is used in a broad number of sectors from healthcare to insurance, retail to publishing, leisure to recruitment.

It is also an extremely useful tool for marketers, providing benefits of increased efficiency, savings in resource, and the financial and reputational benefits of understanding customers and establishing more personal, relevant communications with them.  The customer or individual benefits in turn from receiving fewer communications, and far more relevant messages.

What is profiling?

The GDPR defines profiling as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”

Profiling can be as simple as segmenting your own customers into groups based on gender, purchase history, and other data that the customer has provided to you during your relationship.  It becomes more complex when additional data is added to the mix, for example, adding to the information your customer has provided you, by applying data from external sources such as social media, or providers of geo-demographic or lifestyle data.

Profiling and the GDPR

As with all processing under the GDPR, those who profile individuals have responsibilities to those individuals.  Profiles must be accurate, relevant, and non-discriminatory.  All 6 GDPR Principles become critical as profiles are evolutionary, and over time, individuals’ profiles will change. So accuracy and retention are critical.  Privacy by design is key.  As is the requirement that individuals must be made aware of such profiling and of their right not to be subject to such decisions.

It’s worth noting that automated decisions can be made with or without profiling.  And the reverse is also true – profiling can take place without making automated decisions.  It’s all a matter of how the data is used.  Where manual decisions are made, Article 22 does not apply.

Consent or Legitimate Interests?

The legal basis under which profiling takes place is a matter for careful consideration.  There has been debate over whether profiling requires the consent of the individual who is being profiled, or whether legitimate interest may apply.

There will be instances where the impact of the profiling will have a legal or significant effect – for example, in financial services (mortgage yes or no), or when marketing to vulnerable customers – for example, gambling products to those in financial difficulty.  Where profiling is considered to have a legal or significant effect, an organisation will need to rely on the legal basis of Consent before profiling and making decisions on the basis of such profiling.

However, in many cases, marketing will not have such an impact, and in those cases, consent will not be required.  Instead it may be possible to rely on Legitimate Interests.  BUT before such a decision is made, a Legitimate Interest Assessment will need to be conducted.  This will need to consider the necessity of the profiling, the balance of benefits to the individuals versus the business, and the measures taken to protect the personal data and profiles involved.

The Legitimate Interest Assessment will not only help you determine whether it is appropriate to conduct the profiling on this basis, it will also provide evidence that the individuals’ rights have been considered, contributing to the business’s need to meet the GDPR’s new principle of Accountability.

 

Victoria Tuffill  7th March 2018

New GDPR Guidance in the Data Compliant Data Protection Roundup

The Information Commissioner’s Office (ICO) releases GDPR guidance on “contracts and liabilities between controllers and processors.”

GDPR 7 Months and Counting

Organisations only have until May 2018 to review, redraft and negotiate controller / processor contracts

Ahead of the May 2018 deadline for GDPR enforcement, the ICO has released a 28-page document providing “detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR.” The document aims to explain the requirements and responsibilities of data controllers as well as the new liabilities of processors. The document points out that many of the requirements may already be covered by existing contracts, but that the expansion and clarification of contractual clauses to evidence compliance with all aspects of the new regulations will likely be necessary.

Under the new regulations, contracts will be required between data controllers (the organisations responsible for the holding and use of the data) and data processors (those involved in the collection and ‘processing’ of data). This written contract or “other legal act” is to “evidence and govern” the working relationship of both parties. Under the current rules, these contracts are only advised as a measure to demonstrate compliance when necessary.

iStock_000030770786Medium

EU Commission encourages standard contractual clauses and certification schemes (yet to be drafted)

It is noted that “standard contractual clauses” as well as certification schemes for contractual codes of conduct provided by the EU Commission or a supervisory authority such as the ICO will be allowed and encouraged by the GDPR, but that as yet none have been drafted.

Emphasis is given to the GDPR’s expansion of liability to include data processors as well as controllers, the former now liable to pay damages or become subject to penalties if not found compliant. On top of this, processors will need to have contracts with other processors (sub-processors) if they are to utilise their services, with written authorisation from the controller.

What needs to be included in the contract:

Contracts must explain:

Contract

Contracts must explain several key points – if not, you will be fined!

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller

Contracts must, as a minimum, require the processor to:

  • Only act on the written instructions of the controller
  • Ensure that people processing the data are subject to a duty of confidence
  • Take appropriate measures to ensure the security of processing
  • Only engage sub-processors with the prior consent of the controller and under a written contract
  • Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
  • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  • Delete or return all personal data to the controller as requested at the end of the contract
  • Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Common Thread Network (CTN) announces Patricia Poku as new co-chair alongside Information Commissioner Elizabeth Denham

The CTN, the forum for data protection and privacy authorities among Commonwealth countries, has appointed a new co-chair to sit alongside the incumbent UK Information Commissioner. The decision was made at the CTN Annual General Meeting on 25th September. The organisation promotes cross-border co-operation for data security and privacy objectives.

Patricia Poku, also recently appointed as Executive Director and Member of the Board for the Data Protection Commission of Ghana, has worked as Head of Data Protection for the 2012 London Olympic Games and Global Director for Data Protection & Privacy at World Vision International.

cyber attack

Increasing cybercrime is driving transational cooperation

With the rise of cybercrime and data abuse as international phenomena, not only on the level of government operative activities but also syndicate-level action usually involving the use of malware and the new universal digital currency Bitcoin, transnational co-operation is more important than ever, and gaining in participants. In July, South Africa joined the CTN and in August, the Cayman Islands issued its first Data Protection Bill, working for “adequacy with the EU directive,” the GDPR.

Policies and Procedures Cropped

Global traction for best-practice polices

That the GDPR necessitates organisations outside the EU fulfilling data protection adequacy standards with EU member states if they wish to do business or in any way process data in Europe indicates that the best-practice policies encouraged by the GDPR may find global traction – and organisations such as the CTN have an important role to play in these processes. GDPR-level policies and practices will be especially desirable given the emphasis the ICO has been putting on the benefits to consumer trust that robust data protection provides. It should be viewed that in a global digital economy, data protection best-practice makes commercial sense.

Written by Harry Smithson

GDPR and Accountants

Tax returns onlineGDPR Debate

On Monday, 16th October, Data Compliant’s Victoria Tuffill was invited by AccountancyWeb to join a panel discussion on how GDPR will impact accountants and tax agents.

The other members of the panel were our host, John Stokdyk, Global Editor of AccountingWEB, who kept us all on the straight and narrow, while asking some very pertinent questions; Ian Cooper from Thomson Reuters who gave strong insights into technical solutions; and Dave Tucker from Thompson Jenner LLP, who provided a very useful practitioner viewpoint.

GDPR in General

There is a presumption that every professional body is fully informed of all compliance regulations within their field of expertise.  But the continuing barrage of changes and adjustments to European and British law makes it easy to drop the ball.

GDPR is a typical example.  To quote the Information Commissioner, Elizabeth Denham, it’s “The biggest change to data protection law for a generation”. Yet for many accountants – and so many others – it’s only just appearing on the radar.   This means there’s an increasingly limited amount of time to be ready.

GDPR has been 20 years coming, and is intended to bring the law up to date – in terms of new technology, new ways we communicate with each other, and the increasing press coverage and consumer awareness of personal data and how it’s used by professional organisations and others.  GDPR has been law for 17 months now, and it will be enforced from May 2018.

GDPR and Accountants

So what does GDPR mean for accountants in particular?

  • Accountants will have to deal with the fact that it’s designed to give individuals back their own control over their own personal information and strengthens their rights.
  • It increases compliance and record keeping obligations on accountants. GDPR makes it very plain that any firm which processes personal data is obliged to protect that data – for accountants that responsibility is very significant given the nature of the personal data an accountant holds.
  • There are increased enforcement powers – I’m sure everyone’s heard of the maximum fine of E20,000 or 4% of global turnover, whichever is higher. But also, the media have a strong hold on the whole area of data breaches – and often the reputational damage has a far greater impact than the fine.
  • Accountancy firms must know precisely what data they hold and where it’s held so they can they assess the scale of the issue, and be sure to comply with the demands of GDPR.

The video covers key points for practitioners to understand before they can prepare for compliance, and summarises some initial steps they should take today to prepare their firms.

The other members of the panel were our host, John Stokdyk, Global Editor of AccountingWEB, who kept us all on the straight and narrow, while asking some very pertinent questions; Ian Cooper from Thomson Reuters who gave strong insights into technical solutions; and Dave Tucker from Thompson Jenner LLP, who provided a very useful practitioner viewpoint.

The session can be found here:  Practice Excellence Live 2017:  GDPR.

It is a 45 minute video, so for those with limited time, I have broken down the areas covered into bite-size chunks:

video accountants timingsData Compliant is working with its clients to help them prepare for GDPR, so if you are concerned about how GDPR will affect your firm or business, feel free to give us a call and have a chat on 01787 277742 or email dc@datacompliant.co.uk if you’d like more information.

 

 

 

Victoria Tuffill  19th October, 2017

 

 

 

Data Compliant News Blog: Cyberattack threatens over 400,000 British consumers, Data Protection Bill 2017 published and fines levied on councils mishandling data

Equifax data breach – hackers may have access to hundreds of thousands of British consumers’ personal details

The Information Commissioner’s Office (ICO) is investigating a hack on Equifax, a large credit rating agency based in Atlanta, USA, to find out whether and to what extent the company’s British consumers’ personal details have been obtained by the hackers. The FBI is also said to be monitoring the situation.

The cyberattack, reported earlier this month, occurred in May and July. The company has already admitted that 143 million American customers’ personal details have been obtained by the hackers.

Credit Cards

400,000 UK customers may be affected by Equifax breach

The US information that the hackers may have accessed includes names, social security numbers, dates of birth, addresses and driving licence details, as well as over 200,000 credit card numbers.

The ICO told Equifax that the company must warn British residents of the data breach and inform them of any information relating to them which has been obtained by the cyber attackers. The credit agency promptly issued alerts to the affected Britons, stating however that an ‘identity takeover’ was unlikely.

Britons would do well to be mindful that, once a hacker has  name, date of birth,  email addresses, and telephone numbers, it takes little effort to acquire the missing elements, which is why the ICO has warned members of the public to remain vigilant against unsolicited emails and communications.  They should also be particularly wary of unexpected transactions or activity recorded on their financial statements.

Shares in Equifax saw considerable reductions throughout the week, and two of the company’s senior executives, the Chief Information Officer and Chief Security Officer have resigned with immediate effect..

The Data Protection Bill 2017, which includes GPDR, has been published

New Law 2

GDPR is included in its entirety in the UK’s Data Protection Bill 2017, now going through Parliament

On 14th September, the Department for Digital, Culture, Media and Sport published the Data Protection Bill 2017. The Bill has been anticipated since the Queen’s speech in June, in which the government outlined its plan to implement the European-wide data protection game-changer GDPR into British law.

Culture secretary Karen Bradley explains: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit.  In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”

While the Bill inculcates the GDPR, and therefore provides the basis for data-sharing and other adequacy agreements with the EU after Brexit, the government has stated that it managed to negotiate some ‘vital’ and ‘proportionate’ exemptions for the UK.

Some of the exemptions are provided for journalists accessing personal data to expose wrongdoing or for the good of the public; scientific and research organisations such as museums if their work is hindered; anti-doping bodies; financial firms handling personal data on suspicion of terrorist financing; money laundering; and employment where access may be neededs to personal data to fulfil the requirements of employment law.

The second reading of the Bill in Parliament will take place on 10th October, after which a general debate on Brexit and data protection takes place on the 12th.

As yet, there have been few critics of the proposed legislation outside certain industries whose use of big data makes them particularly susceptible to possible data protection breaches and massive fines (£17m or 4% annual global turnover). Some industry leaders have called for exemptions, including the private pension giant Scottish Widows, who claimed GDPR-level regulations would make it impossible for them to contact some of their customers without breaking the law. However, according to the government, 80% of Britons do not believe that they have control over their information online, and the Bill enjoys widespread support at this point. The Shadow Cabinet has yet to offer any official response or criticism.

Islington Council fined £70,000 

The Information Commissioner’s Office (ICO) fined Islington Council £70,000 for failing to secure 89,000 peoples’ personal information on an online parking ticket system.

Design faults in the Council’s ‘Ticket Viewer’ system, which keeps CCTV images of parking offences, compromised the security of 89,000 peoples’ personal data. Some of this data is under the category of sensitive personal information, e.g. medical details disclosed for the sake of appealing against a parking fine.

Harry Smithson 23rd September 2017

EU & UK Data Protection Post Brexit

GDPR is a key component of the Government’s data protection paper released yesterday, relating to how a partnership between the UK and the EU could be structured in relation to the ‘exchange and protection’ of personal data post Brexit.

Regardless of Brexit, the UK intends to continue to play a leading global role in promoting data protection standards, and plans to work side by side with the EU and other global partners to protect:

  • individuals’ rights to privacy and control over their own data
  • the ability of individuals, companies and other organisations to share data to create services valued by consumers
  • the ability of law enforcement bodies to protect citizens from crime and terrorism

The government paper restates that the UK’s new Data Protection Bill (definitely needed – current legislation is now some 20 years old) will include not only the EU’s General Data Protection Regulation (GDPR), but also the Data Protection Directive (DPD) which relates to personal data being processed for law enforcement purposes.

This means that, when we leave the EU, both its and our own UK data protection law will be aligned.   This is important because it provides the UK with a sound base from which to achieve “adequacy status” to avoid the detrimental economic impact of any disruption in cross-border data flows.

What is Adequacy Status?

Adequacy

It is likely that the UK will require adequacy status in order for data to flow freely between UK and EEA

Each EEA country is allowed to transfer personal data freely, because all states have to comply with GDPR.

For countries that are not members of the EEA (and it is likely that the UK will fall into this category post-Brexit), the EU Commission may decide that a country’s data protection framework is “adequate”.  In these cases, data may also flow freely between EEA members and “adequate” third party countries – for example, Switzerland, Isle of Man, New Zealand.

Adequacy is probably the simplest method of achieving the free flow of data between the EU and UK post Brexit.  Other methods are available, but they are significantly more onerous in time, paperwork and cost for organisations.

How to achieve Adequacy Status

Any third country (eg UK) can request that the Commission considers them for an adequacy decision.  The Commission may then, if it wishes, assess the nature of that country’s data protection rules, enforcement, supervision and practices to satisfy themselves that they are sufficient to provide an adequate level of protection – ie “essentially equivalent” to those applied in the EU.

In order to achieve adequacy post Brexit, the UK will need to be compliant, not only with EU data protection law, but also with wider global data protection standards.  As the UK’s data protection law fully implements the EU’s GDPR and DPD, the government hopes “to agree, early in the process, to mutually recognise each other’s data protection frameworks as a basis for the continue free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit”.

  • GDPR will, in any case, continue to apply to any UK businesses offering goods or services to individuals within the EEA.
  • The UK intends to remain a safe destination for personal data with some of the strongest data protection standards in the world
  • The ICO may continue to play an active role in promoting understanding of the regulatory challenges faced both by organisations and individuals; being involved in future EU regulatory discussion;  and sharing its expertise with other EU Data Protection Authorities.

It’s worth noting that the Government paper makes it quite plain that both sides will benefit from such an arrangement.  The paper suggests that (based on various reports) around 43% of all large EU digital companies are started in the UK, and that 75% of the UK’s cross-border data flows are with EU countries.  The implication is that any disruption in cross-border data flows could harm the economies of both parties.

Clearly building a new relationship is a key element of the Brexit negotiations.  And adequacy is a vital part of that relationship.

Victoria Tuffill    25th August, 2017

Data Compliant advises on GDPR compliance. If you’d like more informaiton, please call 01787 277742 or email dc@datacompliant.co.uk

Data Compliant GDPR panic

GDPR – panic … or not?

myth or fact

GDPR – don’t get bogged down by fear-mongering and myth

GDPR is beset with myth, rumour, and so-called experts. The amount of confusion and misinformation provided is incredibly detrimental. And this is largely because many organisations and individuals who are trying to promote their services are using fear tactics to do so.

But they’re missing the point.

We have a Data Protection Act currently in place, and Privacy and Electronic Communication Regulations to support it.  Any organisation which is ignoring the current data protection legislation has every reason to panic about GDPR. Ignorance is no excuse.  And they won’t be able to get away with ignoring GDPR willfully just because they consider data protection an inconvenient restriction preventing them taking unethical actions to make more money.

On the other hand, organisations who conform to the current legislation have a head-start when addressing how to comply with the new regulation.

GDPR – a simple summary

At its simplest, GDPR is a long-overdue evolution which is primarily about all organisations (whether data controllers or data processors):

  1. putting the individual first
  2. being held accountable for protecting that individual’s data

At the same time, GDPR addresses the vast changes to the data landscape since the original data protection legislation of the 1990s:

  • it takes account of technological advances – bear in mind, there was barely an internet in the early ’90s!
  • it seeks to protect EU citizens from  misuse of their personal data wherever that data is processed
  • it addresses (at least in part) the disparity in data protection legislation throughout the EU and its members

GDPR increases both compliance obligations on the part of organisations, and enforcement powers on the part of the regulator.

Compliance Obligations:  The principle of Accountability puts a heavy administrative burden on data controllers and data processors.  Robust record-keeping in relation to all data processing is essential; evidenced decisions around data processing will be critical.

Enforcement Powers:  Yes, there are massive fines for non-compliance.  And yes, they will go up to £20,000,000 or 4% of global turnover.  But is that really the key headline?

GDPR’s Key Message:  Put the Individual First

Rights human rights

As GDPR comes closer, individuals are going to become increasingly aware of their rights – new and old

All organisations who process personal data need to understand that individuals must be treated fairly, and have, under GDPR, greater rights than before.  This means that organisations need to be transparent about their data processing activity, and take full responsibility for protecting the personal or personally identifiable data they process.

What does that mean in practice?

  • Tell the individuals what you intend to do with their data – and make it absolutely plain what you mean
  • Explain that there’s a value exchange – by all means help them understand the benefits to providing the data and allowing the processing – but don’t tell lies, and don’t mislead them
  • If you don’t want to tell them what you’re doing … you probably shouldn’t be doing it
  • If you need their consent, make sure you obtain it fairly, with simple messaging and utter clarity around precisely what it is to which they are consenting
  • Tell them all their rights (including the right to withdraw consent; to object to processing where relevant; to be provided with all the information you hold about them, to be forgotten, etc)
  • Always balance your rights as an organisation against their rights as an individual

Look out for your Reputation

shame

Never underestimate the reputational damage caused by a data breach

The Information Commissioner, Elizabeth Denham, states clearly that, while the ICO has heavy-weight power to levy massive fines, “we intend to use those powers proportionately and judiciously”.  So the ICO may issue warnings, reprimands, corrective orders and fines, but that could be the least of your worries.

Something that tends to be overlooked when talking about penalties of non-compliance is reputational damage.  All the ICO’s sanctions (from warnings to fines) are published on the ICO website.  And the press loves nothing more than a nice, juicy data breach.

So even if no fine is levied, reputations will suffer.  At worst, customers will be lost.  Shareholders will lose confidence.  Revenues will decline.  Board members will lose their jobs.  And, to quote Denham again, “You can’t insure against that.”

Victoria Tuffill     18th August 2017

Data Compliant advises on GDPR compliance – if you’d like more information, please call 01787 277742 or email dc@datacompliant.co.uk

 

GDPR – ICO Puts Trust at the Heart of Data Processing

Trust & data

Information Commissioner’s Annual Report

The Information Commissioner’s Office (ICO) published its annual report on the 13th July. It is the first time the Information Commissioner Elizabeth Denham has compiled an annual report, having taken up the post a year ago.

The report highlights the increased powers and expanding caseload and capacities  of the regulator. At a time of increasing concern about the use (and abuse) of personal information, the ICO is seeing a great deal more work.  This is, in part, reflected by an increase in staff numbers of around 8% year on year.

GDPR and Public Trust

The ICO’s foreword emphasises its commitment to regaining public trust in data controllers and processors. It is hoped that changing laws provide the regulator with an opportunity to enable individuals to trust in large organisations handling personal information. The Commissioner  states that “trust” will be “at the heart of what the Information Commissioner’s Office will do in the next four years.” Confidence in the digital economy is a consideration that the regulator acknowledges and aims to encourage, especially since the digital sector is growing 30% faster than any other part of the economy.

This echoes the government’s concerns regarding the digital economy and its relation to data protection principles that were enumerated in the Queen’s Speech and addressed by several measures including a Data Protection Bill, which is designed to implement the General Data Protection Regulation (GDPR).

In a year characterised by the impending replacement of the Data Protection Act 1998 (DPA) with the GDPR in May 2018, the report’s outline of major work undertaken leads with a nod to the many public, private and third sector organisations that will be preparing for the new legislative framework.

Consent

‘Consent,’ which has become one of the watchwords for the GDPR (and a word that will be increasingly found on the bulletin boards and coffee mugs of marketing departments) will take on a stricter legal definition soon – a marketing monolith for which the ICO anticipates organisations will seek detailed guidance.

Data Breaches

But the GDPR by no means eclipsed the ICO’s other responsibilities. Nuisance calls, unsolicited marketing and data sharing have routinely seen organisations facing fines and other civil measures. Breaches of the DPA and Privacy and Electronic Communications Regulations 2003 (PECR) such as these by a number of charities, of which the Daily Mail reported allegations in 2015, have led the ICO to issue 13 civil monetary penalties to the value of £181,000.

Indeed, some companies, Honda (whom we reported about last month) being an explicit example, have been issued fines for unsolicited marketing in breach of the DPA due to emails which asked for clarification regarding customers’ marketing preferences – which Honda for example maintained were a means of preparing for the GDPR. So while preparation for the GDPR is something to which the ICO has committed a great deal of resources, they have by no means neglected upholding the current law. The ICO has consistently made clear that it is not acceptable to break the law in preparation for another.

Monetary penalties

Overall, the ICO issued more civil monetary penalties for breaches of PECR than ever before (23), to the value of £1,923,000. It has also issued 16 fines for serious breaches of data protection principles totalling £1,624,500. It cannot be stated enough that after May 2018, these figures could skyrocket if organisations do not find ways of being compliant with the new, more expansive and rigorous legislation. Criminal prosecutions have seen a 267% increase, and the ICO has received 18,300 concerns regarding data protection brought to them – 2,000 more than last year.

Subject Access Requests (SARs)

Data controllers or organisations handling a wide range of personal data may have increasing requests for Subject Access Requests (SARs). The report states that 42% of all concerns brought to the ICO where the nature was specified were related to subject access. While these requests for data are provided under the DPA (and will be upheld with more rigour as one the data subject ‘rights’ by the GDPR) and not the freedom of information legislation, it nonetheless falls upon organisations of whatever size to be co-operative and compliant when the disclosure of information is required. It is important for organisations to train their staff to be able to recognise a SAR and act promptly.  Data controllers must recognise the importance of compliance not only with the law but with ICO audits and investigations, as well as of the necessity for efficient and conscientious data handling.

For information about how DC can help you meet the requirements of GDPR,  please email dc@datacompliant.co.uk.

Harry Smithson, July 25th 2017