What does Brexit Mean for GDPR?

Britain has voted to leave the EU, and at this stage it seems that Parliament is going to honour the result and take us out of the EU. So what does this mean for data protection?

I don’t think there has ever been such uncertainty, confusion, difficulty and high risk over data compliance. So I thought this might help clarify what Brexit is likely to mean for the UK’s data protection legislation.

  1. If Article 50 is invoked in or after October 2016 (as suggested by David Cameron this morning) it will take at least two years and four months for the UK to leave the EU. And, given the complexities of the exit negotiations involved, it may well take longer than that.
  2. EU law will continue to apply until the moment the UK actually leaves the EU, which means that, for a minimum of 5 months, UK organisations – even those which do not process data in Europe – will be required to comply with GDPR.
  3. If Britain leaves the EU and remains a part of the EEA (like countries such as Switzerland, Norway, Iceland and Liechtenstein), it will be required to comply with GDPR.
  4. If Britain does not want to be part of the EEA, once it has left the EU it will NOT be required to comply with GDPR.
  5. However, if the UK wants to trade equally with the EU (to quote the Information Commissioner’s Office), “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.” To achieve this end, the ICO has already stated its intention to speak to the UK government to explain that “reform of the UK law remains necessary. Having clear laws with safeguards in place is more important than ever given the growing digital economy.”

Although it’s too early to know exactly what will happen to UK data protection law, what is quite clear is that all UK businesses need to continue making preparations for GDPR compliance. An excellent starting place is to ensure that you understand and comply with current legislation right now. I’d suggest the following process:

[Image: Brexit compliance process]

If you have any questions about data protection governance, compliance or security and would like a no-strings chat, please don’t hesitate to call on 0203 815 8003 or email dc@datacompliant.co.uk.

GDPR is here – Data Protection is Changing

The General Data Protection Regulation (GDPR) will become law on 25th May 2018. This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data. Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events. Just ask Morrisons, TalkTalk, eBay, Alzheimer’s Society and VTech. Under GDPR, these and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

The first issue is to understand exactly what personal data you hold. This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction, then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor. Like a river, data can be full of good and exciting things, or stagnant and disgusting.

It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep your data clean and up to date, or protect it from external or internal threats. And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchmark summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant

Remember, enforcement begins on May 25th, 2018 – now’s the time to start getting ready.

GDPR and Data Processors – a New World

Now that GDPR has been approved, companies need to start work on preparing their governance, employees and technology for the new legislation.

Among the organisations most affected by GDPR are data processors. Data processors process data on behalf of, and under the instruction of, their data controller. Now data processors must comply with the statutory requirements of GDPR and, for the first time, can be held accountable.

Failure to meet the requirements of GDPR carries significant sanctions, up to 4% of global turnover OR 20 million euros – whichever is the greater. In addition, processors still run the risk that, in the event of non-compliance or breach, their data controller can sue for breach of contract – all eye-wateringly expensive, to the point of breaking the business.

So it’s a new world for data processors, who need to take steps immediately to protect themselves against compliance and security risk. For example:

  • They must have appropriate technical and organisational measures in place to ensure the security of the data they are processing.
  • They must maintain written records relating to all personal data processing carried out for each of their data controllers.
  • They may no longer appoint new or alternate sub-processors without the authorisation of the data controller.
  • They must cooperate with the relevant supervisory authority.
  • They must notify the data controller without undue delay in the event of a data breach.
  • They must comply with GDPR in relation to cross-border data transfers.

So what kind of organisation does this affect? Data processors include a multitude of businesses from call centres, to data providers, to data service providers – cleansing, hygiene, analysis – to cloud providers and technology vendors.

Mandated contract clauses have been specified in detail under GDPR, so all existing and future contracts will need review, and are likely to need revision, as negotiations between controllers and processors become ever tougher and each party tries to tie down the areas of liability and responsibility.

There is an argument that the costs of processing may increase, which will have a negative impact for data controllers.  But there’s no doubt – data processors are now firmly in a new world of liability and penalty.

Safe Harbour out … EU-US Privacy Shield in

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

On Tuesday 2nd February an agreement was reached after several months of negotiations between Europe and the USA. This has come about following the Schrems case and the European Court of Justice ruling of 6th October 2015, which declared the old so-called ‘Safe Harbour’ framework invalid. The Safe Harbour expiry deadline was 31st January.

The EU-US Privacy Shield

Some of the key elements of the new framework are listed below:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU individuals’ rights with several redress possibilities: Any individual who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

EU-US Privacy Shield Next Steps

Vice-President Ansip and Commissioner Jourová have been mandated to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the EU Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsperson.

Safe Harbor Framework ruled “Inadequate”

What was Safe Harbour?

The Safe Harbour Framework was a cross-border transfer mechanism which complied with EU data protection laws and allowed the transfer of personal data between the EU and the USA. More details on how Safe Harbour worked can be found here.

Why was the Safe Harbour Framework invalidated?

After the recent Facebook case ruling, on 6th October, the Court of Justice of the European Union (CJEU) judged that “US Companies do not afford an adequate level of protection of personal data” and therefore the Safe Harbour Framework is now invalid.

The CJEU indicated that US legislation authorises, on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S., without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbour Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU. You can read the European Court of Justice press release here.

There have been concerns about the Safe Harbour Framework for some time and the European Commission and the US authorities have been negotiating with a view to introducing an arrangement providing greater protection of privacy to replace the existing agreement.

How can I now transfer my data to the US?

Organisations that have been using Safe Harbour will now have to review how they transfer personal data to the US and come up with alternative solutions. However, it is worth noting that the Information Commissioner’s Office has recognised that this process will take some time. And James Milligan at the DMA states that data already transferred to US-based companies under Safe Harbour will be unaffected.

In the meantime, multinational companies transferring data to their affiliates can look at using Binding Corporate Rules, which allow the transfer of data from the EEA in compliance with the 8th data protection principle.

Another legal method of transferring personal data to the US is to use the Model Contract Clauses produced by the EU for transfers of personal information outside the EU.

Michelle Evans, Compliance Director at Data Compliant Ltd.

If you are planning to transfer data between the EU and the US, and would like help on how to do so in the light of this new ruling, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk.

Charities … data protection … reputation

The ongoing stories in the press are hurting charities, which are being seen to be treating decent people – particularly vulnerable people – monstrously unfairly. The press and media are giving consumers an ever clearer perception of the charity sector as irresponsible, uncaring and aggressive in its treatment of donors. And it does the data industry no favours at all.

EU Data Protection Laws – why it’s time to get ready

EU Data Protection – Change is Coming

The new EU data protection law is getting ever closer. The clock is ticking, with major changes on the horizon relating to the way businesses will be allowed to collect, hold, store and use personal data.

New EU Regulation – what will change?

The changes to the law fall into two main areas:

  • Responsibility and Accountability …

    … which will require organisations to demonstrate stringent data governance and robust data protection policies, procedures, processes and training, starting with the Board.

  • Marketing …

    … which will impact consent (which must be obtained fairly, and be unambiguous and explicit), and will impose restrictions around tracking and profiling.

You’ll find more information about the upcoming DPA changes in relation to marketing and accountability in the guest blog I wrote for All Response Media.

When will the new EU Regulation become Law?

This has been the subject of much discussion. Justice and Home Affairs Ministers agreed amendments to the Commission Text in June, and three-way negotiations are now taking place between the EC, Parliament and Justice and Home Affairs Ministers.

It is expected that this process will be completed by December 2015, in which case the Regulation will be passed in Brussels in early 2016, and become UK law in late 2017 / early 2018.

So why do I need to start now?

While it may seem that a couple of years is plenty of time to get ready, failing to react until the big shake-up actually arrives is likely to cause chaos and confusion throughout all areas of your business.

Responsibility and accountability for the new legal requirements around data protection must lie with the Board in order to be embedded throughout all areas of the business – from sales and marketing to IT, HR to Customer Services. With that in mind, and given the huge emphasis on accountability and governance, preparation and planning are essential, and businesses need to start looking at their data governance, compliance and security measures right now.

How can Data Compliant help?

The protection of the personal data your company holds needs to be of paramount importance – it will no longer be acceptable to fall short in terms of accountability or responsibility, or to rely on loopholes in the current legislation. So please get in touch if you would like to discuss the implications of the new legislation, and to understand your obligations around data governance, security and compliance. Have a look at our website, call 01787 277742, or email victoria@datacompliant.co.uk.

Data Breaches UK – Key Stats at a Glance

The 2015 UK data breaches report shows significant rises in the number and cost of data breaches, with the growth shown in my previous blog, Data Breaches – OUCH! The infographic below summarises the key data breach stats from 2014, including a nod to the impact of new technology.

[Infographic: Data breach]

* All stats taken from the 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe.

Security and the Internet of Things

I was invited by ComputerScienceZone to share this fascinating infographic on my site – so here it is – a revealing insight into the diversity and number of “things”, combined with the risks associated with their rapid growth and poor security.

[Infographic: Security and the Internet of Things]