Tag Archives: eprivacy

Politics. Fines. Data Deletion.

GDPR Regulations begin to bite

We are now beginning to see the impact of the GDPR regulations across politics, businesses and public services.  With the upcoming UK general election, the ICO is issuing timely reminders.  In Europe we are starting to see large fines being levied for GDPR breaches.

ICO Issues Letter to UK Political Parties

In a timely reminder the Information Commissioner has written to 13 political parties in the UK. The letter reminds them of their legal obligations regarding the use of Personal Data in the lead-up to the General Election. The ICO letter highlights the need for parties to:

  • provide individuals with clear and accessible information about how their personal data is being used.  This includes

    • data obtained directly from individuals

    • data obtained from third parties, including data brokers 

    • inferred data – ie data that is inferred from observed behaviour, such as reading or buying habits, responses to advertising and so on 

  • demonstrate compliance with the law. The scope here includes any third-party data processors.  For political parties, this specifically includes data analytics providers and online campaigning platforms
  • have the appropriate records of consent from individuals (where consent is the legal basis for processing) to send political messages through electronic channels (texts, emails)
  • identify lawful bases for processing special category data, such as political opinions and ethnicity.

This places political parties on the same basis as commercial organisations under UK law. 

Record Fine in Austria

The Austrian Data Protection Authority has imposed an €18 million fine on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”).  After an investigation, the Austrian DPA established that ÖPAG processed and sold data regarding its customers’ political allegiances amongst other violations.This is a violation of the GDPR.

The fine is subject to an appeal.

Record Fine in Germany

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed the highest fine issued in Germany since the EU GDPR became applicable.  Deutsche Wohnen SE, a real estate company, was fined  €14.5 million.

After onsite inspections, the Berlin Commissioner noticed the company was retaining personal data of tenants for an unlimited period. It had not examined whether the retention was legitimate or necessary.

Data should be removed without delay. once it is no longer needed for the specific purpose for which it was collected. Deutsche Wohnen SE was using an archiving system that did not enable the removal of such data. Affected data related to financial and personal circumstances, such as bank statements, training contracts, tax, social and health insurance data.

This fine should act as a strong reminder to all companies to review and update their data retention and deletion policies, processes and supporting procedures.

More news later this week. In the meantime, if you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.  You can find more blogs here.

Gareth Evans, 11th November 2019

How to conduct a Data Protection Impact Assessment (DPIA) in 8 simple steps

Many business activities these days will entail significant amounts of data processing and transference. It’s not always clear-cut as to what your organisation does that legally requires, or does not legally require, an impact assessment on the use of personal data – i.e. a Data Protection Impact Assessment (DPIA).

People may be familiar with Privacy Impact Assessments (PIAs), which were advised as best-practice by the Information Commissioner before the EU’s GDPR made DPIAs mandatory for certain activities. Now the focus is not so much on the obligation to meet individuals’ privacy expectations, but on the necessity to safeguard everyone’s data protection rights.

DPIAs are crucial records to demonstrate compliance with data protection law. In GDPR terms, they are evidence of transparency and accountability. They protect your clients, your staff, your partners and any potential third parties. Being vigilant against data protection breaches is good for everyone – with cybercrime on the rise, it’s important that organisations prevent unscrupulous agents from exploiting personal information.

In this blog, we’ll go through a step-by-step guide for conducting a DPIA. But first, let’s see what sort of things your organisation might be doing that need a DPIA.

When is a DPIA required?

The regulations are clear: DPIAs are mandatory for data processing that is “likely to result in a high risk to the rights and freedoms” of individuals. This can be during a current activity, or before a planned project. DPIAs can range in scope, relative to the scope of the processing.

Here are some examples of projects when a DPIA is necessary:

  • A new IT system for storing and accessing personal data;
  • New use of technology such as an app;
  • A data sharing initiative in which two or more organisations wish to pool or link sets of personal data;
  • A proposal to identify people of a specific demographic for the purpose of commercial or other activities;
  • Using existing data for a different purpose;
  • A new surveillance system or software/hardware changes to the existing system; or
  • A new database that consolidates information from different departments or sections of the organisation.

The GDPR also has a couple more conditions for a DPIA to be mandatory, namely:

  • Any evaluation you make based on automated processing, including profiling, as well as automated decision-making especially if this can have significant or legal consequences for someone; and
  • The processing of large quantities of special category personal data (formerly known as sensitive personal data).

An eight-step guide to your DPIA

  • Identify the need for a DPIA
    • Looking at the list above should give you an idea of whether a DPIA will be required. But there are also various ‘screening questions’ that should be asked early on in a project’s development. Importantly, the data protection team should assess the potential impacts on individuals’ privacy rights the project may have. Internal stakeholders should also be consulted and considered.
  • Describe the data flows
    • Explain how information will be collected, used and stored. This is important to redress the risk of ‘function creep,’ i.e. when data ends up getting used for different purposes, which may have unintended consequences.
  • Identify privacy and related risks
    • Identify and record the risks that relate to individuals’ privacy, including clients and staff.
    • Also identify corporate or organisational risks, for example the risks of non-compliance, such as fines, or a loss of customers’ trust. This involves a compliance check with the Principles of the Data Protection Act 2018 (the UK’s GDPR legislation).
  • Identify and evaluate privacy solutions
    • With the risks recorded, find ways to eliminate or minimise these risks. Consider doing cost/benefit analyses of each possible solution and consider their overall impact.
  • Sign off and record DPIA outcomes
    • Obtain the appropriate sign-off and acknowledgements throughout your organisation. A record of your DPIA evaluations and decisions should be made available for consultation during and after the project.
  • Consult with internal and external stakeholders throughout the project
    • This is not so much a step as an ongoing process. Commit to being transparent with stakeholders about the DPIA process. Listen to what your stakeholders have to say and make use of their expertise. This can include both employees as well as customers. Being open to consultation with clear communication channels for stakeholders to bring up data protection concerns or ideas will be extremely useful.
  • Ongoing monitoring
    • The DPIA’s results should be fed back into the wider project management process. You should take the time to make sure that each stage of the DPIA has been implemented properly, and that the objectives are being met.
    • Remember – if the project changes in scope, or its aims develop in the project lifestyle, you may need to revisit step one and make the appropriate reassessments.

This brief outline should help you to structure as well as understand the appropriateness of DPIAs. Eventually, these assessment processes will be second nature and an integral part of your project management system. Good luck!

If you have any questions about the data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742

Harry Smithson, 21st October 2019

European Council Presidency gets closer to finalising the ePrivacy Regulation

On the 18th September, the Presidency of the European Council published its proposed amendments to the draft ePrivacy Regulation which will replace the current ePrivacy Directive framework. With the new regulation in place, the EU’s framework for data protection and confidentiality of electronic communications will be complete.

ePrivacy and GDPR

How is the ePrivacy Directive and its forthcoming replacement separate to the General Data Protection Regulation (GDPR) and any other privacy regulations? Well, the Directive uses the same legal definitions of privacy and data that were brought in by the GDPR, but it attempts to make coherent legal protocols across Member States for phenomena such as unsolicited marketing and confidentiality breaches or other forms of potentially harmful electronic communication outside the personal information purview of the GDPR. In the UK, the ePrivacy Directive is implemented by the Privacy and Electronic Communications Regulations (PECR), which operates alongside the Data Protection Act 2018 (which is itself derived from the GDPR).

Draft ePrivacy Regulation

Currently provides:

  • Rules for ‘spam’ or unsolicited marketing

Unsolicited commercial communications via electronic media are prohibited under the ePrivacy Directive, unless the recipient has prior informed consent. Consent is not required, however, to send commercial emails to existing customers to advertise similar services or products (although each communication must include an opt-out option).

  • Tougher rules for the use of cookies and tags

The new rules for cookies and online identifiers in the Regulation will be tougher than the incumbent ePrivacy Directive. The Regulation now recognises the ‘storing or processing capabilities of the device,’ not just the storage and retrieval of data. This means that specific scripts and tags, currently unrecognised by the Directive’s cookie rules, will be referred to in the Regulation. Cookies usually require consent but there some exemptions, for instance in (certain forms of) analytics, essential software updates and security.

  • Secrecy requirements for ‘machine-to-machine’ and ‘Internet of Things’ communications

The Regulation attempts to differentiate between secrecy requirements on:

  • electronic communications content;
  • electronic communications metadata (data that provides information about other data); and
  • electronic communications data (common rules for both content and metadata).

Peoples’ electronic communications are generally protected by a right to secrecy, although rules may differ slightly between these categories. For instance, the Regulation finds that processing metadata is permissible for the purposes of:

  • network management,
  • network optimisation,
  • or statistics.

These rules don’t just apply to human interaction, they also apply to M2M (machine-to-machine) communication processing. The European Council Presidency’s recent amendments to the draft legislation particularly concerned the secrecy requirements for the metadata communications.

On the 24th September, the amended draft will be further discussed by the Council’s Working Party on Telecommunications and Information Society.

If you have any questions about ePrivacy and GDPR regulations, please contact us via email team@datacompliant.co.uk or call 01787 277742

Harry Smithson, 22nd September 2019