Tag Archives: GDPR

Lessons from Darts: Team Dynamics in Data Protection

Teams are an essential part of life – from school to adulthood, from sports to business.  A well-functioning team leads to extraordinary achievements, whether in a local darts league or a data governance team.

The Darts Team Triumph

Consider my local darts team, which recently won the team title, along with individual singles titles. This victory wasn’t just about individual knowledge and talent; it was the result of shared goals, a strategy to achieve them, collaboration, strong mentoring, and mutual support. Each of our players’ unique skills, camaraderie and collective effort all contributed to the team’s overall success. 

Transferring Team Dynamics to Data Governance

The same principles apply to data protection governance teams. Every member of the team must understand its overall objectives, and be responsible and accountable for data management and governance. The team will need a framework for success, including communication and collaboration, and creating and maintaining policies and procedures around data collection, privacy, compliance, integrity and security. And it must provide regular reports to senior management, who are ultimately accountable.

Roles, Goals and Data Stewardship

Individuals within the team will take on data stewardship roles.  In essence they will oversee the entire lifecycle of personal data from collection to deletion, and be accountable for compliance and security at all stages. All team members will support each other, sharing knowledge and expertise to help manage challenges and foster a culture of continuous improvement. And each will have their own individual areas of responsibility including embedding data protection throughout their own area of the business.

Education and Continuous Improvement

Like in darts, governance team members learn from each other’s techniques, and share knowledge, best practices and insights. This knowledge is then used to help build awareness throughout the organisation about data protection and data security, and to educate employees about crucial data protection principles.

Risk Management

Sports and business both carry risks, and the team must take responsibility for identifying, assessing and mitigating them – in data governance, for example through Data Protection Impact Assessments (DPIAs).  The team must also develop and execute its response plans so that it knows how to respond if there is a data breach or security incident.

Enabling Team Leaders

Team Leaders are crucial. They are pivotal in flowing down information to their specific areas of the business – in data governance, for example, it’s helpful to have leaders from IT, HR, Marketing, Operations, Payroll and so on. It’s those Team Leaders who will then ensure that everyone in their team understands their roles and responsibilities, and who provide the resources and training so that every individual in an organisation can thrive and contribute effectively.

Conclusion

Effective teams enable the individuals in your organisation to achieve more together than they ever could alone. With a data governance team that fosters collaboration, shared problem-solving and continuous education, your organisation will benefit from strong and highly successful outcomes.

Data Compliant International

If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742.  And for more information about how to meet your Accountability and Governance obligations, please see here. 

EU Standard Contractual Clauses – Public Consultation

This month (September 2024), the European Commission has announced that it plans to ask for public feedback on the EU Standard Contractual Clauses (SCCs) under the General Data Protection Regulation. The public consultation will take place in the fourth quarter of 2024, giving you an opportunity to have your views and opinions heard.

This is not unexpected – the GDPR’s Article 97 requires the Commission to review the GDPR’s implementation every four years (see the 2020 Evaluation Report here). The upcoming 2024 review was expected to include an evaluation of the practical application of the SCCs.

New SCCs in 2025

According to the timeline, the public consultation is imminent and due to take place in the fourth quarter of 2024. This would be followed by a draft act, planned for Commission adoption in the second quarter of 2025. You can find more information and a timeline here.

What are SCCs?

Standard contractual clauses are standardised, pre-approved model data protection clauses, which allow controllers and processors to meet their obligations under EU and / or UK data protection law. 

They are widely used as a tool for data transfers to third countries (which means those countries outside the EEA or the UK which do not have adequacy status). It is quite a simple matter for controllers and processors to incorporate them into their contractual arrangements.

The clauses contain data protection safeguards to make sure that personal data benefits from a high level of protection even when sent to a third country.  By adhering to the SCCs, data importers are contractually committed to abide by a set of data protection safeguards.

Can I change the text?

The core text cannot be changed. If parties do change the text themselves, they will no longer have the legal certainty offered by the EU act. If you amend the clauses, they can no longer be used as a basis for data transfers to third countries, unless they are approved by a national data protection authority as “ad hoc clauses”.

Even so, there are areas where the parties can make choices:

  • To select modules and / or specific options offered within the text
  • To complete the text where necessary (eg to specify time periods, supervisory authority and competent courts)
  • To complete the Annexes
  • To include additional safeguards that increase the level of protection for the data.

Impact on UK use of SCCs

There is not yet any indication of the potential impact on the UK’s International Data Transfer Agreement (IDTA) or the Addendum to the EU’s SCCs; we would expect to hear more after the EU’s public consultation.

Victoria Tuffill – 13th September 2024

If you have any questions or concerns about how and when to use SCCs, please call 01787 277742 or email dc@datacompliant.co.uk

And please take a look at our services.

Google’s British service users’ data to get US oversight

Amid perceived (or professed) uncertainty around the UK’s future GDPR adequacy status, Google executives have opted to transfer oversight of their UK data subjects from their EU subsidiary Google Ireland Limited to their American HQ Google LLC.

Cited by outlets such as Reuters and The Guardian, Lea Kissner, Google’s former lead for global privacy technology, has stated,

“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy. […] Never discount the desire of tech companies not be caught in between two different governments.”

It’s important to remember that the UK doesn’t yet retain GDPR adequacy status, which is subject to current Brexit negotiations. Officially, the Government is seeking adequacy status, and data protection regulations are not expected to constitute an obstacle to any UK-EU departure deal.

Harry Smithson, 28th February 2020

Government expands Ofcom’s role to combat ‘Online Harms’

Online harms can take a variety of forms, privacy violations being among the most notorious. Regardless of how we categorise negative internet user experiences, we know from a recent Ofcom study that 61% of adults and 79% of 12- to 15-year-olds have reported at least one potentially harmful online experience in the last 12 months.

As part of the government’s response to public consultation on the Online Harms White Paper, the DCMS announced on the 12th February that the UK’s telecoms and broadcasting regulator will also be the new online harms regulator. The Home Office and DCMS have been working together with Barnardo’s charity to provide greater protection for vulnerable internet users, particularly children, building upon growing institutional and regulatory oversight of digital services.

Unlike the General Data Protection Regulation (GDPR), which has a far-reaching purview, the regulation will likely apply to fewer than 5% of UK businesses, as Ofcom will only be responsible for monitoring organisations that host user-generated content (comments, forums etc.).

But from a data protection perspective, it’s interesting to see how GDPR terminology and values have shaped this initiative – consider, for instance, former secretary of state Nicky Morgan’s statement on the government’s response to the white paper:

“We will give the regulator the powers it needs to lead the fight for an internet that remains vibrant and open but with the protections, accountability and transparency people deserve.”

We can expect to see the official anointing of the new Ofcom coming into force under Nicky Morgan’s recent successor, Oliver Dowden.

In the meantime, the Information Commissioner Elizabeth Denham, head of the UK’s enforcer for GDPR, has welcomed this expanded Ofcom as “an important step forward in addressing people’s growing mistrust of social media and online services.”

She continues, in an ICO press release on the heels of the DCMS announcement, “the scales are falling from our eyes as we begin to question who has control over what we see and how our personal data is used.”

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 14th February 2020

How to conduct a Data Protection Impact Assessment (DPIA) in 8 simple steps

Many business activities these days will entail significant amounts of data processing and transference. It’s not always clear-cut as to what your organisation does that legally requires, or does not legally require, an impact assessment on the use of personal data – i.e. a Data Protection Impact Assessment (DPIA).

People may be familiar with Privacy Impact Assessments (PIAs), which were advised as best-practice by the Information Commissioner before the EU’s GDPR made DPIAs mandatory for certain activities. Now the focus is not so much on the obligation to meet individuals’ privacy expectations, but on the necessity to safeguard everyone’s data protection rights.

DPIAs are crucial records to demonstrate compliance with data protection law. In GDPR terms, they are evidence of transparency and accountability. They protect your clients, your staff, your partners and any potential third parties. Being vigilant against data protection breaches is good for everyone – with cybercrime on the rise, it’s important that organisations prevent unscrupulous agents from exploiting personal information.

In this blog, we’ll go through a step-by-step guide for conducting a DPIA. But first, let’s see what sort of things your organisation might be doing that need a DPIA.

When is a DPIA required?

The regulations are clear: DPIAs are mandatory for data processing that is “likely to result in a high risk to the rights and freedoms” of individuals. This can be during a current activity, or before a planned project. DPIAs can range in scope, relative to the scope of the processing.

Here are some examples of projects when a DPIA is necessary:

  • A new IT system for storing and accessing personal data;
  • New use of technology such as an app;
  • A data sharing initiative in which two or more organisations wish to pool or link sets of personal data;
  • A proposal to identify people of a specific demographic for the purpose of commercial or other activities;
  • Using existing data for a different purpose;
  • A new surveillance system or software/hardware changes to the existing system; or
  • A new database that consolidates information from different departments or sections of the organisation.

The GDPR also has a couple more conditions for a DPIA to be mandatory, namely:

  • Any evaluation you make based on automated processing, including profiling, as well as automated decision-making especially if this can have significant or legal consequences for someone; and
  • The processing of large quantities of special category personal data (formerly known as sensitive personal data).

An eight-step guide to your DPIA

  1. Identify the need for a DPIA
    • Looking at the list above should give you an idea of whether a DPIA will be required. But there are also various ‘screening questions’ that should be asked early on in a project’s development. Importantly, the data protection team should assess the potential impacts the project may have on individuals’ privacy rights. Internal stakeholders should also be consulted and considered.
  2. Describe the data flows
    • Explain how information will be collected, used and stored. This is important to redress the risk of ‘function creep,’ i.e. when data ends up getting used for different purposes, which may have unintended consequences.
  3. Identify privacy and related risks
    • Identify and record the risks that relate to individuals’ privacy, including clients and staff.
    • Also identify corporate or organisational risks, for example the risks of non-compliance, such as fines, or a loss of customers’ trust. This involves a compliance check with the Principles of the Data Protection Act 2018 (the UK’s GDPR legislation).
  4. Identify and evaluate privacy solutions
    • With the risks recorded, find ways to eliminate or minimise these risks. Consider doing cost/benefit analyses of each possible solution and consider their overall impact.
  5. Sign off and record DPIA outcomes
    • Obtain the appropriate sign-off and acknowledgements throughout your organisation. A record of your DPIA evaluations and decisions should be made available for consultation during and after the project.
  6. Consult with internal and external stakeholders throughout the project
    • This is not so much a step as an ongoing process. Commit to being transparent with stakeholders about the DPIA process. Listen to what your stakeholders have to say and make use of their expertise. This can include both employees as well as customers. Being open to consultation, with clear communication channels for stakeholders to bring up data protection concerns or ideas, will be extremely useful.
  7. Ongoing monitoring
    • The DPIA’s results should be fed back into the wider project management process. You should take the time to make sure that each stage of the DPIA has been implemented properly, and that the objectives are being met.
    • Remember – if the project changes in scope, or its aims develop over the project lifecycle, you may need to revisit step one and make the appropriate reassessments.

This brief outline should help you to understand when a DPIA is appropriate and how to structure one. Eventually, these assessment processes will be second nature and an integral part of your project management system. Good luck!

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 21st October 2019


Brexit at 20 Days. A pathway emerges

This was the week in which Brexit positions hardened.  Last Monday it became clear that EU leaders were not won over by the UK Government’s Protocol.  The Protocol was launched amid high expectations on 2nd October.  It was designed to break the deadlock and introduce a new approach to the problem of customs checks between the UK and the Republic of Ireland.

Clearly, the lukewarm response of the other EU leaders to the Protocol makes the prospect of a “No Deal” Brexit more likely.  The unattributed response from Number 10 was unequivocal.  The spokesman was quoted as saying:

“(the Government) will not negotiate further (with the EU) so any delay would be totally pointless.  They think now that if there is another delay we will keep coming back with new proposals. This won’t happen. We’ll either leave with no deal on 31 October or there will be an election and then we will leave with no deal.”

A Pathway Emerges

Nevertheless, detailed discussions between Boris Johnson and his Irish counterpart, Leo Varadkar, have taken place. The tone of the joint statement from both Heads of State sounded very different from the anonymous Number 10 spokesman. The statement said that the two had “agreed that they could see a pathway to a possible deal”. Discussions on the “pathway” are set to continue in Brussels. But now, with barely 20 days to go, we are running out of road.

What lies beyond the Summit?

The subject of Brexit looms large on the agenda for the meeting of the European Council – often referred to as the Summit. It will take place on 17th and 18th of this month, and will be attended by all the EU Heads of State (including Boris Johnson). It is difficult to predict the direction that the Summit will take.

The next day, on 19th October, is the critical date for the Benn Act (or Surrender Bill as the Prime Minister prefers to call it).  If by 19th October a Withdrawal Agreement has not been passed by Parliament, the Benn Act requires the Government to request an extension to the Brexit negotiations.  The Act suggests an extension until 31st January 2020, but this would be at the discretion of the EU. 

Significantly the Government has called a special sitting of Parliament on 19th October – the first sitting on a Saturday since the outbreak of the Falklands War.  It is unclear whether the purpose of the “Super Saturday” special sitting is to vote on a Withdrawal Agreement or to map out the Government’s strategy for a no-deal exit. 

Businesses with Clients in the EEA

It is perhaps notable that in recent days the Cabinet Office has been ramping up its communications programme on the consequences of no deal. A number of these are aimed at specific business sectors including data processors and data controllers with clients in EEA countries.

Although the Cabinet Office advice was originally published in February this year it is worthwhile taking another look in the light of the shifting political situation.

Government Advice

The Government’s advice is very clear. In summary, organisations that receive personal data from the EU/EEA should:

  • Review your organisation’s contracts for data transfer.
  • Consider including Standard Contractual Clauses (SCC) or Alternative Transfer Mechanisms (ATM) to ensure continuation of legal receipt of personal data from the EU/EEA.
  • If your business is part of a multinational group, consider whether you can rely on binding corporate rules (BCRs) for intra-group transfers as an appropriate safeguard.

The full Cabinet Office advice can be found at www.gov.uk/guidance/using-personal-data-after-brexit#what-we-mean-by-receiving-personal-data

Data Protection Representatives

If you are processing EEA personal data, you will have to consider whether or not you need to appoint a European ‘representative’ in an EEA Member State.  For example, you will need to appoint a representative if you:

  • have a regular client base in one or more countries in the EEA;
  • and don’t have an establishment in the EEA;
  • and you are transferring personal data from the EEA to the UK for processing.

A European representative will act as a contact for individuals and the EU and EEA supervisory authorities in the specific countries in which you operate.  

It is worth noting that current advice from the UK supervisory authority, the ICO, says that:

‘You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.’

This is not a straightforward issue. It is advisable to seek advice from your data protection officer or legal advisor when conducting an assessment of whether or not you need to appoint a data protection representative in the EU or EEA Member States.

Please contact us if you have any queries or concerns about how Brexit will affect your business, or if you need help with your data protection.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 11th October, 2019


GDPR. Legitimate Interests and Consent.

In this blog, we’ll discuss the pros and cons of legitimate interests and consent. It can be tricky working out the lawful basis (or bases) with which the data processing activities of your organisation are best defined and justified. They will vary across different business areas and between – and even within – industries.  Legitimate interests and consent tend to be most relevant to the private and third sectors and have become the subject of much discussion among marketing and other data-centric professionals.

But first, a bit of context. The General Data Protection Regulation (GDPR) provides six lawful bases for processing, a couple of which are fairly straightforward to understand. For instance, legal obligation is an obvious lawful basis in some circumstances, such as processing accident information for a report to comply with Health & Safety regulations. Almost all professionals will have some experience with this lawful basis of processing. But what about legitimate interests and consent? These have very specific requirements under the GDPR, and it’s important to be familiar with them.

What are the Legal Bases?

The six lawful bases under the GDPR are as follows:

  • Consent:  the individual (data subject) has provided clear, positive consent for you to process their personal data for a specific purpose.
  • Contract:  the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation:  the processing is necessary for legal compliance (other than contractual obligations).
  • Vital interests:  the processing is necessary to protect someone’s life.
  • Public task:  the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests:  the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

These are not hierarchical.  You must select the single most appropriate legal basis for the activity and purpose for which you are conducting the processing. There are simple steps you can take to help you decide between legitimate interests and consent.

When and How do I Use Legitimate Interests?

Article 6 of the GDPR grants legitimate interests as a lawful basis if the processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interests is widely used for marketing and some areas of HR.

So how do we know if this is the case? Well, there’s a three-step test, approved by the Information Commissioner’s Office (ICO), summarised below. This is known as a Legitimate Interests Assessment (LIA).

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is this processing necessary? Crucially, could this legitimate interest be pursued without the processing of personal data?
  3. Balancing test: do the individual’s rights override the organisation’s legitimate interests?

It’s important to have these LIAs established and documented prior to any processing. But if you think your organisation could use genuine legitimate interests, here are some benefits:

  • It is the most flexible lawful basis for processing. There are a wide range of legitimate interests, including commercial.
  • Going through an LIA is always useful: you may find ways of streamlining your data processing to what is strictly necessary and limiting your privacy impact.
  • You don’t need to be disruptive or pestering to a data subject with a consent request to which no one would reasonably object.
  • It can also be used for some routine internal processes such as HR.

When and How May I use Consent?

More and more people will be aware of the GDPR’s tightening of the consent definition, but here’s a quick recap: consent is a lawful basis for data processing if…

“The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

It is the specificity of the purpose for which a data subject’s information is being processed that’s important to remember. Consent must be informed, which means you must tell the individual what data you are collecting, the reason why, and what you will do with it.  Evidence of consent must be captured. And remember, data subjects may withdraw consent at any time they wish.

Some other benefits of using consent include:

  • It’s a very strong, unambiguous ground for processing. You asked, and they said yes. As long as you have evidence, it is difficult to argue with.
  • Consumers, in certain contexts, may trust you more for having asked, and may appreciate your concern for data protection rights.
  • It allows individuals to understand and engage with how their own data is being used, fostering a mutual respect for data rights.

If you have any questions about the legal basis for processing, including LIAs or consent requirements, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 29th September 2019


Brexit. 35 days to go … and stormy times at Westminster

Well nobody saw that coming! On Tuesday, as storm clouds descended on Westminster, the Supreme Court delivered its own thunderbolt.  In a unanimous decision, all 11 Supreme Court Justices ruled that, in the circumstances, it was unlawful for the Government to advise the Queen to prorogue Parliament. The suspension of Parliament was void and the session should resume as soon as possible. In effect the Court overruled the legal basis for the prorogation.

Parliament duly resumed on Wednesday morning with renewed antagonism (even toxicity) on all sides of the political and Brexit divide.    

In the opening exchanges Government made it clear that it accepted the ruling of the Court. Nevertheless, Ministers, including the Attorney General, Geoffrey Cox, made it clear that they profoundly disagreed with the ruling.   The Attorney General stated he is “considering” releasing his original advice to Government on prorogation. It will be interesting to see the legal basis for his advice.

Still the Brexit clock is ticking…

Parliament will now resume work on the legislative programme of Bills that had been put aside when prorogation was announced. Meanwhile all the work on a revised Withdrawal Agreement with the EU is taking place elsewhere as the shuttle-diplomacy between London and other EU capitals continues.

New deadline?

One piece of legislation that did pass in the brief period between the end of summer recess and the “prorogation that never was” has introduced a new deadline.  The European Union (Withdrawal) (No.2) Act focuses attention on 19th October, a full two weeks before the Hallowe’en witching hour.   

This Act – more commonly referred to as the “Benn Act” and more recently, by the Prime Minister himself, as the “Surrender Bill” – requires Parliament to pass a new Brexit Withdrawal Agreement by the 19th October deadline. If a Withdrawal Agreement has not been passed with a Parliamentary majority by 19th October, the law demands that the Government writes to the EU Commission to request a further extension to EU membership. A draft of the letter is included within the Act.

Clearly the provisions of the Act fly in the face of the PM’s commitment to leave the EU, with or without a deal, by 31st October or “die in a ditch”.  When asked directly if he would comply with the Act if he cannot secure a Withdrawal Agreement by 19th October, he answered with a single word. A categoric “No”.

If it turns out that the Prime Minister refuses to obey the provisions of the new Act, the legal basis for his decision will surely be challenged.  But that is a legal challenge that is yet to come…

Deal or No Deal, the Data Protection Act & GDPR will apply

Last week we talked about the legal basis for processing personal data. Businesses are concerned about the free flow of personal data. This will still be possible so long as there is a valid legal basis for processing, such as ‘for the performance of a contract’. Contracts, data processing, and data sharing agreements must be up to date including, where applicable, the so-called standard contractual clauses. These are also known as the EU Model Clauses.

Legitimate Interests Processing

Another legal basis is Legitimate Interests, which can be the most flexible legal grounds for companies to use. However, it cannot be assumed that it will always be the most appropriate. In business it’s sometimes used instead of consent, for example for certain forms of direct marketing, web analytics or routine internal activities such as HR.

As with all aspects of data protection compliance the rights of the individual and the security of the data are paramount and should be built into any processing operation.  This is known as Privacy by Design and Default.

Legitimate Interests Assessment (LIA)

As part of ‘Privacy by Design and Default’, it is essential to assess the impact of any processing on the individuals concerned.  So the scope, purpose and security of the processing must be considered before using Legitimate Interests as a legal basis for processing personal data. This can be achieved by conducting a legitimate interests assessment, which consists of:

  1. Establishing a use case which identifies the legitimate interest
  2. Conducting a necessity test – is the processing really needed, or is there an alternative?
  3. Conducting a balancing test – this will help to identify the impact of your processing and whether this overrides the interest you have identified
  4. Safeguards – having adequate technical and organisational safeguards in place to protect the confidentiality and integrity of the data

It is advisable to use an LIA framework or template for this purpose and seek the advice of a data protection officer or advisor who has the expertise to guide you through this process.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or emailing teambrexit@datacompliant.co.uk.

Gareth Evans, 27th September 2019

European Council Presidency gets closer to finalising the ePrivacy Regulation

On the 18th September, the Presidency of the European Council published its proposed amendments to the draft ePrivacy Regulation which will replace the current ePrivacy Directive framework. With the new regulation in place, the EU’s framework for data protection and confidentiality of electronic communications will be complete.

ePrivacy and GDPR

How are the ePrivacy Directive and its forthcoming replacement separate from the General Data Protection Regulation (GDPR) and any other privacy regulations? Well, the Directive uses the same legal definitions of privacy and data that were brought in by the GDPR, but it attempts to make coherent legal protocols across Member States for phenomena such as unsolicited marketing and confidentiality breaches, or other forms of potentially harmful electronic communication outside the personal information purview of the GDPR. In the UK, the ePrivacy Directive is implemented by the Privacy and Electronic Communications Regulations (PECR), which operate alongside the Data Protection Act 2018 (which is itself derived from the GDPR).

Draft ePrivacy Regulation

The draft Regulation currently provides:

  • Rules for ‘spam’ or unsolicited marketing

Unsolicited commercial communications via electronic media are prohibited under the ePrivacy Directive, unless the recipient has given prior informed consent. Consent is not required, however, to send commercial emails to existing customers to advertise similar services or products (although each communication must include an opt-out option).

  • Tougher rules for the use of cookies and tags

The new rules for cookies and online identifiers in the Regulation will be tougher than those in the incumbent ePrivacy Directive. The Regulation now recognises the ‘storing or processing capabilities of the device,’ not just the storage and retrieval of data. This means that specific scripts and tags, currently unrecognised by the Directive’s cookie rules, will be covered by the Regulation. Cookies usually require consent, but there are some exemptions, for instance for (certain forms of) analytics, essential software updates and security.

  • Secrecy requirements for ‘machine-to-machine’ and ‘Internet of Things’ communications

The Regulation attempts to differentiate between secrecy requirements on:

  • electronic communications content;
  • electronic communications metadata (data that provides information about other data); and
  • electronic communications data (common rules for both content and metadata).

People’s electronic communications are generally protected by a right to secrecy, although the rules may differ slightly between these categories. For instance, the Regulation finds that processing metadata is permissible for the purposes of:

  • network management;
  • network optimisation; or
  • statistics.

These rules don’t just apply to human interaction; they also apply to the processing of M2M (machine-to-machine) communications. The European Council Presidency’s recent amendments to the draft legislation particularly concerned the secrecy requirements for communications metadata.

On the 24th September, the amended draft will be further discussed by the Council’s Working Party on Telecommunications and Information Society.

If you have any questions about ePrivacy and GDPR regulations, please contact us via email team@datacompliant.co.uk or call 01787 277742

Harry Smithson, 22nd September 2019

42 days and counting….

With the Brexit countdown clock still ticking, it seems that all has gone (relatively) quiet on the Brexit front. Parliament is not sitting and won’t be back until 14th October, but this has not stopped politicians and commentators on all sides of the debate from reiterating their deeply-held positions.

Behind the scenes, it is reported, there is a great deal of shuttle diplomacy taking place. Both the Prime Minister and his chief negotiator, David Frost, have become frequent passengers on the Eurostar as they dash between London, Brussels and the other capitals of Europe. Yet the details of the discussions are still far from clear.

The “non-paper”

On Thursday it emerged that the Government has apparently issued a “non-paper” to the EU outlining some thoughts on how an acceptable Brexit deal can be achieved. “Non-paper” is a particularly bizarre EU term for written proposals that have no formal status. At the risk of sounding like something from Alice Through the Looking-Glass, it is a paper that is not a “paper”.

The details contained in the non-paper are unlikely to be officially released. But, if past experience is anything to go by, non-papers tend to see the light of day through unofficial and unattributable leaks.

The Law’s Delay

With little information to go on, it is perhaps unsurprising that attention has turned to the other burning issue in UK politics – the judgement of the Supreme Court on the legality of the decision to prorogue Parliament. Whilst this is not a Brexit issue in itself, the plaintiffs in the two cases before the Court clearly suspect that Parliament was suspended in order to prevent scrutiny of the Brexit negotiations.

At the time of writing the judges are still out and the judgement is yet to be issued. Whatever the decision, it is clearly going to have an impact on the course of the Brexit countdown.

With attention focussed on legal matters, it is perhaps worthwhile spending a little time looking at an often misunderstood aspect of data protection law, specifically the legal basis for processing data.

On what legal basis can companies process personal data?

The collection and processing of personal data must first and foremost be lawful under the GDPR and the Data Protection Act 2018. There are six legal grounds for processing, and one of them MUST apply. They are summarised below in no particular order:

  • Consent – the person must have given their consent for one or more specific purpose(s) (e.g. for consumer electronic marketing purposes)
  • Contract – the processing is necessary for the performance of a contract to which the data subject is a party, or for steps the data subject has requested before entering into a contract (e.g. for employee, client or third-party contracts)
  • Legal obligation – the processing is necessary for compliance with a legal obligation, such as a requirement imposed by HMRC
  • Vital interests – the processing is necessary to protect the life of the data subject or another person (e.g. access to medical records in the case of an accident)
  • Legitimate interests – the processing is necessary for the purposes of the legitimate interests of the data controller, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual (a Legitimate Interests Assessment must take place, e.g. for some direct marketing purposes)
  • Public interest – the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 20th September 2019