International Data Transfers Guide

March 2024

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU.

The rules regarding restricted transfers can be an enigma to the uninitiated and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking: what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise.

However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny, in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.

There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent or accessible outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

  • Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
  • Giving a supplier based in another country access to personal data
  • Giving access to UK/EU employee data to another entity in the same corporate group, based in another country.

There are some notable exceptions:

  • Our own employees: A restricted transfer does not take place when sending personal data to someone employed by your company, or them accessing personal data from overseas. However, it does cover the sending, transmitting or making personal data available to another entity within the same corporate group, where entities operate in different countries.
  • Data in transit: Where personal data is simply routed via several other countries, but there is no intention that this data will be accessed or manipulated while it is being routed via other countries, this won’t represent a restricted transfer. ICO guidance says: “Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.”

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a similar level of data protection standards in place to the sender country. An Adequacy Decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA
The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions.

Therefore personal data can flow freely between EEA countries and an ‘adequate’ country. These decisions are kept under review. There are some concerns UK Government plans to reform data protection law could potentially jeopardise the UK’s current EC adequacy decision.

EU-US Data Privacy Framework: The EC adopted this framework for transfers from the EU to US in July 2023. It allows for the free flow of personal data to organisations in the US which have certified and meet the principles of the DPF. A list of self-certified organisations can be found on the U.S. Department of Commerce DPF website.

Transfers from the UK
There are provisions which permit the transfer of personal data between the UK and the EEA, and to any countries which are covered by a European Commission ‘adequacy decision’ (as of January 2021). Therefore personal data can flow freely between UK and EEA and any of the countries awarded adequacy by the EC.

The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.

UK-US Data Bridge: The UK-US ‘Data Bridge’ was finalised on 21st September 2023 and goes live 12th October 2023. Like the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF but they must also sign up to the ‘UK extension’. Read more about the Data Bridge.

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’.

SCCs can be used for restricted transfers from the EEA to other territories (including those not covered by adequacy). The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs cover specific clauses which can be used for different types of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses

Two points worth noting:

  • The deadline to update contracts which use the old SCCs has passed – 27th December 2022.
  • Senders in the UK cannot solely rely on EU SCCs, see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers.

  • The International Data Transfer Agreement, or
  • The Addendum to the new EU SCCs

ICO guidance stresses that the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the new EU SCCs. In other words, the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.

In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, to cover the protection of the rights of EU as well as UK citizens.

It’s worth noting that contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to the new EU SCCs, in order to be effective. See ICO Guidance.

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020 invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries.

As a result of this ruling there’s a requirement when using the EU SCCs or the UK IDTA to conduct a written risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment, and in the UK, it’s called a Transfer Risk Assessment (TRA).

The ICO has published TRA Guidance, which includes a TRA tool; a template document of questions and guidance to help businesses carry out a TRA.

D. Binding Corporate Rules (BCR)

BCRs can be used as a safeguard for transfers within companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous and takes a considerable amount of time to complete BCRs.

BCRs need to be approved by a Supervisory Authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with UK Addendum if necessary) or the IDTA, in preference to going down the BCR route.

E. Other safeguards

Other safeguard measures include:

  • Approved codes of conduct
  • Approved certification mechanisms
  • Legally binding and enforceable instruments between public authorities or bodies.

What are the exemptions for restricted transfers?

It may be worth considering whether an exemption may apply to your restricted transfer. These can be used in limited circumstances and include:

  • Explicit consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.
  • Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.
  • Public interests – the transfer is necessary for important reasons of public interest.
  • Legal necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.
  • Vital interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

The ICO makes the point most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t be reasonably achieved another way.

The regulatory guidance says exemptions, such as contractual necessity, are more likely to be proportionate for occasional transfers, a low volume of data and where there is a low risk of harm when the data is transferred.

The above is not an exhaustive list of the exemptions; further details can be found here.

There is no getting away from it: international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks.

Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be taken here on the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

Managing how employees use their own devices for work

November 2023

How to mitigate the security risks of Bring Your Own Device (BYOD)

The switch to remote working due to the COVID pandemic, and subsequently, means even more employees now use their own devices to access work emails, systems and files. This can make practical sense for many organisations, but the use of personal devices can pose a serious security risk if appropriate measures are not in place. This is a risk to personal information, as well as to other confidential or commercially sensitive information.

Some organisations (particularly those handling sensitive data) might take the step of banning the use of any personal devices for work purposes. But for others there are good reasons for allowing personal devices to be used. The key is making sure security risks have been considered and appropriate measures are in place to protect the organisation and those whose personal data is held.

It’s essential for any organisation which allows employees to use their own devices for work purposes, to have robust security measures in place to address security risks, along with appropriate measures to protect personal data. Furthermore, employees need to know what’s expected of them and this is where having a Bring Your Own Device (BYOD) Policy is crucial.

What are the risks, what key security measures should be in place, and what should a BYOD Policy cover?

Key BYOD risks

1. Loss or theft of devices – we’re all human, and I suspect many of us have lost a mobile before, or perhaps even left a laptop somewhere. There’s a clear risk if it’s possible for someone else to access valuable or sensitive information on the device.

2. Use of public wi-fi services – connecting to open public wi-fi when employees are out and about can leave personal devices vulnerable to hackers. There’s also a risk if home networks aren’t secure.

3. Malware and viruses – employees can view any website and download any app on their own device, raising the risk these could contain damaging malware or viruses.

4. Former employees – failing to remove access and data from devices when people leave the organisation could come back to haunt the organisation. I know of cases where this has caused a data breach.

Key steps to mitigate BYOD risks

Here are some methods to reduce or eliminate the risks. This is by no means an exhaustive list, but will hopefully give you some useful pointers.

  • Require employees to use appropriate authentication settings when accessing their devices. For example, access via a passcode or fingerprint.
  • Restrict which business applications and data employees can access via their own device.
  • Implement enhanced user authentication for business apps – multi-factor authentication (MFA). That includes access to their business email account (e.g. via Outlook) which may include personal information in the content or in attachments.
  • Consider measures to make sure personal data from business apps can’t be downloaded, stored or shared via personal devices. Don’t allow staff to share data or screenshots from any business app they use with any other app they may have on their device (e.g. social media or file sharing apps).
  • Put clear procedures in place for lost or stolen devices. For example, reporting the loss and the capability to remotely delete data from a lost or stolen device.
  • Make sure clear procedures are in place to update access controls when people leave the business or change roles.
  • Prohibit the use of public wi-fi services, which may be insecure.
  • Provide advice on making sure your home wi-fi is secure.
  • Ask employees to update apps regularly to make sure any security vulnerabilities are ‘patched’.
  • Ask them to run antivirus / malware checks regularly.

Creating a Bring Your Own Device Policy

A BYOD Policy sets out the rules for employees when using their personal devices – be it laptops, smartphones or tablets – for work purposes. It should set out the organisation’s expectations and the security measures required. When employees are accessing the organisation’s information, it’s okay to insist employees comply with a BYOD Policy.

Such a policy would cover all the measures in place to mitigate the risks above, making sure employees’ responsibilities are clearly laid out. You’d also want it to include, or point to, clear onboarding and leavers procedures, and procedures for lost or stolen devices.

In addition, a BYOD Policy is also likely to cover:

  • Types of device permitted.
  • Establishment of company rights on devices (this can be a tricky area and may be worth seeking legal advice).
  • List of company systems / apps allowed to be accessed via personal devices.
  • An explanation of acceptable use and behaviours. For example, what employees are not permitted to do may include:
    – Allowing others (e.g. family members) to access work systems and apps
    – Storing or transferring copies of organisation’s information onto their own devices
    – Using private email accounts for work purposes
    – Uses which may be illegal or bring the organisation into disrepute
  • Details of the IT support available to employees.
  • Any necessary sanctions should employees fail to follow the policy.

By the way, whilst we refer to employees above, you should bear in mind you may also have contractors who access the organisation’s systems / apps via their own devices. If so, the Policy should apply to contractors too.

Recently the Information Commissioner’s Office took action against a company following a data breach. It’s worth noting one of the key failings found was the lack of a BYOD policy. We’ve written more about this here: Information Security Tips

Seven top information security tips

November 2023

How to be vigilant against cyber attacks

The UK’s Information Commissioner’s Office (ICO) has recently issued reprimands to two companies who failed to have appropriate technical and organisational measures in place to protect personal data. Both cases provide helpful insight and serve as a reminder to others to be vigilant.

One case involved a ransomware attack on a company which provides accountancy, tax and employment solutions. In the other case an unauthorised third party gained access to and exfiltrated personal data from a recruitment company’s systems twice within a 12-month time frame.

I’m not going to get into the hot debate about whether the ICO should have issued reprimands or fines. What I would say is no company wants to have to go through the painstaking and embarrassing ordeal of an ICO investigation, fine or no fine. Needless to say, the regulator took into account some mitigating factors.

Key findings

I’ve summarised and combined the key findings from both cases, just to give a broad picture of the areas where failures were identified. These are failings by either company, not by both.

  • Lack of multi-factor authentication
  • No clear Bring Your Own Device Policy
  • Inadequate ‘account lockout policy’
  • Personal data held longer than necessary
  • Significant delay in notifying those affected by the breach
  • Lack of awareness in relation to patch management and associated risks
  • Unsupported software
  • Insufficient system logging, resulting in limited analysis of the attack

For many small and medium sized businesses, it’s not always obvious how to address cyber security threats. There are some core security arrangements which can really help to address the most obvious threats.

We’d highly recommend looking at Cyber Essentials or Cyber Essentials Plus accreditation. These are information assurance schemes operated by the National Cyber Security Centre (NCSC). They provide a framework for organisations to carry out a review of their security arrangements, and to make sure basic controls are introduced to protect networks/systems.

7 information security tips

1. Control who has access to your data and services

  • Role-based access – give people access to only the specific data they need based on their job role.
  • Separate administrative accounts from accounts which are also using email or browsing the web, to minimise the damage caused by an attack.

2. Choose the most secure settings for your devices and software

  • Check your device settings, make sure they’re providing a higher level of security.
  • Always password protect your devices and change any default passwords.
  • Wherever it’s available, always use Multi-Factor Authentication on your accounts.

3. Protect yourself from viruses and other malware

  • Make sure antivirus software is in place and updated regularly.
  • Create a list of applications which are allowed to be installed on a device.
  • Only use software from official sources and control who can install software. In other words stop staff downloading dodgy apps!

4. Keep your devices and software up to date

  • Make sure all software is up-to-date with the most recent version – known as patching.
  • If software becomes obsolete or is no longer supported, upgrade to a more modern version.

5. Logging and monitoring

  • Make sure you have suitable logs and monitors in place to detect and investigate any information security incidents.

6. Control use of USB / memory drives

  • Block access to external storage/upload devices – as the NCSC warns us, it only takes one person to plug in an infected memory stick containing malware to devastate the whole organisation.
  • Only allow approved drives and cards to be used.

7. Back up your data

  • Make sure you make backups of your important data very regularly and make sure backups can be restored very quickly, e.g. in the event of a malware attack. This will help your business get back on its feet quickly in the event of a critical data incident.

These are just a few key security steps to take and the above is by no means an exhaustive list. The NCSC has published a wide range of resources to help understand Cyber Essentials and become accredited: Cyber Essentials Overview. NCSC has also published helpful guidance on matters such as passwords, bring your own device and multi-factor authentication.

Any company which has suffered a cyber attack will know all too well how damaging they can be on so many different levels. We’d just stress you can’t prioritise enough doing all you can to reduce this risk to your business.

Ransomware attacks continue to plague businesses

March 2023

How damaging could an attack be? How prepared are we? Should we pay or not?

Ransomware attacks are a significant concern as more organisations fall victim. Non-cyber attacks may account for more than two-thirds of data breaches reported to the UK’s Information Commissioner’s Office (ICO), but being held to ransom can bring a business to a standstill.

What is Ransomware?

Ransomware is malicious software used by bad actors to encrypt a target organisation’s system folders or files. Sometimes the data may be exfiltrated (exported) too.

A ransom demand often follows, asking for payment. This could be a huge sum of money, paid in exchange for the decryption key and an assurance that the data the attacker claims to have will be deleted. In other words, it will not be published on the dark web or shared with others. But there are no guarantees!

These attacks are becoming increasingly sophisticated. It’s now possible for a bad actor to buy an ‘off the shelf’ cyber-attack via the dark web, or tailor a package to suit their needs. A really unwelcome development.

Robert Bond, Senior Counsel, Privacy Partnership Law:

“My experience is that ransomware attacks are not necessarily aimed at personal data but rather any information that is an asset. Often what is attacked contains confidential data such as business secrets and so personal data is the least concern.”

Ransomware attacks could cause a personal data breach, but this may be only one of a number of risks to the business.

Recent high-profile ransomware attacks

  • Royal Mail were hit by a LockBit ransomware attack on 10th January 2023 and had to suspend their overseas letter & parcel services. LockBit threatened to publish Royal Mail’s data and the ransom was set at £65 million!

Royal Mail notified the ICO and engaged help from the National Cyber Security Centre (NCSC) and National Crime Agency (NCA). Royal Mail refused LockBit’s demands.

LockBit then released the entire negotiation history with Royal Mail. No data appears to have been leaked via LockBit’s blog at the time of writing. Links to data dumps were included in the chat history, but the links quickly expired.

  • Ion Group, a supplier of software to the financial services industry, were also attacked in February 2023. The incident crippled the ability of many City of London traders to do their jobs.

LockBit threatened to publish Ion’s data. A LockBit spokesperson later confirmed that a ransom had been paid by a “very rich unknown philanthropist”. We can’t be sure if this is true, as Ion refused to comment. But if a ransom was paid, this goes against accepted cyber security best practice.

These are big organisations, but there’s evidence all businesses small and large are potential targets.

Last year a solicitor’s firm was issued with a £98K ICO fine after they fell victim to an attack. In its ruling the ICO made it clear that, while primary culpability rested with the attacker, a lack of sufficient technical and organisational measures gave the attacker a weakness to exploit.

Be prepared

These increased threats are persuading some organisations to invest more time and money into additional security measures aimed at preventing attacks. It’s also worth making sure you have robust procedures to follow should the worst happen. Incident response playbooks (procedures) are being created and simulations being run.

The ICO’s fine demonstrates organisations need to take ‘appropriate steps’ to protect their systems from a ransomware attack. In addition to updated cyber security and penetration testing, having a robust backup and disaster recovery plan can prove critical to getting business operations up and running quickly following an attack.

Our employees are vital too: making sure they understand and follow information security best practice and are able to recognise security risks. The absence of knowledge and a clear procedure for reporting incidents and breaches could mean a cyber-attack initially goes unnoticed, causing more damage.


Ransomware demands – to pay or not to pay?

A crucial consideration for businesses which suffer an attack and receive a ransomware demand, will be whether to pay or not.

For its part, the ICO is urging businesses not to pay. The Regulator says ‘Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.’

In reality a business might find its operations crippled following an attack and paying the ransom can feel like the only option to keep the business afloat. The problem is, the more ransomware demands that are paid, the more bad actors will continue to make demands. And as said, there are no guarantees the data will not be leaked.

It’s definitely worth noting the ICO wouldn’t expect you to pay; it urges those affected to engage with them and the National Cyber Security Centre at the earliest possible opportunity.

Ransomware attack impacts

So what could be the impact if our business is targeted?

1. Financial loss

The costs can be substantial. There’s the sum of the ransomware payment itself, if a business decides to pay it. Plus, costs to resolve the issues the attack has left behind, such as contracting specialist expertise to investigate the attack, restoring data from backups, and implementing additional security measures. Not to mention lost revenue…

2. Disruption to normal business ops

An organisation’s routine business operations can be massively disrupted by a ransomware attack if it limits or entirely prevents access to data and systems needed to perform basic day-to-day tasks.

Delays, missed deadlines, and lost business can follow, as well as firefighting to placate upset customers, business partners and so on. In the worst cases, businesses may have to shut down completely until the data is decrypted or reloaded to systems via back-ups.

3. Reputational damage

We’ve all seen the headlines; a ransomware attack can damage a business’s reputation and harm customer trust. Customers naturally expect organisations to take all appropriate measures to protect their data. A ransomware attack could indicate to customers, staff and trade partners that a business has failed in its duty to protect the data.

A ransomware attack can have legal consequences, especially where particularly sensitive or special category data is affected. An attack could lead to a regulatory investigation, a possible fine and potential class actions.

Final thoughts

We know ransomware attacks can cause an enormous amount of harm and pose considerable risks to organisations. They are costly, disruptive and can be reputationally damaging.

Robust measures are needed to protect organisations. Patch management, encryption, pen testing… the list goes on. Alongside this, a well-developed playbook enabling you to react quickly and decisively to an attack can only help to minimise the impact.


Data protection and our suppliers

February 2023

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers. Those acting as our processors, supporting our business.

Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common) can become onerous. It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first.

Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch – a data breach. How quickly and fully will they notify us, how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:

  • Do they have a DPO or another individual in the business responsible for data protection?
  • Can they provide evidence of data protection policies and procedures?
  • Have they experienced a data breach before?
  • What information security procedures do they have in place?
  • How regularly are their security measures tested?
  • Do they hold any form of certification?
  • In which country/region will the data be processed?
  • Who are their sub-processors and where do they process the data?

The above is by no means an exhaustive list.

2. International Data Transfers

There are additional considerations if international data transfers come into play. If we’re sharing data (or allowing it to be accessed) by a supplier in a third country, we need to check what safeguards need to be in place.

For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs). There’s also the relatively new requirement to conduct a transfer risk assessment, and consider if additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept?

UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO have published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions –  Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent?

It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

For suppliers considered a higher risk, it may be prudent to routinely audit them. In doing so it’s important to be clear which aspects of the supplier’s business need to be scrutinised.

Creating a framework which is tuned and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data are handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out when the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

7. Certification – in the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into data privacy) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating using multiple suppliers. As the saying goes ‘you can only eat an elephant one bite at a time’, the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.

Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy.

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research, approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is: not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with:

1. Do I need to worry about data protection regulation?

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all and it will depend on the risk appetite of your organisation.

2. Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis.

3. Do I need a RoPA (Record of Processing Activity)?

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA if the following applies:

  • Processing does not pose a risk to the rights and freedoms of the data subject
  • No special category data is being processed
  • If the processing is only done occasionally

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not.

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4. Do I need to register with the ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not-for-profit status is a possible example.

5. Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6. How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step-by-step set-up guides. There is really no excuse not to have a cookie notice.

7. What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them?

8. What about Individual Rights?

Yes. Every individual has clear rights and, irrespective of the size of the organisation, you need to fulfil these requests.

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business, but it’s important to decide how to recognise and respond to these requests from individuals.

9. Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money, but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

10. What about International Data Transfers?

Hopefully no! If you and your suppliers are only operating in the UK and Europe, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When the EU-US Privacy Shield was invalidated in 2020, this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to only work with companies based in the UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three, and the reality is that you must either accept they’re not going to change anything for you, or choose not to use them.

Conclusion

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care.

There’s more helpful information available on the ICO’s Small Business Hub.

Access controls: Protecting your systems and data

August 2022

Is your data properly protected?

Do existing staff or former employees have access to personal data they shouldn’t have access to? Keeping your business’ IT estate and personal data safe and secure is vital. One of the key ways to achieve this is by having robust access controls.

Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach, which could have very serious consequences for your customers and staff, and for the business’ reputation and finances.

A former staff advisor for an NHS Foundation was recently found guilty of accessing patient records without a valid reason. The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations.

Add to this the increased post-Covid risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what.

High-level check list of areas to consider

1. Apply the ‘Principle of Least Privilege’

There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP). This sets a rule that employees should have only the minimum access rights needed to perform their job functions.

Think of it in the same way as the ‘minimisation’ principle within GDPR. You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need.

By adopting this principle, you can reduce the risk of employees accumulating more access rights over time. You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change.

If your access controls haven’t been reviewed for a long time, adopting PoLP can give you a great starting point to tighten up security.

2. Identity and Access Management

IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources.

IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role. One IAM example you may have heard of is Microsoft’s Active Directory.

3. Role-based access

Your business might have several departments and various levels of responsibility within them. Most employees won’t need access to all areas.

Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meet the needs of the type of job they do.
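To make the least-privilege and role-based access points concrete, here is an added example (not from the original guide or any product) of a periodic access review: it compares each account’s actual grants against a per-role baseline, flags privilege creep left behind by a role change, and flags leavers who still hold access. The role baseline, usernames and datasets are all constructed sample data.

```python
"""Access review for least privilege: flag grants beyond a role's baseline
(privilege creep, e.g. after a role change) and grants still held by leavers.
Added illustration, not from the original guide; all roles, users and
datasets below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role baseline: the minimum datasets each job role needs (constructed).
ROLE_BASELINE = {
    "hr_admin": {"hr_records", "payroll"},
    "sales_rep": {"crm_contacts"},
    "support_agent": {"crm_contacts", "support_tickets"},
}


@dataclass
class User:
    username: str
    role: str
    grants: set                      # datasets the account can currently read
    left_on: Optional[date] = None   # set once the person has left the business


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str              # "leaver", "excess" or "unknown_role"
    datasets: frozenset    # the grants the finding relates to


def review_access(users, today):
    """Return one Finding per account that breaches least privilege."""
    findings = []
    for u in users:
        if u.left_on is not None and u.left_on <= today:
            # Leavers should hold nothing at all; any grant is a finding.
            if u.grants:
                findings.append(Finding(u.username, "leaver", frozenset(u.grants)))
            continue
        baseline = ROLE_BASELINE.get(u.role)
        if baseline is None:
            # A role with no baseline cannot be checked; surface it rather than skip it.
            findings.append(Finding(u.username, "unknown_role", frozenset(u.grants)))
            continue
        excess = u.grants - baseline   # anything beyond the role's minimum
        if excess:
            findings.append(Finding(u.username, "excess", frozenset(excess)))
    return findings


# Constructed sample: alice moved from HR to sales but kept her HR grants,
# bob matches his role exactly, carol left in January but still has access.
SAMPLE_USERS = [
    User("alice", "sales_rep", {"crm_contacts", "hr_records", "payroll"}),
    User("bob", "support_agent", {"crm_contacts", "support_tickets"}),
    User("carol", "sales_rep", {"crm_contacts"}, left_on=date(2024, 1, 31)),
]


def run_sample():
    """Run the review over the constructed sample as of 1 March 2024."""
    return review_access(SAMPLE_USERS, date(2024, 3, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username}: {f.kind} -> {sorted(f.datasets)}")
```

Running the review on a schedule (and whenever HR records a role change or leaving date) turns the periodic check the guide recommends into a repeatable, evidenced control.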

4. Security layers

Striking the right balance between usability and security is not easy. It’s important to consider the sensitivity of different data and the risks if that data were breached. You can take a proportionate approach to setting your security controls.

For example, personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data.

Technologies can help you apply proportionate levels of security. Implementing security technologies at the appropriate levels can give greater protection to certain systems and data which demand a high level of security (i.e. strictly controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience.

5. Using biometrics

How do you access your laptop or phone? Many of us use our fingerprint or facial recognition, which give a high level of security using our own biometric data. But some say, for all their convenience benefits, they are not as secure as a complex password!

But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you. Sadly, lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link.

6. Multi-factor authentication (MFA)

Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs.

But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it. I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant.

There are an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!

Data Breach Reporting: Speedy 8-point checklist

July 2022

What are the key questions the ICO will want answers to?

Data breaches can be a pain. They’ll usually arrive when you least expect, and your organisation will want it dealt with pronto.

With that in mind, preparation is everything: knowing in advance what questions need answering saves precious time while investigations take place, facts are gleaned and mitigating measures are considered. All as the clock continues to tick.

Remember – NOT ALL breaches need to be reported

As a quick recap, we aren’t obliged to report every breach. There’s a clear proportionality test around the potential impact of the breach on an individual. The ICO tells us:

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report.

Our Data Breach Guide takes you through the key steps of establishing the facts and assessing whether a breach needs to be reported or not. You can download a copy here.

You’ve judged the breach reportable

Once you’ve assessed there’s likely to be a risk to affected individuals, you need to submit a report to the ICO. This must be done within 72 hours of becoming ‘aware’ of the breach.

(You’re considered to be ‘aware’ at the point there’s a reasonable degree of certainty a security incident has occurred which might have led to personal data being compromised.)

The ICO has a helpful online data breach reporting form, which many organisations might choose to use.

And remember, you don’t have to have all the facts to submit an initial report; you can provide updates. The online form gives options on this.

(Please note this is sector dependent: telecoms and internet providers, as well as organisations in the health and communications sectors, have distinct reporting requirements.)

8-point checklist – the answers you’ll need

1. What went wrong?
Can you describe what happened, how it happened and how it was discovered? When did it happen and when did you discover it?

2. What type of data is affected?
Are basic identifiers, contact details, user passwords, bank account numbers, passport details or other personal data affected? Does the incident involve any special category data such as health data, biometrics, political opinions or sexual orientation?

3. Who is affected?
Whose data is it? Employees, students, subscribers, clients or patients?

4. What’s the volume?
Do you have an exact figure, or an estimate, for how many records are involved and how many people could be affected?

5. What’s the risk?
What damage or harm has already happened? What further impact is anticipated? Is there a ‘high’ risk to those affected? (If so, you’ll also need to notify the affected individuals.)

6. What training have staff had?
Can you confirm the staff member(s) involved in the breach have received data protection training in the past two years? What’s the nature and frequency of the training? (Be sure to also have a brief description of the training content to hand.)

7. What actions have you taken?
What have you done to limit the impact? What’s been done to prevent a reoccurrence? When do you expect mitigating measures to be in place (if they aren’t already)? What further actions will you be taking?

8. Who else have you told?
Have you told affected individuals, or are you planning to? Have you told any other organisations about the breach?

Crucial to easing the potential fallout of a breach is being ready for one. A pre-prepared and robust data breach plan or playbook will alleviate stress levels in the heat of the moment. It also shows, as an organisation, you are on-point with your response to a breach.