Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy. 

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research, approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is: not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with:

1.     Do I need to worry about data protection regulation? 

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all, and it will depend on the risk appetite of your organisation.

2.     Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis. 

3.     Do I need a RoPA (Record of Processing Activity)?

Maybe. There’s no escaping the fact that RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA if all of the following apply:

  • Processing does not pose a risk to the rights and freedoms of the data subject
  • No special category data is being processed
  • Processing is only done occasionally

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not.

There are changes afoot with regard to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4.     Do I need to register with ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not for profit status is a possible example. 

5.     Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6.     How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step-by-step setup guides. There is really no excuse not to have a cookie notice.

7.     What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them? 

8.     What about Individual Rights? 

Yes. Every individual has clear rights and, irrespective of the size of the organisation, you need to fulfil these requests.

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business but it’s important to decide how to recognise and respond to these requests from individuals. 

9.     Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are: 

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

10.  What about International Data Transfers? 

Hopefully no! If you and your suppliers are only operating in the UK and Europe, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When the EU-US Privacy Shield was invalidated in 2020, this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to only work with companies based in the UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three and the reality is that you must accept they’re not going to change anything for you, or choose not to use them. 

Conclusion

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care. 

There’s more helpful information available on the ICO’s Small Business Hub.

Data Breach Reporting: Speedy 8-point checklist

July 2022

What are the key questions the ICO will want answers to?

Data breaches can be a pain. They’ll usually arrive when you least expect them, and your organisation will want them dealt with pronto.

With that in mind, preparation is everything: knowing in advance what questions need answering saves precious time while investigations take place, facts are gleaned and mitigating measures are considered. All as the clock continues to tick.

Remember – NOT ALL breaches need to be reported

As a quick recap, we aren’t obliged to report every breach. There’s a clear proportionality test around the potential impact of the breach on an individual. The ICO tells us:

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report.

Our Data Breach Guide takes you through the key steps of establishing the facts and assessing whether a breach needs to be reported or not. You can download a copy here.

You’ve judged the breach reportable

Once you’ve assessed there’s likely to be a risk to affected individuals, you need to submit a report to the ICO. This must be done within 72 hours of becoming ‘aware’ of the breach.

(You’re considered to be ‘aware’ at the point there’s a reasonable degree of certainty a security incident has occurred which might have led to personal data being compromised).

The ICO has a helpful online data breach reporting form, which many organisations might choose to use.

And remember, you don’t have to have all the facts to submit an initial report, you can provide updates. The online form gives options on this.

(Please note this is sector dependent: telecoms and internet providers, as well as organisations in the health and communications sectors have distinct reporting requirements).

8-point checklist – the answers you’ll need

1. What went wrong?
Can you describe what happened, how it happened and how it was discovered? When did it happen and when did you discover it?

2. What type of data is affected?
Are basic identifiers, contact details, user passwords, bank account numbers, passport details or other personal data affected? Does the incident involve any special category data such as health data, biometrics, political opinions or sexual orientation?

3. Who is affected?
Whose data is it? Employees, students, subscribers, clients or patients?

4. What’s the volume?
Do you have an exact figure, or an estimate, for how many records are involved and how many people could be affected?

5. What’s the risk?
What damage or harm has already happened? What further impact is anticipated? Is there a ‘high’ risk to those affected? (If so, you’ll also need to notify the individuals concerned.)

6. What training have staff had?
Can you confirm the staff member(s) involved in the breach have received data protection training in the past two years? What’s the nature and frequency of the training? (Be sure to also have a brief description of the training content at hand)

7. What actions have you taken?
What have you done to limit the impact? What’s been done to prevent a reoccurrence? When do you expect mitigating measures to be in place (if they aren’t already)? What further actions will you be taking?

8. Who else have you told?
Have you told affected individuals, or are you planning to? Have you told any other organisations about the breach?

Crucial to easing the potential fallout of a breach is being ready for one. A pre-prepared and robust data breach plan or playbook will alleviate stress levels in the heat of the moment. It also shows, as an organisation, you are on-point with your response to a breach.

Privacy enhancing technologies and how they can help

Driving innovation without overlooking privacy controls

As new technologies and ‘big data’ solutions evolve and gain traction across the globe, organisations are increasingly gathering and using people’s data in more creative and innovative ways.

We often hear how the volume of data generated in the past two years alone is greater than that gathered in all previous human history.

Against this backdrop, there’s a growing need to make sure we protect the privacy of individuals whose data we handle. Organisations need to use appropriate and effective technical and organisational measures to protect people’s data. This is the essence of Data Protection by Design.

We need to consider both legal and ethical issues, as well as the reputation risk from a data breach.

Are some organisations becoming too risk-averse? We’ve seen it happen where an exciting new project with the potential to create huge benefits for customers (even society at large) is side-lined because the associated privacy risks are considered too significant.

How do we strike the right balance?

Balancing innovation and privacy

Privacy enhancing technologies (PETs) are designed to minimise personal data use, maximise security and give individuals control of their data. The use of PETs can reduce or potentially eliminate privacy risks.

The adoption of such technologies is often seen as a key component of successful data innovation, opening up new opportunities and benefits from personal data.

The term PETs includes a wide range of existing and emerging technologies. Generally speaking, these can be categorised as ‘hard’ and ‘soft’ privacy technologies. Here are some examples – this list is by no means exhaustive.

‘Soft’ privacy technologies

These are used by organisations to keep information secure and keep full control of how data is being used. They may rely on data minimisation, anonymisation and/or pseudonymisation. Examples include:

  • Access controls – to restrict access to personal data
  • Encryption – both for data in transit and at rest
  • Differential privacy – an algorithm which adds statistical ‘noise’ to the dataset, allowing patterns within the dataset to be analysed whilst maintaining the privacy of individuals.
  • Other de-identification techniques – such as redaction, tokenisation, hashing or zero-knowledge proofs (ZKP).
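To make the differential privacy bullet concrete, here is an added worked example (written for this page; it is not the ICO’s code nor any PET product’s) that releases a count over a constructed, fictional patient list with Laplace noise and checks the epsilon guarantee. The records and the epsilon value are assumptions for the illustration.

```python
"""Differential privacy for a count query using the Laplace mechanism."""
import math
import random

# Constructed sample data: fictional patient records with a yes/no flag.
# The "pattern" an analyst wants is the aggregate: how many have the condition?
RECORDS = [
    {"id": "p001", "has_condition": True},
    {"id": "p002", "has_condition": False},
    {"id": "p003", "has_condition": True},
    {"id": "p004", "has_condition": False},
    {"id": "p005", "has_condition": False},
    {"id": "p006", "has_condition": True},
    {"id": "p007", "has_condition": False},
    {"id": "p008", "has_condition": True},
    {"id": "p009", "has_condition": False},
    {"id": "p010", "has_condition": False},
]

# Sensitivity of a count query: adding or removing one person changes the
# true answer by at most 1, so the Laplace noise scale is 1 / epsilon.
COUNT_SENSITIVITY = 1.0


def true_count(records):
    """Exact number of records flagged True. This is what must not be released
    directly: comparing two exact releases could reveal one person's flag."""
    return sum(1 for r in records if r["has_condition"])


def laplace_quantile(p, scale):
    """Inverse CDF of Laplace(0, scale) for p in (0, 1); noise is drawn by
    feeding a uniform random p through this. p = 0.5 maps to zero noise."""
    if p < 0.5:
        return scale * math.log(2.0 * p)
    return -scale * math.log(2.0 * (1.0 - p))


def dp_count(records, epsilon, rng):
    """Release true_count + Laplace(0, sensitivity / epsilon) noise.
    Smaller epsilon means more noise: stronger privacy, less accuracy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    scale = COUNT_SENSITIVITY / epsilon
    # Clamp away from 0 and 1 so the log inside the quantile stays finite.
    p = min(max(rng.random(), 1e-12), 1.0 - 1e-12)
    return true_count(records) + laplace_quantile(p, scale)


def mean_release(records, epsilon, n_releases, seed=0):
    """Utility check: the average of many noisy releases stays close to the
    true count, so the aggregate pattern survives the noise."""
    rng = random.Random(seed)
    total = sum(dp_count(records, epsilon, rng) for _ in range(n_releases))
    return total / n_releases


def laplace_density(x, centre, scale):
    """Probability density of Laplace(centre, scale) at x."""
    return math.exp(-abs(x - centre) / scale) / (2.0 * scale)


def privacy_loss(x, epsilon):
    """How much more likely output x is under a dataset with true count c than
    under a neighbouring dataset (one person added) with count c + 1.
    The Laplace mechanism guarantees this ratio never exceeds exp(epsilon),
    which is exactly the epsilon-differential-privacy promise."""
    scale = COUNT_SENSITIVITY / epsilon
    return laplace_density(x, 0.0, scale) / laplace_density(x, 1.0, scale)


def max_privacy_loss(epsilon, lo=-50.0, hi=50.0, steps=2001):
    """Scan a range of possible outputs and return the worst-case ratio in
    either direction, to be compared against exp(epsilon)."""
    worst = 0.0
    for i in range(steps):
        x = lo + (hi - lo) * i / (steps - 1)
        r = privacy_loss(x, epsilon)
        worst = max(worst, r, 1.0 / r)
    return worst


if __name__ == "__main__":
    eps = 0.5  # assumed privacy budget for the demonstration
    rng = random.Random(42)
    print("true count       :", true_count(RECORDS))
    print("one DP release   :", round(dp_count(RECORDS, eps, rng), 2))
    print("mean of 4000     :", round(mean_release(RECORDS, eps, 4000), 2))
    print("worst-case ratio :", round(max_privacy_loss(eps), 4),
          "<= e^eps =", round(math.exp(eps), 4))
```

The worst-case ratio never exceeds e^epsilon whatever the true count is, which is why a single person joining or leaving the dataset barely changes what an observer can infer from the released number.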

‘Hard’ privacy technologies

These give online users control over their privacy when using digital services and applications. Examples include:

  • Virtual Private Networks (VPNs) – which give the user a private, encrypted connection while browsing the internet.
  • Onion routing – a technique where messages are wrapped in successive layers of encryption. Tor (which stands for ‘The Onion Router’) is a popular free-to-use anonymising browser based on onion routing.

The above examples are by no means exhaustive.

Selecting the right PETs for your organisation

The types of PETs your organisation uses will depend on the nature of your business, the sensitivity of the data you handle, the ways in which you use it, who you share it with, and so on.

Particularly private or sensitive data will clearly need a greater level of protection. It’s all about recognising where the risks lie and taking a proportionate approach.

Sharing data via secure APIs

A very common way to automate safe data sharing is via secure Application Programming Interfaces (APIs). APIs are regularly used to share selected data between internal systems, as well as with third parties. This is much more efficient and secure than sharing datasets via email by attaching spreadsheets, for example.

Where’s the ICO on PETs?

The ICO is currently preparing updated guidance on ‘Anonymisation, Pseudonymisation and Privacy Enhancing Technologies’, following a consultation which began in 2021. Alongside this, early this year the Regulator began consulting with health organisations to shape their thinking on PETs.

Healthcare sector data use

Data-driven technology and increased adoption of AI offer huge potential to improve service delivery in the public sector, not least in healthcare: from early diagnosis to infrastructure improvements and more personalised services.

The use of data for public services has never been more vital. Yet sharing more data also poses risks and challenges. Public trust in the way data is shared and used is vital and has to be earned.

In an environment like this, the adoption of effective privacy enhancing solutions is key; for example, using access control to restrict access to patient data based on the user’s role (e.g. doctor, consultant).

Stephen Almond, Director of Technology and Innovation at the ICO:

“Privacy-enhancing technologies (PETs) help organisations build trust and unlock the potential of data by putting data protection by design into practice.

“The healthcare sector handles highly sensitive data that could lead to life-changing, life-saving innovations. Yet organisations are not tapping into the benefits of PETs and we want to find out how to help them adopt these emerging technologies.”

To conclude…

Nobody wants to stifle innovation. We need to be able to balance great ideas and innovation with respect for people and their data.

Privacy enhancing technologies can be a valuable part of your privacy and information security toolkit, giving you the confidence to develop new products and services, knowing you have tackled the privacy risks.

What does the IKEA CCTV story tell us?

April 2022

Only set up video surveillance if underpinned by data protection by design and default

What happened?

Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in its Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation only concluded in late March 2022.

An IKEA spokesman said:

“Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”

The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.

They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.

“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.

“They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”

Apology and new ICO guidance

The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no. 

This apology conveniently coincides with the recent publication of new guidance on video surveillance from the ICO regarding the UK GDPR and the Data Protection Act 2018.

This guidance is not based on any changes in the legislation – more an update to provide greater clarity about what you should be considering.

Video surveillance definition

The ICO guidance includes all the following in a commercial setting:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dashcams (not domestic settings)

Guidance for domestic use is slightly different.

Before setting up your video surveillance activity 

As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).

As part of this exercise, one needs to identify:

  • the purpose of the surveillance
  • the appropriate lawful basis for processing
  • the necessary and proportionate justification for any processing
  • any data-sharing agreements
  • the retention periods for any personal data

As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.

Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:

  • Processing special category data
  • Monitoring publicly accessible places on a large scale
  • Monitoring individuals at a workplace

A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.

In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.

Introducing video surveillance

Once the risk assessment and RoPA are completed, other areas of consideration include:

  • Surveillance material should be securely stored to prevent unauthorised access
  • Any data transmitted wirelessly or over the internet requires encryption to prevent interception
  • How easily data can be exported to fulfil DSARs (Data Subject Access Requests)
  • Ensuring adequate signage is in place to define the scope of what’s captured and used

Additional considerations for Body Worn Video  

  • It’s more intrusive than CCTV so the privacy concerns are greater
  • Whether the data is stored centrally or on individual devices
  • What user access controls are required
  • Establishing device usage logs
  • Whether to use continuous or intermittent recording
  • Whether audio and video should be treated as two separate feeds

In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.

Ransomware attack leads to £98k ICO fine

March 2022

Solicitors firm failed to implement ‘adequate technical and organisational measures’

Are you using Multi-Factor Authentication? Are patch updates installed promptly? Do you encrypt sensitive data?

Reports of cyber security incidents in the UK rose 20% in the last 6 months of 2021.

These figures from the ICO, combined with the heightened threat in the current climate, provide a stark warning to be alert.

The ICO says: “The attacks are becoming increasingly damaging and this trend is likely to continue. Malicious and criminal actors are finding new ways to pressure organisations to pay.”

Against this backdrop, the ICO has issued a fine to a solicitors’ firm following a ransomware attack in 2020.

The organisation affected was Tuckers Solicitors LLP (“Tuckers”) which is described on its website as the UK’s leading criminal defence lawyers, specialising in criminal law, civil liberties and regulatory proceedings.

While each organisation will face varying risks, this case highlights some important points for us all.

Here’s a summary of what happened, the key findings and the steps we can all take. For increasing numbers of organisations this case will unfortunately sound all too familiar.

What happened?

On 24 August 2020 Tuckers realised parts of its IT system had become unavailable. Shortly afterwards, its IT team discovered a ransomware note.

  • Within 24 hours it was established the incident was a personal data breach and it was reported to the ICO.
  • The attacker, once inside Tuckers’ network, installed various tools which allowed for the creation of a user account. This account was used to encrypt a significant volume of data on an archive server within the network.
  • The attack led to the encryption of more than 900,000 files of which over 24,000 related to ‘court bundles’.
  • 60 of these bundles were exfiltrated by the attacker and released on the ‘dark web’. These compromised files included both personal data and special category data.
  • The attacker’s actions impacted the archive server and backups. Processing on other services and systems was not affected.
  • By 7 September 2020, Tuckers updated the ICO to say the servers had been moved to a new environment and the business was operating as normal. The compromised data was effectively permanently lost; however, the material was still available in a management system unaffected by the attack.
  • Tuckers notified all the parties identifiable within the 60 released court bundles except seven for whom it had no contact details.

Neither Tuckers, nor third party investigators, were able to determine conclusively how the attacker was able to access the network in the first place. However, evidence was found of a known system vulnerability which could have been used either to access the network or to further exploit areas of Tuckers once inside the network.

What data was exfiltrated?

The data released on the ‘dark web’ included:

  • Basic identifiers
  • Health data
  • Economic and financial data
  • Criminal convictions
  • Data revealing racial or ethnic origin

This included medical files, witness statements and alleged crimes. It also related to ongoing criminal court and civil proceedings.

Tuckers explained to the Regulator, based on its understanding, the personal data breach had not had any impact on the conduct or outcome of relevant proceedings.

However, the highly sensitive nature of the data involved increased the risk and potential adverse impact on those affected.

Four key takeaways

The ICO makes it clear in its enforcement notice that primary culpability for the incident rests with the attacker. But clear infringements by Tuckers were found.

The Regulator says a lack of sufficient technical and organisational measures gave the attacker a weakness to exploit.

Takeaways from this case:

1) Multi-Factor Authentication (MFA)

Tuckers’ GDPR and Data Protection Policy required two-factor authentication, where available. It was found that Multi-Factor Authentication (MFA) was not used for its ‘remote access solution’.

The ICO says the use of MFA is a relatively low-cost preventative measure which Tuckers should have implemented.

The Regulator concluded the lack of MFA created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack.

Takeaway: If you currently don’t use MFA, now would be a good time to implement it.

2) Patch management

The case reveals a high-risk security patch was installed in June 2020, more than FOUR months after its release.

The ICO accepts the attacker could have exploited this vulnerability during the un-patched period.

Considering the highly sensitive nature of the personal data Tuckers were handling, the Regulator concludes they should not have been doing so in an infrastructure containing known critical vulnerabilities. In other words the patch should have been installed much sooner.

Takeaway: Make sure patches are installed promptly, especially where data is sensitive.

3) Encryption

During the investigation Tuckers informed the ICO the firm had not used encryption to protect data on the affected archived server.

While the Regulator accepts this may not have prevented the ransomware attack itself, it believes it would have mitigated some of the risks posed to the affected individuals.

Takeaway: Free, open-source encryption solutions are available. Alternatively, more sophisticated paid-for solutions are available for those handling more sensitive data.

Also it’s worth checking you’re adequately protecting archives to the same standard as other systems.

4) Retention

The enforcement notice reveals some ‘court bundles’ affected in the attack were being stored beyond the set 7-year retention period.

Takeaway: This again exposes a common issue for many organisations. Too often data is held longer than is necessary, which can increase the scale and impact of a data breach.

Our comprehensive Data Retention Guidance is packed with useful tools, templates and advice on tackling how long you keep personal data for.

What else can organisations do?

Clearly, we can’t be complacent and shouldn’t cut corners. We need to take all appropriate steps to protect personal data and avoid common pitfalls. Here are some useful resources to help you:

  • Cyber Essentials – The enforcement notice records that, prior to the attack, Tuckers was aware its security was not at the level of the NCSC Cyber Essentials scheme. In October 2019 it was assessed against the Cyber Essentials criteria and failed to meet crucial aspects of its requirements. Cyber Essentials was launched in 2014 and is an information security assurance scheme operated by the National Cyber Security Centre. It helps to make sure you have the basic controls in place to protect networks and systems from threats.
  • ICO Ransomware guidance – The ICO has recently published guidance which covers security policies, access controls, vulnerability management, detection capabilities and much more.
  • DPN Data Breach Guide – Our practical guide covers how to be prepared, how to assess the risk and how to decide whether a breach should be reported or not.

You can read the full details of this case here: ICO Enforcement Action – Tuckers Solicitors LLP

Data Breach Guide

How to handle a data breach

Our practical, easy-to-read guide takes you through how to be prepared for a breach, and how to assess the risks should you suffer a personal data breach.


This data breach guide covers:

  • Common causes of breaches
  • Data incident and breach planning
  • How to assess the risks
  • Breach reporting checklists
  • How technology can help

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular, meaning that they can accommodate different scenarios: you pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted. On September 27th 2021, the prior version of the SCCs expired.

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCCs arrangements in UK law thus re-instating the means by which we can lawfully export data to places such as the US. 

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner’s Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do. Good sense has prevailed. 


Data breaches: when to notify Regulators and affected individuals

January 2022

European Data Protection Board (EDPB) publishes new case-based guidelines on data breach notifications

As we know, not all personal data breaches need to be reported to Supervisory Authorities, such as the UK’s Information Commissioner’s Office, nor indeed to affected individuals. It all depends on the nature of the incident and risk posed. This can be a tricky decision to make.

What the law says about notifying a data breach

UK GDPR tells us where a breach is unlikely to result in a risk to the rights and freedoms of individuals, it doesn’t need to be reported to the ICO. Furthermore, it tells us we should inform affected individuals only where it is likely to result in a high risk.

Assessing data breach risks

The key then, after establishing an incident involves personal data, is to assess the risk it poses to the people whose details are affected. This can sometimes be complex, and the law gives us a short timescale to make an assessment. As we know, personal data breaches which are likely to represent a risk to individuals need to be reported to the ICO (or other DPA) within 72 hours of becoming aware of the breach.

This leaves many to err on the side of caution; that’s to say they notify for fear of making the wrong decision.

Our Privacy Pulse Survey 2022 provides some interesting insight on the number of breaches organisations are experiencing, the volumes being reported to the ICO, and the numbers communicated to affected individuals.

Case studies to help our risk assessment

Helpfully, the EDPB has published new guidelines which provide some useful examples. These are designed to be complementary to the previously published Guidelines on Personal data breach notification.

The types of scenarios covered include:

  • Ransomware
  • Exfiltration of data from websites
  • Data ‘stolen’ by an employee
  • Accidentally sending data to a trusted party
  • Lost or stolen devices and paper documents
  • Errors by postal mail
  • Social engineering

In each case a common scenario is posed, and we are taken through the decision-making process with the following sections:

  • ‘Prior measures and risk assessment’
  • ‘Mitigations and obligations’

It’s stressed the analyses provided relate explicitly to the specific cases under scrutiny. We’re clearly warned if our circumstances differ slightly, the risk posed will also differ.

I have picked out several examples (please note these have been summarised).

Accidental transmission to a trusted party

An insurance agent noticed that – made possible by the faulty settings of an Excel file received by e-mail – he was able to access information related to two dozen customers not belonging to his scope. He is bound by professional secrecy and was the sole recipient of the e-mail. The arrangement between the data controller and the insurance agent obliges the agent to signal a personal data breach without undue delay to the data controller. Therefore, the agent instantly signalled the mistake to the controller, who corrected the file and sent it out again, asking the agent to delete the former message. According to the above-mentioned arrangement the agent has to confirm the deletion in a written statement, which he did. The information gained includes no special categories of personal data, only contact data and data about the insurance itself (insurance type, amount). After analysing the personal data affected by the breach the data controller did not identify any special characteristics on the side of the individuals or the data controller that may affect the level of impact of the breach.

In this case, the combination of a low number of affected individuals, the immediate detection and the measures taken leads to an assessment of ‘no risk’. In other words, there is no obligation to notify a Supervisory Authority or individuals. The incident should, however, be logged internally.

Stolen device containing unencrypted data

The electronic notebook device of an employee of a service provider company was stolen. The stolen notebook contained names, surnames, sex, addresses and dates of birth of more than 100,000 customers. Due to the unavailability of the stolen device it was not possible to identify if other categories of personal data were also affected. The access to the notebook’s hard drive was not protected by any password. Personal data could be restored from daily backups available.

This is clearly a case where there’s an obligation to notify the Supervisory Authority and affected individuals. Other examples are given where devices were encrypted, which leads to a different assessment of the risks posed and of the notification obligations.

Postal mail error

Two orders for shoes were packed by a retail company. Due to human error two packing bills were mixed up with the result that both products and the relevant packing bills were sent to the wrong person. This means that the two customers got each other’s orders, including the packing bills containing the personal data. After becoming aware of the breach the data controller recalled the orders and sent them to the right recipients. The bills contained the personal data required for a successful delivery (name, address, plus the item purchased and its price).

The EDPB says the controller should provide for a free return of the items and the accompanying bills, and should request the wrong recipients destroy / delete all copies of the bills containing the other person’s personal data.

In this specific set of circumstances, the assessment concludes the risk to be low. No special category data or other data is disclosed which might lead to substantive negative effects on those involved. Therefore there is no obligation to notify the Supervisory Authority or affected individuals. That said, communication with the individuals involved cannot be avoided, as their cooperation is needed to mitigate the risk.

Ransomware attack with proper backup and without exfiltration

The computer systems of a small manufacturing company were exposed to a ransomware attack, and data stored in those systems was encrypted. The data controller used encryption at rest, so all data accessed by the ransomware was stored in encrypted form using a state-of-the-art encryption algorithm. The decryption key was not compromised in the attack, i.e. the attacker could neither access it nor use it indirectly. In consequence, the attacker only had access to encrypted personal data. In particular, neither the email system of the company, nor any client systems used to access it were affected…
…After analysing the logs and the data collected by the detection systems the company has deployed, an internal investigation supported by the external cybersecurity company determined with certainty that the perpetrator only encrypted data, without exfiltrating it.
A backup was readily available, and the data was restored a few hours after the attack took place.

The assessment reached in this scenario is that the breach did not result in any consequences for the day-to-day operation of the manufacturing company, nor did it have any significant effect on the data subjects. Therefore, there is no obligation to notify the Supervisory Authority or communicate to individuals. The personal data breach should be internally logged.

There are further ransomware attack examples given, where the circumstances differ and notification would be required.

Our 7 key data breach takeaways

1. Develop a data breach plan and keep it under regular review
2. Assign a suitably knowledgeable data breach team (or have external experts on hand to support when required)
3. Have a methodology for assessing, evaluating and documenting risk (for example using a risk matrix)
4. Maintain a log of all personal data breaches, whether they’re judged notifiable or not
5. Keep a record of any justification for not notifying of a breach
6. Remember, a breach can be notified before all facts are known. A full assessment can run in parallel to notification and subsequent information learnt can be provided to the ICO (or other Supervisory Authority) in phases.
7. Training and awareness focused on data incident identification, expected actions and triage is essential for both controllers and processors.
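The case studies above and takeaways 3 to 6 describe a decision that is easy to get wrong under a 72-hour clock. Below is an added example of the kind of triage helper a breach team might keep to hand; it is not the EDPB’s or the ICO’s method and not code from this page. The factor names, the scoring weights and the thresholds are this example’s own assumptions, chosen so that the outcomes match the four summarised EDPB cases (no risk, high risk, low risk with cooperation needed, no risk), plus one constructed lost-USB case to show the middle outcome. It also produces the log entry every breach should get, whether notifiable or not, including the 72-hour deadline and a flag that a written justification is needed when the decision is not to notify.

```python
"""Illustrative personal-data-breach triage helper (added example).

Encodes the factors the EDPB case studies turn on (whether the data was
readable by an unauthorised party, whether it is permanently out of the
controller's control, special category data, scale, availability) and the
UK GDPR 72-hour clock. Weights and thresholds are assumptions, not law.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    LOG_ONLY = "log internally; no notification required"
    NOTIFY_SA = "notify the Supervisory Authority within 72 hours"
    NOTIFY_SA_AND_INDIVIDUALS = "notify the Supervisory Authority and affected individuals"


@dataclass(frozen=True)
class Breach:
    """Facts established during initial triage (field names are this example's own)."""
    name: str
    aware_at: datetime                   # when the controller became aware of the breach
    affected: int                        # number of data subjects involved
    readable_by_unauthorised: bool       # data was in the clear for whoever received or took it
    recipient_trusted_and_deleted: bool  # recipient bound by secrecy and confirmed deletion in writing
    permanently_out_of_control: bool     # e.g. unrecovered device, untraceable recipient
    special_category: bool               # health, criminal-offence data and the like
    restorable_from_backup: bool         # availability of the data is not lost
    cooperation_needed: bool             # affected people must act to mitigate (e.g. return items)


def risk_score(b: Breach) -> int:
    """Heuristic score over the assessment factors (assumed weights)."""
    score = 0
    if b.readable_by_unauthorised:
        # A secrecy-bound recipient who confirms deletion lowers, but does not erase, the impact.
        score += 1 if b.recipient_trusted_and_deleted else 2
    if b.permanently_out_of_control:
        score += 2
    if b.special_category:
        score += 2
    if b.affected >= 100_000:
        score += 2
    elif b.affected >= 1_000:
        score += 1
    if not b.restorable_from_backup:
        score += 1
    return score


def decide(b: Breach) -> Decision:
    """Map the score onto the UK GDPR tiers: no risk / a risk / a high risk (assumed thresholds)."""
    s = risk_score(b)
    if s >= 5:
        return Decision.NOTIFY_SA_AND_INDIVIDUALS
    if s >= 3:
        return Decision.NOTIFY_SA
    return Decision.LOG_ONLY


def triage(b: Breach, now: datetime) -> dict:
    """Build the log entry every breach gets, notifiable or not (takeaways 4 and 5)."""
    decision = decide(b)
    deadline = b.aware_at + timedelta(hours=72)  # clock runs from awareness, not from full assessment
    return {
        "breach": b.name,
        "risk_score": risk_score(b),
        "decision": decision.value,
        # Individuals are told when the risk is high, or when their cooperation is needed to mitigate.
        "contact_individuals": decision is Decision.NOTIFY_SA_AND_INDIVIDUALS or b.cooperation_needed,
        "sa_deadline": deadline.isoformat(),
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        # Notification can be made in phases, so a missing fact is no reason to wait past the deadline.
        "justification_required": decision is Decision.LOG_ONLY,
    }


# Constructed inputs mirroring the four summarised EDPB cases, plus one extra lost-USB case.
AWARE_AT = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
CASES = [
    Breach("insurance agent, misdirected spreadsheet", AWARE_AT, 24, True, True, False, False, True, False),
    Breach("stolen unencrypted notebook", AWARE_AT, 120_000, True, False, True, False, True, False),
    Breach("swapped postal orders", AWARE_AT, 2, True, False, False, False, True, True),
    Breach("ransomware, encrypted at rest, backup, no exfiltration", AWARE_AT, 500, False, False, False, False, True, False),
    Breach("lost unencrypted USB stick (constructed)", AWARE_AT, 300, True, False, True, False, True, False),
]
NOW_FOR_DEMO = AWARE_AT + timedelta(hours=10)


def demo(now: datetime = NOW_FOR_DEMO) -> dict:
    """Triage every constructed case and return the log entries keyed by breach name."""
    return {c.name: triage(c, now) for c in CASES}


if __name__ == "__main__":
    for entry in demo().values():
        print(entry)
```

The weights are deliberately simple so the reasoning is auditable: anyone reviewing the log can see which factor pushed a breach over a threshold, which is exactly the justification the regulator may later ask for. Real assessments should still be made by the breach team, with the score as a prompt rather than an answer.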

In summary…

The EDPB case-based guidelines are another helpful tool to support organisations in their handling of data breaches, and factors to consider during the risk assessment process. The ICO also has detailed data breach guidance and has published some useful data breach examples.