Meeting prospective clients’ due diligence demands

September 2024

Proving your data protection and information security credentials

Many businesses provide a service to other businesses, and once the pitch is done and you’re getting closer to signing that vital and lucrative contract, there can be a hurdle to overcome. Namely, meeting the client’s due diligence and supplier set up requirements.

For bigger well-known service providers this can be a breeze, but often small-to-medium sized organisations can find themselves grappling to prove their credentials. Requests can sometimes feel exasperatingly detailed, irrelevant or over-zealous.

Once you’ve got through the questions about sustainability, environmental impact, modern slavery, diversity, equality and inclusion, there will often be the need to answer questions about your approach to data protection and information security.

This will almost certainly be the case where your company’s services involve handling your prospective client’s personal data on their behalf. To use data protection terminology, if the client is the ‘controller’ and your organisation will act as their ‘processor’.

It’s important this relationship is clear, as there are specific contractual requirements for controllers-to-processors relationships under EU/UK GDPRs. Both parties need to meet their obligations. Are we a controller or processor?

So how can you get ahead of the game and be well-prepared? I’ve put together some key questions you may need to cover off. Some of these points will need to be included in any Controller-Processor Data Processing Agreement.

1. Do you have a Data Protection Officer?

Not all businesses need to appoint a DPO (despite most questionnaires expecting you to). If you don’t have a DPO, you may need to explain who in the organisation is responsible for data protection, and may need to be ready to justify why you don’t need a DPO. DPO Myth Buster

2. Do you have a dedicated Information Security team?

As well as being able to provide details of where responsibility for information security rests within your organisation, you’re also likely to be required to provide details of the security measures and controls you have in place to protect client data. This could for example be restricted access controls, use of encryption or pseudonymisation, back-ups, and so on. You may be asked if you have any form of security certification or accreditation.

Note: For contractual terms, such as a Data Processing Agreement/Addendum it’s likely you’ll need to include a summary of your security measures.

3. What data protection related policies do you have?

The most common requirement is being able to demonstrate you have a Data Protection Policy. This would be an internal policy which sets out data protection requirements and your expectations and standards for your staff. A client could ask to see a copy of this. They might also ask if you have more detailed policies or procedures covering specific areas of data protection such as a data retention, individual privacy rights and so on.

4. Where will your processing of client personal data take place?

Many clients will be looking to understand if an international data transfer (what’s known as a restricted transfer) will be taking place. Whether this is happening will be dependent on your client’s location and your own location – including the locations of any servers you’ll process client data on.

The client may want to confirm there are necessary ‘safeguards’ in place for any restricted transfers, to ensure such transfers meet legal requirements. Examples of these include an adequacy decision, Standard Contractual Clauses (with the UK Addendum if relevant) or a UK International Data Transfer Agreement. They may also ask you about Transfer Impact Assessments. International Data Transfers Guide

5. Do you sub-contract services to third-parties?

You need to be prepared to share details of any third-party companies you use to provide your services which involve the handling, including access to, your client’s personal data. These are referred to as ‘sub processors’. They’ll likely ask you to confirm in which country these sub-processors are based.

Note: International data transfers and working with sub-processors are key elements of the GDPR mandated contractual terms between a controller and processor.

6. What procedures do you have in place for handling a personal data breach?

You may be asked if you’ve suffered a data breach in recent years, and to provide details of your procedures for handling a data breach. We’d recommend all businesses have a data breach plan/procedure/playbook. If you’re acting as a processor for your client, you’ll need to inform them ‘without undue delay’ (often within 24 or 48 hours of becoming aware of the breach). Plus be ready to provide them with all relevant information about the incident rapidly, so they can assess their own data risks and report it to the relevant Data Protection Authority (such as the Information Commissioner’s Office) if appropriate.

7. Do you have a disaster recovery plan and backups?

The GDPR doesn’t detail specific requirements around resilience and disaster recovery – this will depend on the nature and sensitivity of the processing. But if you suffer a data breach (particularly a ransomware attack) you’ll want to make your systems have integrity and are fully operational again very quickly after the event. Your clients will expect this if their data could be affected, so expect to be asked tricky questions.

8. Do you have a Record of Processing Activities?

Organisations with more than 250 employees, or smaller organisations which handle large volumes of special category data or data related to criminal convictions are required under EU/UK GDPRs to have a Record of Processing Activities (RoPA). This requirement applies to both controllers and processors.

You may be asked to confirm you have a RoPA and might be asked more detailed questions about your record keeping. If you don’t fall under the RoPA requirement, you may still need to demonstrate a degree of record keeping relating to use of your client’s data.

9. Procedures for handling client individual privacy rights requests

If you are a processor, handling personal data on behalf of your client, it won’t be your responsibility to respond to privacy rights requests (such as Data Subject Access Requests or erasure requests). However, you may need to assist your client in fulfilling requests relating to the client data you hold. And if you receive a request relating to client data, this must be swiftly sent on to the client.

10. Privacy information

Don’t forget your Privacy Notice (aka Privacy Policy). Before a prospective client works with you, they may look at your website and take a peek at the privacy information you provide. If this is off the mark and fails to meet the key requirements, it could be a warning sign for them that you don’t take your data protection obligations seriously. Privacy Notices Quick Guide

The above is by no means an exhaustive list but should help you to be prepared for some of the key areas you may be questioned about.

At DPN, we often suggest processors prepare a factsheet or FAQ in advance of receiving these due diligence questionnaires. This can really help put your business on the front foot and demonstrate to your clients you’re on the ball for both data protection and information security. Crucially it speeds up the decision-making and onboarding process, as by being well prepared you no longer have to scrabble around at the last minute. So you can start work for your new client more quickly.

How to prevent DSAR complaint escalation

September 2024

Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24.

Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer.

This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will.

Any requestee has the potential to become dissatisfied and escalate matters to the ICO. More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they’d had already fired off their complaint to the ICO, and this was pre-GDPR!

I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper. This delving has led to a number of ICO DSAR-related reprimands being issued.

Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever.

Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too.

Here are my tips for getting on the front foot and mitigating the risk of complaint escalation.

6 golden rules for managing DSARs

1. Staff awareness & a sense of urgency

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away.

Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders.

Quick checklist:

Individual privacy rights are covered in new starter and refresher training.
Ongoing awareness via posters, intranet posts, newsletters etc.
Specialist training for those involved in the process of fulfilling requests.

2. Robust procedure

A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.

Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available in cases of long periods of absence like maternity or sickness leave.

3. Adequate resourcing

Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests.

In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump.

What happens if your go-to DSAR person is not available? The clock is ticking. You also need to factor in how to handle any spike in requests – seen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes?

There was a case in Belgium where the Data Protection Authority ruled the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance.

4. Assigned responsibilities

While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR.

It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, apply redactions, reviewing the response, approving it and sending it out securely.

5. Managing expectations and communicating

This is my personal favourite; quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive. Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply.

Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied).

6. Polished response

A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can for example explain;

The personal data being provided
Some of the internal processes (where appropriate)
Redactions have been applied to protect the privacy of others (if relevant)
Why an exemption has been applied (if relevant)
Legally necessary supplementary information, (or a link to a Privacy Notice if this covers matters sufficiently)

The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed.

Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t).

Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.

Data Protection Impact Assessments Guide

August 2024

A quick guide to managing DPIAs

This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process.

DPIAs not only help to protect people’s data, they also help to protect the business.

Google abandons plans to phase out third-party cookies

In big news for both digital advertising and online privacy Google has announced it won’t be phasing out third-party cookies.

Google had been working on ways to phase out third-party tracking cookies from it’s Chrome browser for 4 years. The idea was that instead of user’s personal data being shared with hundreds of third-party advertisers, Google would take control and do the tracking within the Chrome browser.

The so-called ‘Privacy Sandbox’ is Google’s initiative to develop technologies that protect privacy while also providing tools for digital businesses. But they’ve faced numerous challenges in developing an acceptable alternative to third party cookies which satisfies all parties involved. The advertising sector has been nervous about the effectiveness of the initiatives and their impact on campaign performance. On the other side of the equation Data Protection Authorities have and raised concerns around privacy and transparency. This very delicate balancing act now appears to have fallen from its tightrope!

Google has now decided to keep third party cookies, but give users enhanced privacy options, which could apply across all their Google browsing. In all of this let’s also remember 3rd party cookies cannot be used in Safari or Firefox.

What does this mean for advertisers and publishers?

Over recent years, enlightened advertisers have been looking to start to diversify their activities to reduce reliance on third-party cookies. Life after cookies

Some advertisers may feel a sense of relief this long-running saga is over (for the time being), and revenue streams which were in question before this announcement now look healthier. But there may also be frustration at the time and effort spent looking for privacy-friendly advertising solutions with limited success.
The Privacy Sandbox will continue to evolve and given time may still yield more benefits for advertisers and publishers, as well as consumers and regulators.

Publishers may see changes in how they monetise their content with ads. The emphasis could shift towards leveraging first-party relationships and potentially new advertising models yet to emerge from Google’s Privacy Sandbox.

What does this mean for consumers?

Consumers are increasingly seeking control over their personal data and how they are tracked online. In our daily browsing we face a plethora of cookie banners of differing types – some far less clear and transparent than others.
Whilst there’s a genuine weariness of cookie banners, there’s also been an increase in users choosing to opt out of cookies used for tracking and ad targeting. We may be set for more of the same in the short term. Although regulators may decide now is the time to start to enforce against non-compliant use of cookies.

Charles Ping, Managing Director, Europe at Winterberry Group says the road ahead is not straight-forward:

“Google’s decision to take a different path on the elimination of third-party cookies is an acknowledgment that this stuff is really hard. Making unilateral changes when you have Google’s level of market dominance will always create winners and losers, and the most recent CMA report demonstrated the journey set out in early 2020 had become a Sisyphean task.

However, the success of the mooted solution to give consumers choice, whilst delivering a degree of “cover” to Google that has been absent in recent times, won’t be plain sailing. We have learnt through many years of data collection statements and through the improving opt in rates in world of Apple’s App Tracking Transparency (ATT), that the type of questions asked and how they are actually presented will make a massive difference to the outcome. The devil, as always, is in the detail, but giving consumers choice is, in principle, a great move forward”

Labour’s plans for data protection, cyber security and AI

July 2024

What we know so far about the Government’s agenda

Of the forty or so Bills announced in the Government’s first King’s Speech, some are specifically relevant for those working in the data protection, digital information and data security space. In a significant move, the Government has specifically appointed a Minister of State for Data Protection and Telecomms.

At this stage, the full scope of the Government’s plans is not known. However, the background briefing notes to the King’s Speech give us a little insight into what these Bills may cover.

Digital Information and Smart Data Bill (DISD)

Ready for a new acronym? The DISD Bill appears to resurrect some of the provisions in previous Government’s Data Protection and Digital Information Bill (DPDI) which was abandoned when the snap election was called. But those hoping for significant reform of UK GDPR and less onerous data protection obligations may be disappointed. It looks like the Government will take a different approach, focusing on enabling data sharing with the aim of facilitating economic growth.

The background briefing paper says the Bill “will enable new innovative uses of data to be safely developed and deployed and will improve people’s lives by making public services work better by reforming data sharing and standards; help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure your data is well protected by giving the regulator (the ICO) new, stronger powers and a more modern structure”. The Bill looks likely to focus on:

Digital identity verification (aka digital ID cards) aimed at enabling people to use digital identities to ease processes such as moving house, buying age-restricted products and pre-employment checks.

‘Smart data’ measures designed to facilitate the ability to share personal data across platforms and with third parties. This is likely to expand on the success of Open Banking which allows customers to easily share their account information with third parties to facilitate payments.

ICO reform to introduce a national Information Commission and move away from having all powers and functions resting with one Commissioner. A move supported by John Edwards, the current Information Commissioner.

■  Consent provisions for scientific research to enable scientists to ask for broad consent for legitimate scientific research.

It will be interesting to see whether industry lobbying can influence the shape of this Bill. The Data & Marketing Association (DMA) is advocating for twelve reforms which it says will make a difference to businesses and charities. These include greater certainty around the use of the Legitimate Interests lawful bases, reducing bureaucracy for small businesses, reducing the consent requirements for non-intrusive cookies and extending the use of the email soft opt-in for non-commercial organisations. Read more in the DMA statement  techUKuJ has also published an open letter to the Government on the need for data protection legislation to be modernised.

Cyber Security and Resilience Bill

The ‘Cyber Bill’ aims to introduce measures to strengthen the UK’s cyber defences. It’s likely to give regulators more powers to push organisations to bolster their cyber defence measures and we could see some form of mandatory cyber incident reporting. It’s likely this this Bill will expand on the existing Network and Information Systems Regulations 2018 and introduce rules which apply beyond essential services to include digital services and supply chains. In the EU, we’ve already seen NIS Regulations updated to NIS2, so this could be mirrored in the UK.

AI Approach

There was no official announcement of an AI Bill, in fact there was surprisingly little reference to AI in the speech itself, other than to state the Government will “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. It was widely predicted there would be an AI Bill announced in the King’s Speech and that we’d see a Labour Government wanting to more closely align with the EU’s approach. The EU AI Act comes into force this year, but it’s now clear a comprehensive approach to regulating AI does not seem to be on the cards in the UK, at least not for the time being.

Meet the Ministerial Team

The Government has announced the following ministerial team:

□ Peter Kyle MP, Secretary of State for Science, Innovation and Technology
□ Lord Patrick Vallance KCB, Minister of State for Science, Research and Innovation
□ Sir Chris Bryant MP, Minister of State for Data Protection and Telecomms
□ Feryal Clark MP, Parliamentary Under-Secretary of State for AI and Digital Government
□ Baroness Jones, Parliamentary Under-Secretary of State for the Future Digital Economy and Digital Safety.

It’s noteworthy the Government has created a Minister of State for Data Protection and Telecomms, a move which may signal a greater emphasis on data protection matters and people’s privacy rights? Chris Bryant will have responsibility for digital infrastructure and telecomms, Building Digital UK, data protection, the ICO, digital inclusion, space sector growth and the UK Space Agency.

Monitoring employees and data protection

Is it transparent, reasonable and proportionate?

There are plenty of reasons why employers might want to monitor staff; to check they’re working, to detect and prevent criminal activity, to make sure people are complying with internal policies, to check their performance, for safety and security reasons, and so on.

With significant advances in technology, there are multiple options available for employees seeking to monitor their workforce, such as:

  • Camera surveillance, including CCTV and body worn cameras
  • Webcams and screenshots
  • Monitoring timekeeping or access control using biometric data
  • Keystroke monitoring
  • Internet tracking for misuse
  • Covert audio recording

Add the growing number of AI-powered solutions into the mix, and the opportunities are seemingly endless. I’ve even seen demos of AI tools which sentiment check emails; scanning the language employees use to detect content which might be discriminatory, bullying or aggressive.

Just because a range of monitoring technologies exist, doesn’t mean we should use them.

A survey commissioned by the UK’s Information Commissioner’s Office in 2023 revealed almost one in five people believe they’ve been monitored by their employer, and would be reluctant to take a job if they knew they were going to be monitored. This research showed 70% of the public believe it’s intrusive to be monitored in the workplace.

However, there is a broad understanding employers might carry out checks on the quality and quantity of their work and an appreciation there may be a necessity to do this proportionately to meet health and safety or other regulatory requirements. Emily Keaney, the ICO’s Deputy Commissioner of Regulatory Policy says “While data protection law does not prevent monitoring, it must be necessary, proportionate and respect the rights and freedoms of workers. We will take action if we believe people’s privacy is being threatened.”

Earlier this year, the ICO did just that, and ordered a Leisure Company to stop using biometric data to monitor their staff. You can read more about the case here: using biometrics to monitor staff

To prevent monitoring employees in an overly intrusive and disproportionate way, it’s crucial to carefully consider any planned monitoring activity and make sure it’s a reasonable thing to be doing.

Workplace monitoring checklist

Here are some of the key considerations to take into account:

1. Is it `lawful, fair and transparent?

To be lawful you need to identify a lawful basis under UK GDPR and meet relevant conditions. Remember, consent would only work where employees have a genuine and fair choice. Often an imbalance of power means consent is not appropriate in an employee context. Employees may feel duty-bound to give consent and therefore there may be an imbalance.

You may be tempted to rely your employment contract with individuals, (i.e the ‘contractual necessity’ lawful basis) but this would need to be genuinely necessary. Many employers may choose to rely on legitimate interests, but this requires a balancing test, and we’d highly recommend conducting and keeping a record of your Legitimate Interests Assessment (LIA).

To be fair you should only monitor workers in ways they would reasonably expect, and in ways which wouldn’t have unjustified adverse effects on them. The ICO says you should conduct a Data Protection Impact Assessment to make sure any monitoring is fair and proportionate.

To be transparent you must be open and upfront about what you’re doing. Monitoring should not routinely be done in secret. Monitoring conducted without transparency is fundamentally unfair. There may however be exceptional circumstances where covert monitoring is justified.

2. Will monitoring gather special category data information?

If monitoring involves special category data, you’ll need to identify a special category condition, as well as a lawful basis. Special category data includes data revealing racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health or data about a person’s sex life or sexual orientation.

You may not automatically think this is relevant, but be mindful even monitoring emails, for example, could, without appropriate controls in place, lead to the processing of special category data.

3. Have you clearly set out your purpose(s) for employee monitoring?

You need to be clear about your purpose(s) and not monitor workers ‘just in case’ it might be useful. Personal details captured should not subsequently be used for a different purpose, unless this is assessed to be compatible with the original specified purpose(s).

4. Are you minimising the personal details gathered?

Organisations are required to not collect more personal information than they need to achieve their defined purpose(s). This should be approached with care as many monitoring technologies and methods have the capability to gather more information than necessary. You should take steps to limit the amount of data collected and how long it’s necessary to retain it for.

5. Is the information gathered accurate?

You need to take all reasonable steps to make sure the personal information gathered through monitoring workers is accurate and not misleading, or taken out of context, and people should have the ability to challenge the results of any monitoring.

6. Have you decided how long information will be kept?

Personal information gathered must not be kept for any longer than is necessary. It shouldn’t be kept just in case it might be useful in future. Organisations must have a data retention schedule and delete any information in line with this. The UK GDPR doesn’t tell us precisely how long this should be, but other laws might. Organisations need to be able to justify any retention periods they set.

7. Is the information kept securely?

You must have ‘appropriate technical and organisation measures’ in place to protect personal information. Technical measures include things like firewalls, encryption, multi-factor authentication, and so on. Data security risks should be assessed, access should be restricted, and those handling the information should receive appropriate training.

If monitoring is outsourced to a third-party processor, you’ll be responsible for compliance with data protection law.

8. Are you able to demonstrate your compliance with data protection law?

Organisations need to be able to demonstrate their compliance with UK GDPR. This means making sure appropriate policies, procedures and measures are put in place for workplace monitoring activities. And let’s also consider any monitoring of workers who work from home, or other ‘offsite’ locations. As with everything this must be proportionate to the risks. The ICO says organisations should make sure ‘overall responsibility for monitoring workers rest at the higher senior management level’.

Monitoring people is by its very nature intrusive, it must be proportionate, justified and people should in most circumstances be told it’s happening.

The ICO has published detailed guidance on this: Employment practices and data protection: monitoring workers and the regulator’s overriding message is organisations should carry out a DPIA if they’re considering monitoring their staff.

Data Protection and what the Labour Government should do

July 2024

What should Kier Starmer’s team do about data protection?

After the Conservative Party’s crushing defeat on July 4th, we now have a Labour administration. As the General Election was called, the Data Protection and Digital Information Bill was progressing through Parliament. Although many thought it might be just pass before an Election, the decision by Rishi Sunak to gamble everything on an early election led to the Bill’s abandonment.

The Bill itself was controversial, proposing a mixed bag of changes to data protection and ePrivacy laws. Views within the industry were, it is fair to say, divided.

I’ve asked industry insiders the question; What should the new Government do with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and AI? Here’s what they say.

Steve Wood, Founder & Director, PrivacyX Consulting and former UK Deputy Information commissioner

“The New Government should firstly take a step back to consider its approach to public engagement on data and AI, particularly with civil society. As they seek to use AI to transform the public sector, a planned and long-term approach to meaningful transparency and engagement is vital. There are good foundations to build on for AI policy and the new Government should look at options to put AI principles on a statutory footing and what additional oversight and coordination is needed to make them effective.

There is scope for a focused AI and Data Bill, learning the lessons of the complexity and confusion in the DPDI Bill and what will really improve the outcomes of the data protection regime – for people and organisations. Changes to GDPR that should remain on table include the new Information Commission reforms, the data protection test for internation transfers and an exemption for analytics cookies.”

You can read more of Steve’s thoughts in his Substack blog – A Digital Policy Memo for the Minister’s Red Box

Chris Combemale, CEO, Data & Marketing Association (DMA)

“The DMA continues to believe that reforming the data protection regime in the UK is fundamental to driving growth, innovation, and wealth creation in the country. Doing so would be a strong sign of the new Government’s commitment to the industry and business.  Amongst the most important reforms for DMA members are:

1. Reforms that establish greater certainty for the use of legitimate Interests as a lawful basis particularly attracting and retaining new customers
2. Reforms that clarify how data can be better used to support scientific research and technology development
3. Reforms that reduce bureaucracy for small business
4. Reforms that enable Smart Data schemes to be introduced in appropriate sectors
5. Reforms that reduce the consent requirements for non-intrusive cookies
6. Reforms that update the law to enable beneficial update of automated decision-making like AI while maintaining strong safeguards

These reforms are consistent with the Labour Policy Forum position and indeed were supported by Labour during scrutiny of the former government’s DPDI Bill. The DMA will work closely with the incoming government to ensure these reforms become law.”

Read Chris’ Open Letter to all political parties

Robert Bond, Senior Counsel, Privacy Partnership Law and Chair, DPN Advisory Group

“The new Government needs to ensure that any changes it makes to our data protection regime do not harm our “adequacy” with the EU. However, I would welcome a review of the reliance on Legitimate Interest as a lawful ground for processing to bolster this useful ground. I would like to see a review of PECR and a proactive focus on practical AI legislation.”

Gerald Coppin, Deputy Group Data Protection Officer, Springer Nature

“I feel a Labour government should work on an international effort to harmonise the data privacy laws across major jurisdictions, it could make it easier for businesses to manage regulatory requirements. They could recommend or mandate techniques like differential privacy, federated learning, and synthetic data generation to enable AI development without compromising individual privacy. As well as expanding regulatory sandboxes that allow companies to test innovative AI applications in a controlled environment, while ensuring privacy safeguards are in place. A reduction in paperwork to prove compliance with the different laws would be MOST welcome!!”

Debbie Evans, Managing Director, FTI Consulting

“I want to be optimistic about change however, it’s not going to be without challenge. Whilst I’m not proclaiming any particular political persuasion – my personal hope is that individual rights are given more visibility. Businesses consequently will need to take compliance more seriously as laws strengthen.”

Eduardo Ustaran, Partner, Hogan Lovells

“My view is that the new UK Government should aim to realise the opportunity to place the UK as a global leader in these areas. The UK is in an ideal sweet spot because it is close enough to the EU’s policy objectives of providing the highest levels of protection for personal data and human rights in the face of today’s AI revolution, but also understands the crucial importance of technological innovation for growth and prosperity. That combination is particularly attractive for responsible global businesses to model their regulatory compliance strategies for privacy, cybersecurity and AI. This is a crucial issue for the UK Government to get right and support its primary goal of growing the economy.”

Charles Ping, Managing Director, Europe, Winterberry Group

“Labour has a big task ahead, and by its own admission, limited resources. So using the eco-friendly mantra of reduce, reuse and recycle they should take all three aspects into evolving our data protection legislation. Reduce the wasted time on devising new policy objectives in this area when there was cross party consensus on the currently lifeless Data Protection of Digital Information Bill. Reuse, because the bill is pretty much “oven ready”, if that phrase hasn’t been rendered entirely valueless by a previous administration.

Recycle the old bill and ensure an expedited path through the corridors and meeting rooms of Westminster. I can’t see a new administration (or country) wanting a traditional summer recess, so this legislation should have time to whistle through and start making a difference.”

Eleonor Duhs, Partner and Head of Data & Privacy, Wells Bates LLP

“I think the new Labour Government, as a priority, should deal with the uncertainty created by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”) about how to interpret the UK’s data protection frameworks. REULA has turned the statue book on its head, with domestic law (whenever enacted) taking precedence over any law that was previously EU law (including UK GDPR). An example of the unintended consequences of this is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018 every other group in society now has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated. In order to ensure data protection standards in the UK remain high the new Labour government should bring forward legislation. It could either use the powers in REULA to reintroduce deleted principles in order to bring clarity and legal certainty. Alternatively, the best course of action may be to enact bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure it continues to be current and tracks accepted EU and international standards. This would support growth and avoid the risk of losing the UK’s data adequacy decision which is due to be reviewed next year.”

You can read more from Eleonor on the REULA here

While I appreciate reforming data protection law may prove not to be a high priority for the new Starmer Government, to offer my tuppence, if Labour does nothing else, I’d urge them to revise PECR. It’s desperately out of date, first introduced over 20 years ago, and then updated back in 2009 with the ‘cookie law’. The world has moved on. There were some proposed changes to PECR under the DPDI Bill which I favoured. In particular, a change allowing not-for-profits to take advantage of the so-called soft opt-in exemption to consent for marketing emails / texts. This is currently only available in a commercial context, which I feel is unfair. As others have mentioned, I’d also like to see a revision of the consent rules for website analytics cookies.

Understanding and handling Special Category Data

July 2024

Why is it special and what does data protection law tell us we need to do?

There is a distinct subset of personal data which is awarded ‘special’ protection under data protection law. This subset includes information for which people have been persecuted in the past, or suffered unfair treatment or discrimination, and still could be. These special categories of personal data are considered higher risk, and organisations are legally obliged to meet additional requirements when they collect and use it.

Employees need to be aware special category data should only be collected and used with due consideration. Sometimes there will be a clear and obvious purpose for collecting this type of information; such as a travel firm needing health information from customers, or an event organiser requesting accessibility requirements to facilitate people’s attendance. In other situations it will be more nuanced.

What’s special category data?

Special Categories of Personal Data under UK GDPR (and it’s EU equivalent), are commonly referred to as special category data, and are defined as personal data revealing:

  • Racial or ethnic origin e.g. diversity and inclusion data
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership

The definition also covers:

  • Genetic data
  • Biometric data (where this is used for identification purposes)
  • Data concerning health e.g. medical records, sickness records, accessibility requirements and so on.
  • Data concerning a person’s sex life or their sexual orientation. E.g. diversity and inclusion data

Inferring special category data

Sometimes your teams might not realise they’re collecting and using special category data, but they might well be.

It’s likely if you have inferred or made any assumptions based on what you know about someone, for example they’re likely to have certain political opinions, or likely to suffer from a certain health condition, this will mean you are handling special category data.

There was an interesting ICO investigation into an online retailer which found it was targeting customers who’d bought certain products, assuming from this they were likely to be arthritis sufferers. This assumption meant the retailer was judged to be processing special category data.

If you collect information about dietary requirements these could reveal religious beliefs, for example halal and kosher. It’s also worth noting in 2020 a judge ruled that ethical veganism qualifies as a philosophical belief under the Equality Act 2010.

Other ‘sensitive’ data

There’s sometimes confusion surrounding what might be considered ‘sensitive’ data and what constitutes special category data. I hear people say “why is  financial data not considered as sensitive as health data or ethnic origin?’ Of course, people’s financial details are sensitive and organisations do still need to make sure they’ve got appropriate measures in place to protect such information and keep it secure. However, UK GDPR (and EU) sets out specific requirements for special category data which don’t directly apply to financial data.

To understand why, it’s worth noting special protection for data such as ethnicity, racial origin, religious beliefs and sexual orientation was born in the 1950s, under the European Convention on Human Rights, after Europe had witnessed people being persecuted and killed.

Special Category Data Requirements

In a similar way to all personal data, any handling of special category data must be lawful, fair and transparent. Organisations need to make sure their collection and use complies with all the core data protection principles and requirements of UK GDPR. For example;

  • Do you have a clear purpose and reason for collecting/using special category data?
  • Have you identified a lawful basis? For example:
    • is this data necessary in order for you to fulfil a contract you have with the individual?
    • Are you legally obliged to hold this data?
    • Should you be seeking their consent?
    • Or is there another appropriate lawful basis?  Quick Guide to Lawful Bases.
  • Have you told people what their special category data will be used for? What does your Privacy Notice tell people? Have people seen your Privacy Notice?
  • Can you minimise the amount of special category data you are collecting?
  • Have you decided how long this data will be kept for?
  • How will you make sure this data is not used for another different purpose?
  • What security measures will you put in place? e.g. can you limit who has access to this data?

What makes special category data unique is it will be considered a higher risk than other types of data, and also requires you to choose a special category condition.

Other key considerations and requirements

Risk Assessments

Confirm whether you need to conduct a Data Protection Impact Assessment for your planned activities using special category data. DPIAs are mandatory for any type of processing which is likely to be high risk. This means a DPIA is more likely to be needed when handling special category data. That’s not to say it will always be essential, it really will depend on the necessity, nature, scale and your purpose for using this data.

Special Category Condition

Alongside a lawful basis, there’s an additional requirement to consider your purpose(s) for processing this data and to select a special category condition. These conditions are set out in Article 9, UK GDPR.

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Associated condition in UK Law

Five of the above conditions are solely set out in Article 9. The others require specific authorisation or a basis in law, and you’ll need to meet additional conditions set out in the Data Protection Act 2018.

If you are relying on any of the following you also need to meet the associated condition in UK law. This is set out in Part 1, Schedule 1 of the DPA 2018.

  • Employment, social security and social protection
  • Health of social care
  • Public health
  • Archiving, research and statistics.

If you are relying on the substantial public interest condition you also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.

The ICO tells us for some of these conditions, the substantial public interest element is built in. For others, you need to be able to demonstrate that your specific processing is ‘necessary for reasons of substantial public interest’, on a case-by-case basis. The regulator says we can’t have a vague public interest argument, we must be able to ‘make specific arguments about the concrete wide benefits’ of what we are doing.

Appropriate Policy Document (APD)

Almost all of the substantial public interest conditions, plus the condition for processing employment, social security and social protection data, require you to have an APD in place. The ICO Special Category Guidance in includes a template appropriate policy document.

Privacy Notice

A privacy notice should explain your purposes for processing and the lawful basis being relied on in order to collect and use people’s personal data, including any special category data. Remember, if you’ve received special category data from a third party, this should be transparent and people should be provided with your privacy notice.

Data breach reporting

You only have to report a breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals, and if left unaddressed the breach is likely to have a significant detrimental effect on individuals. Special category data is considered higher risk data, and therefore if a breach involves data of this nature, it is more likely to reach the bar for reporting. It is also more likely to reach the threshold of needing to notify those affected.

In summary, training and raising awareness are crucial to make sure employees understand what special category data is, how it might be inferred, and to know that collecting and using this type of data must be done with care.