Data Protection Officers: Myth Buster

June 2022

We don't ALL currently need a DPO!

It irks me somewhat that the removal of the requirement to designate a DPO as part of the UK data reform plans is cited as a way of easing the legislative burden on small businesses.

The Government’s response to the Autumn consultation says ‘those who supported the removal of DPOs’ (who were in the minority) said this would be ‘beneficial for small businesses’. They’re pushing ahead, with much talk about how many of the planned changes will ease the burden on small businesses.

Let’s be absolutely clear, most small organisations are unlikely to fall under the current UK GDPR requirement to appoint a DPO. Many medium-sized businesses won’t necessarily need a DPO either.

Let’s also be clear if you fall under the mandatory requirement, or voluntarily choose to appoint a DPO, this is currently a clearly defined role in law. The GDPR sets out specific tasks a DPO is responsible for and the organisation has a duty to support the DPO to help them to fulfil these responsibilities.

The DPO Confusion!

I believe GDPR (perhaps inadvertently, through media coverage and elsewhere) created a degree of confusion about who needed a DPO and what the role actually entails.

It led many businesses to voluntarily appoint one, thinking they really should.  It led clients to include ‘do you have a DPO?’ in their due diligence questionnaires.  Suppliers to think, ‘oh we better have one.’

Some organisations understood the DPO requirements, others perhaps less so.  Many will have informed the ICO who their DPO is, others won’t.

Some DPOs will be striving to fulfil their designated tasks, others won’t have the resources to do this, some may be blissfully unaware of the legal obligations their role carries with it.

When is it currently mandatory to have a DPO?

The law tells us you NEED to appoint a DPO if you are a Controller (or a Processor) and any of the following apply:

  • you are a public authority or body (except for courts acting in their judicial capacity); or
  • your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This raises questions about what’s meant by ‘large-scale’ and what happens if you are found not to have appointed a DPO when you should have. The truth is many smaller businesses and not-for-profits don’t have to have one.

(When it comes to interpreting ‘large-scale’, the European Data Protection Board Guidelines on Data Protection Officers provide some examples.)

What are your current options if you don’t fall under mandatory requirements?

The ICO tells us all organisations need to have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. If you don’t fall under the mandatory requirement, you currently have a choice:

  • voluntarily appoint a DPO, or
  • have a team or individual responsible for overseeing data protection, in a proportionate way based on the size of your organisation and the nature of the personal data you handle.

What is the ‘position’ of the DPO?

If you appoint a DPO, UK/EU GDPR tells us they must:

  • report directly to the highest level of management
  • be given the independence and autonomy to perform their tasks
  • be given sufficient resources to be able to perform their tasks
  • be an expert in data protection
  • be involved, in a timely manner, in all issues relating to data protection.

In short, not just anybody can be your DPO.

They can be an internal or external appointment. In some cases a single DPO can be appointed to represent several organisations. They can perform other tasks, but there shouldn’t be a conflict of interests. (For example, a Head of Marketing also being the DPO might be an obvious conflict.)

A DPO must also be easily accessible, for individuals, employees and the ICO.  Their contact details should be published (e.g. in your privacy notice) and the ICO should be informed who they are.

What tasks should a DPO fulfil?

The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR.

  • Duty to inform and advise the organisation and its employees about their obligations under UK/EU GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations.
  • Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews & audits and raising awareness of data protection issues & concerns so they can be tackled effectively.
  • Duty to advise on, and to monitor data protection impact assessments (DPIAs).
  • Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO.

In short, you can’t appoint a DPO in name only.

It’s also worth noting, if you don’t follow the advice of your DPO you should document why you didn’t act on their recommended actions. Also, a DPO cannot be dismissed or penalised for performing his or her duties.

What changes are on the cards?

The mandatory requirement to appoint a DPO is going to be dropped, provided the UK Government’s plans survive the legislative process and the scrutiny this will entail.

The intention is to have a new requirement to appoint a ‘senior responsible individual’ for data protection. This could prove something of a relief and may provide clarity for small to medium-sized businesses. But the devil will be in the detail. Does this mean you won’t be able to have a ‘team’ of people responsible for data protection, which some organisations currently have if they don’t have a DPO?

The consultation response says, ‘most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the Privacy Management Programme.’

This role will include:

  • representing or delegating a representative to the ICO and data subjects
  • ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
  • providing tailored training to ensure staff understand the organisation’s policies
  • regularly auditing the efficacy of the Privacy Management Programme.

We’re told organisations which currently have a DPO will be able to continue to do so. The catch is in the words ‘as long as there’s appropriate oversight from the senior accountable individual’. This seems to suggest if you keep your DPO, you’ll need to have someone senior to them with overall responsibility for data protection.

If this is the case it could prove a headache for companies which fall within the scope of EU GDPR and need to retain a DPO. Or will they be the DPO for European purposes, and the senior responsible individual in the UK?

Who knows! The finer detail of the Data Reform Bill, when it’s published will hopefully give us the nuance we need here.

UK data reform plans revealed: a snapshot

June 2022

DCMS publishes response to data reform consultation

DPOs, Records of Processing Activities and DPIA requirements are all set to go under UK Data Reform plans, as the Government pushes ahead with its intention to require organisations to implement a Privacy Management Programme (PMP).

Plans also include changes to PECR (the UK’s Privacy and Electronic Communications Regulations) including permitting charities to use the soft opt-in and allowing analytics cookies without consent.

The Government has set out the detail of how it plans to reform the data protection landscape in its response to the Autumn consultation.

Key highlights

(This article is not intended to cover the wide-ranging detail of the plans. The full consultation response from the Government can be found here).

Accountability 

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs).
  • Organisations currently compliant with the UK GDPR will not need to significantly change their approach, unless they wish to ‘take advantage of the additional flexibility the new legislation will provide’.
  • Organisations will have to implement a PMP based on the ‘level’ of processing activities they’re engaged in and the volume and sensitivity of the personal data they handle.
  • The PMP requirement will be subject to the same sanctions as under the current regime.

Data Protection Officers

  • The requirement to designate a Data Protection Officer will be removed.
  • There will be a new requirement to appoint a senior individual responsible for data protection. It’s envisaged most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’

Data Protection Impact Assessments

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements’.
  • There will no longer be a requirement to undertake DPIAs as prescribed by UK GDPR.  However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
  • Organisations will be able, if they wish, to continue to use DPIAs but can tailor them based on the nature of their processing activities.
  • Existing DPIAs will remain a valid way of achieving the new requirement.

Record of Processing Activities

  • Personal data inventories will be needed as part of an organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.
  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

Reporting Data Breaches

  • No changes will be introduced to alter the threshold for reporting a data breach.
  • The Government will work with the ICO to explore the feasibility of clearer guidance for organisations.

Subject Access Requests

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
  • The Government does not intend to re-introduce a nominal fee for processing access requests.

Alongside changes to the current regime under UK GDPR, the Government plans include amendments to PECR. Key intended changes include:

Cookies

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs or other connected devices, as well as websites.
  • In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites’. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

Use of ‘soft opt-in’ extended

PECR fines to be increased

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover, bringing them in line with the maximum fines under UK GDPR. Currently the maximum fine under PECR is capped at £500,000.

Political campaigning

  • The Government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or making a donation) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

Human oversight of automated decision-making and profiling

  • The Government notes the vast majority of respondents to the consultation opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was confirmed this proposal will not be pursued.
  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’.  This will form part of an upcoming white paper on AI governance.

Legitimate Interests

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests reasons.
  • The Government proposes a new power to be able to update this list subject to parliamentary scrutiny.

Adequacy

A key concern is whether UK data reform risks adequacy. The European Commission has granted the UK adequacy, which allows for the free flow of personal data from the EEA to the UK without the need for additional safeguards. However, in granting adequacy the EC said it would keep the decision under review and could revoke it if any significant changes were made.

The Government does not believe its plans put this decision at risk. The consultation response says: “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

Response from the ICO

UK Commissioner John Edwards says he shares and supports the ambition of these reforms. In particular he says “I am pleased to see the government has taken our concerns about independence on board”. The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the Science and Technology Committee).

What next?

We now await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny.  So still some way to go before the intended changes come into play.

UK Data Reform – Quick Update

June 2022

A few nuggets gleaned...

UK data reform is on the way, but we don’t know the detail yet.  However a meeting of Parliament’s Science and Technology Committee this week, gave us a little insight.

Among others giving evidence were Julia Lopez, Minister of State for Media, Data and Digital Infrastructure and UK Information Commissioner, John Edwards.

Much was discussed in the two-and-a-half-hour session, but here are a few highlights…

When will we learn more?

Lopez said the response to the Government’s Autumn 2021 consultation paper will be linked to the legislation. It will be published before or at the same time as the Data Reform Bill. She wouldn’t be drawn on whether this would be before Parliament’s Summer Recess (from 22 July).

What shape will the UK data reform legislation take?

We were told the Bill is being designed to build on existing legislation. Lopez said the aim was to improve on legislation inherited from the EU (GDPR), not to start with a blank piece of paper.

It was said this is being done intentionally to make sure there isn’t an additional cost and burden of people having to look at a whole new set of requirements.

Lopez stressed there shouldn’t be any concern the Government is diluting data protection standards.  She said, “the aim is for the legislation to provide greater clarity for organisations about what you can and can’t do.”

Is the role of DPO being removed?

Reading between the lines it looks like this requirement is going. Lopez reiterated the aim was to move to an ‘outcomes approach’ rather than a ‘tick box exercise’.

She said, “you wouldn’t necessarily need to have a Data Protection Officer, but you would need to have a Privacy Management Programme within your business or organisation, where you need to have proper accountability, proper reporting.”

Lopez said it was a lot to ask of small businesses to appoint a DPO, and it would be a more reasonable approach to appoint someone responsible for data protection.

(This does make me wonder whether the message has got through that GDPR never introduced a mandatory requirement for ALL businesses to have a DPO. Smaller businesses would not currently need to appoint a DPO unless the nature of their business or the data they handle is particularly sensitive.)

Will there be a DSAR fee?

The Minister wouldn’t be drawn on the proposal to reintroduce a small fee for data subject access requests. She said a careful balance was needed between easing the burden on businesses without diluting people’s rights.

Does reform risk EU adequacy?

Lopez said, “we are confident it will maintain adequacy”. She said the team at DCMS were in regular contact with their European counterparts, to make sure there were no surprises.

On this point John Edwards also seemed relatively confident the reform would not risk the EU’s adequacy decision (which allows for the free flow of personal data from the EU to the UK without the requirement for additional safeguards).

He said, “viewed objectively there isn’t anything in the proposed reform, with a few tweaks, that can be demonstrably shown to not be essentially equivalent”.

However he did have a caveat…

“There are a few issues in the initial consultation proposal which I was concerned could risk adequacy. For example aspects of the proposal which could be seen as impinging on the Commissioner’s independence.”

Edwards said he agreed with his predecessor, Elizabeth Denham, that if those were carried through into legislation it could be taken by the European Commission as undermining a “fundamental aspect of the safe regulatory environment required to represent adequacy.”

He said there remained a couple of decisions the Government needed to take on this.

Separate to this, concerns are being raised by some that the Brexit Freedoms Bill and the Bill of Rights (replacing the Human Rights Act in the UK) also represent threats to UK adequacy.

Does automated decision-making need human review?

Edwards was asked about AI, automated decision-making and the right to human intervention. He said he would be concerned if the right to have human review of an automated decision was removed.

The DCMS is said to be looking closely at GDPR Article 22 and there’s a move to look at this ‘holistically’ and not just through the data protection lens.

Lopez stressed the importance of privacy, but also said, “we need to be mindful of the need to be economically competitive, to allow our scientists and innovators to have access to high quality datasets”.

“Whilst maintaining privacy and trust, we shouldn’t create fear in a way which undermines our businesses and scientists’ ability to innovate”.

That’s all for now folks. We’re on standby to check the detail of the consultation response and new Bill as and when it’s published.

Three Steps to Transparency Heaven

June 2022

A strategic approach to transparency

Transparency is enshrined in one of the key data protection principles: Principle (a): Lawfulness, fairness and transparency….

You must be clear, open and honest with people from the start about how you will use their personal data. 

There’s also a requirement to take a data protection by design and default approach. Doing this properly requires some planning and clear communication between teams about which data is used for what.

It’s obvious that most companies can pull together a privacy notice. However, as with many things to do with GDPR, creating engaging communications which deliver the correct information in a digestible format appears easier said than done.

Recent fines related to lack of transparency

In May we saw a €4.2m fine for Uber by the Italian Data Protection Authority (the Garante) for data protection violations. Amongst other things, the privacy notice was incorrect and incomplete, there were not enough details on the purposes of processing, and the data subjects’ rights had not been spelled out.

Earlier this year, Klarna Bank AB was fined by the Swedish Data Protection Authority (IMY) for lack of transparency. 

Be warned, the regulators are taking a look at these documents.

Step 1: Creating your Privacy Notice

Privacy notices have become rather formulaic since 2018 and my colleague Phil wrote a handy checklist of what must and should be included. Take note and have a look to see if you have ticked all the boxes. 

Step 2: Housekeeping your Privacy Notice

The privacy notice is a dynamic document. Keeping it up to date is important. 

  • New data processing activities: Make sure you’re made aware of new technology, new teams, new business processes which may all generate new data processing activities that need to be notified. 
  • Record of Processing Activities: Create a routine to keep your RoPA up to date and to ensure any changes are clearly flagged to the DP team.
  • Regulatory changes: Review any change in regulatory guidance. International data transfers are a perfect case in point where the guidance has changed. Changes may necessitate an update to your privacy notice.
  • Supplier due diligence: Review your supplier arrangements. Are they carrying out new data processing activities which need to be captured in the notice? Are new suppliers in place, and have they been audited/reviewed?
  • Marketing innovations: Ask your marketing team about their plans as digital marketing developments move at breakneck speed. The use of AI for targeting and segmentation, innovations in digital advertising as well as the evolution of social media platforms all present privacy challenges. In addition you may need to inform consumers of material changes. 

Step 3: Breathing life into your Privacy Notice

It’s a marketing challenge to get people to pay attention to the privacy notice.

  • Use different communication methods – not everyone likes reading long screeds of text. Look at creative communication methods such as infographics, videos, cartoons to get the message across. Channel 4 are an exemplar as are The Guardian.
  • Use plain English – whenever you write it down, make sure it’s couched in terms your target audience will understand. Various reports place the average reading age at 8, 9 or 11. Plain English, short sentences and easy to understand words should be deployed to get your message across.
  • Include information tailored to different target audiences: Companies will sometimes carry out data processing for clients, for consumers and for employees. Trying to cram all this information into one document makes it nigh on impossible for anyone to understand what’s going on. Separate it out and clearly signal what’s relevant to each group.
  • Use layers of communication – the ICO advocates a layered approach to communicating complicated messages. If you create a thread through your messages from clear top-level headlines with clear links to additional information, there’s a higher chance of achieving better levels of comprehension.
  • Keep it short and sweet – having read some of the documents produced by corporates, I am struck by how repetitive they can be. Not only do you lose the will to live, but comprehension levels are low and confusion levels are high. All of which is rather unhelpful.
  • Be upfront and transparent – do not obfuscate and confuse your audience. Although it can feel scary to tell individuals what is happening with their personal data, audiences appreciate the openness when processing is explained clearly. They need to know what’s in it for them. 

Overall, this is a major marketing challenge. Explaining how you use personal data is an important branding project which allows a company to reflect their values and their respect for their customers.

The marketing teams need to get close to their privacy colleagues and use their formidable communication skills to make these important data messages resonate and make sense.

Four years on from GDPR, now is a good time to take a look at your privacy notice to see if it needs a refresh.


Data Retention Guide

Data retention tools, tips and templates

We know we shouldn’t keep personal data longer than we need it, but this is easier said than done.

Our in-depth data retention guide takes you through the key steps and considerations.  Where to start? When we are legally required to keep data? How to judge necessity? And more.

It makes sense to get to grips with retention: keeping and using data has a cost. Storage limitation is a core data protection principle, and holding on to personal data longer than you should has its risks.

Whether you are starting out or reviewing your existing retention policy and schedules, we hope this guide will support your work.


The guide, first published in June 2020, was developed and written by data protection specialists from a broad range of organisations and sectors. A huge thank you to all those who made this guidance possible.

Suppliers – why your contracts and security are important

Processors and controllers are both accountable

Do you provide a service to clients and handle your client’s personal data? If you’re acting as a processor, a recent GDPR fine serves as a helpful reminder to be sure to have all your ducks in a row.

There’s a clear warning you shouldn’t just assume the contracts your clients ask you to sign are okay, nor can you just say you have robust security measures in place, you actually have to have them!

In this recent case a software publisher, acting as a processor for their clients, was fined €1.5 million by the French regulator (CNIL) following a data breach involving sensitive health data.

It was found data was exfiltrated by unauthorised parties from a poorly protected server. In a nutshell the key findings were:

  • Significant gaps in the processor’s security processes
  • Contractual documentation which failed to include mandatory obligations required under Article 28 of GDPR.

It’s worth noting the fine was based on both these counts. The ruling makes it clear processors should be wary of relying on their clients to make sure contractual terms are up to scratch. It’s the responsibility of both parties.

Here’s a quick recap on how suppliers can minimise their risks.

Getting the relationship clear

The most important first step is to establish the relationship between your company and another.

  • Are you handling a client’s data on their behalf, under their instruction, to provide a service to them?
  • Are you acting as controller, clearly determining how the personal data will be used for your own purpose(s)?
  • Are you both? i.e. acting as a controller in certain circumstances, but a processor for specific services you provide to clients.

Are we controller or are we processor?

What are the contractual requirements?

Once you’re clear you are a processor, acting under your client’s instructions, the law states your arrangements with clients must be covered by a binding agreement. EU and UK GDPR set out specific provisions which must be written into such contracts. In brief these are as follows:

1. Types of personal data & categories of data subject

The contract needs to specify what types of personal data you’ll be handling. It should also include details of whether this data relates to your client’s employees, patients, customers, and so forth.

2. Nature, purpose, duration of processing

The contract should describe the nature of the service(s) you provide, what purpose(s) this serves and the term of the contract. The agreement should cover instructions from your client of what you are permitted to do with their data.

3. The rights and duties of each party

The obligations of both parties should be clearly defined. For example, the client’s obligation to have a lawful basis for processing, its responsibility to fulfil individual privacy rights and your commitment as a supplier to not use your client’s data for any other purpose.

4. Technical and organisational measures

As a supplier you need to provide sufficient guarantees to implement proportionate technical and organisational measures to meet requirements of UK/EU GDPR.

5. Sub-processors

If you engage other companies (‘sub processors’) to support you in delivering your services, you’ll need specific or general written authorisation from your client(s). If you make any changes to which sub-processors you use (including software providers), you’ll need to tell your client and give them the opportunity to object. Contractual terms should stipulate that you are accountable for your sub-processors.

6. International transfers

If relevant, the agreement should include details and provisions for any transfers of personal data to a third country (for example, if you are based in the UK, a transfer to any other country). This would include details of any sub-processors based outside the UK. A transfer is often associated with the act of sending or transmitting personal data from one country to another, but it should be noted the definition also covers cases where personal data is made ‘available’, in other words can be accessed from a third country.

7. Duty of confidentiality

There must be a confidentiality clause, which commits you to ensuring any of your staff authorised to access the client’s data are committed to a duty of confidentiality or are under a statutory obligation of confidentiality.

8. Assisting your clients

The contract should cover your commitment to assisting your clients, where necessary, with handling individual privacy rights, handling data breaches and conducting data protection impact assessments.

9. Return or destruction of data

It should be clear what happens to the client’s data when the contract ends. Does the client want you to return the data or destroy it?

10. Audits and inspections

As a processor you must agree to make available all information necessary to demonstrate your compliance and agree to audits, including inspections by your client or their authorised auditor.

Processors have obligations

This recent CNIL fine shows you can’t just sign a contract, sit back and relax.

As a processor you’re responsible for your sub-processors, data transfers, staff training and confidentiality, assisting your clients when necessary and so forth. You have to be sure to implement the technical and organisational measures you said you would to protect your client’s data.

While some clients will ask you to jump through multiple hoops as part of their due diligence process, making you clearly demonstrate your security measures are robust, others may not be so picky. But that doesn’t release you from your responsibilities.

The law and this recent fine make it clear processors can be held liable. In the event of a breach, your contractual arrangements and internal practices could come under rigorous scrutiny.

Is your Privacy Notice complete?

April 2022

A GDPR fine reveals gaps in necessary privacy information

A core GDPR theme is transparency; being upfront and open about how people’s personal information is collected and used. People have a fundamental right to be informed and one of the key ways organisations can do this is with easily accessible privacy notices.

Four years ago, in the run up to GDPR enforcement, many businesses rushed to make sure their privacy notices met the enhanced and specific requirements.

  • When did you last review yours?
  • Have your business activities changed in recent years?
  • Are you sure you’ve got everything covered?

It can be easy to think nobody actually reads our privacy notices, but some do, and a regulator most definitely would. A recent 725,000 Euro fine for a lack of transparency shows how it can come back to haunt you if you’ve missed vital aspects out, or not been as clear as you could have been.

This is an area some major charities were found wanting before GDPR was even enforced. Back in 2017 the Information Commissioner’s Office (ICO) issued a series of fines and a key finding was the charities had failed to tell people about activities such as wealth-screening and appending telephone numbers.

The GDPR fine

Fast forward to 2022 and a recent fine against Klarna Bank AB, by the Swedish Data Protection Authority (IMY), reveals a failure to give customers necessary privacy information.

What necessary information did the bank not provide?

  • Purposes and lawful basis for processing
    It was found that, for one of the bank’s services, Klarna did not provide information on the purpose(s) for which it was processing personal data or the lawful basis/bases it was relying on.
  • Recipients data is shared with
    It was found that incomplete and misleading information was provided about the other companies with which it shared personal data.
  • International transfers
    Information was not given on which countries outside the EU/EEA personal data was transferred to. There was also no information about the safeguards which might apply to such transfers.
  • Individual rights
    Incomplete information was provided about people’s privacy rights, such as the right to erasure, data portability and the right to object.

In conclusion, it was found that Klarna had failed to fulfil the basic principle of transparency and people’s right to information.

Privacy notice checklist

As a reminder for us all, here are the key points which should be covered in privacy notices. This checklist is based on Article 13 of UK/EU GDPR and ICO guidance.

The 7 essential elements

  1. Name and contact details of your organisation
  2. Purposes of processing – explain each different purpose you use people’s personal information for.
  3. Lawful basis for processing – explain the lawful basis you rely on to collect and use people’s personal data.
  4. Data retention – tell people how long you envisage keeping personal data for, or at least the criteria used to decide retention periods.
  5. Privacy rights – tell people what their privacy rights are and how they can exercise them. These include the rights of access, erasure, objection, rectification, data portability and restriction.
  6. Right to withdraw consent – tell people they can withdraw their consent at any time, where this is the lawful basis you are relying on. It should be as easy to withdraw consent as it is to give it and you should tell people how they can withdraw their consent.
  7. Right to lodge a complaint – tell people they have the right to complain to a supervisory authority, for example the Information Commissioner’s Office in the UK.

7 more points to include, if relevant for your business

Where applicable you’re also required to provide the following details:

  1. DPO – Provide contact details of your Data Protection Officer (if you have appointed one)
  2. Data Protection Representative – If you are based outside the EU/UK, but you offer services to, or monitor the behaviour of, people based in the EU/UK, you should have a Data Protection Representative and provide contact details for them.
  3. Legitimate Interests – Explain which purposes you rely on legitimate interests for.
  4. Recipients, or categories of recipients – Provide details of who you’ll share people’s personal data with. This includes suppliers acting as processors, handling data on your behalf. ICO guidance states you can provide specific names, or at least the categories of organisation they fall within.
  5. International Transfers – Inform people if you transfer their personal data to any countries outside the UK (or, if based in the EU, outside the EU). Explain whether transfers are based on an adequacy decision. If not, provide a description of the other safeguards in place, such as Standard Contractual Clauses.
  6. Automated decision-making, including profiling – Tell people if you make solely automated decisions, including profiling that may have a legal or similar significant effect on individuals. Meaningful information should be provided about the logic involved, the significance and envisaged consequences.
  7. Statutory/contractual obligations – Let people know if you are required to collect their data by law or under contract, and the consequences should they not provide necessary information.

In addition to the above there are some other best practice points, such as indicating when the privacy notice was last updated and offering further assurances surrounding how personal data is protected.

Furthermore, if you collect details about people from another source, in other words not directly from them, you should make sure you tell them you are handling their personal data and provide the relevant privacy information.

This case serves as a reminder that we need to regularly review our privacy notices. Put very simply, the law says there should be no surprises about how we’re using people’s personal data.

Our privacy notice may be the least clicked link on our websites, but it’s not just regulators and people like me who read them. It’s not unusual for businesses, as part of their data protection due diligence when considering working with other companies, to take a peek at privacy notices to check they look relatively in order.