Your views on UK data regime reform proposals

September 2021

DPN Survey on the UK Government’s data regime reform consultation

We’d love to hear your views on the proposals for reforming the data regime in the UK post Brexit.

The consultation can be found here and we’ve published our 12 highlights. Proposals include changes to UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

The DPN will be responding to the consultation and will publish the results of this survey in due course. This survey will close on 21st October.

TAKE PART IN DATA REFORM SURVEY


UK data reform: Data Protection Officers

September 2021

One of the more surprising and thought-provoking proposals in the UK Government’s plans for data regime reform is removing the mandatory requirements surrounding appointing a DPO.

The idea is to replace the DPO with a requirement to designate a suitable individual (or individuals), who would be responsible for a privacy management programme and for overseeing data protection compliance.

Is this a good or risky move?

The consultation accepts there may be risks in removing the mandatory DPO requirement if this were seen to significantly weaken internal scrutiny. It points out that organisations undertaking high-risk processing may still choose to appoint someone to perform a similar role.

Who currently falls under the mandatory requirement?

At present, organisations need to appoint a DPO if they are a public authority or body, or if their core activities require large-scale, regular and systematic monitoring of individuals, or consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. These requirements apply to both controllers and processors.

Most small businesses not involved in high-risk processing have always been out of scope. However, some medium-sized organisations have been unsure whether they should appoint a DPO or not. The advice given in the past was ‘if in doubt, appoint a DPO’.

For more details please see our article ‘Data Protection Officers – should we appoint a DPO?’.

What key tasks must a DPO currently perform?

The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR. Let’s look at how these could be affected under the new proposal.

  1. Duty to inform and advise the organisation and its employees about their obligations under UK GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations. It’s questionable whether a ‘designated individual’, without an obligation to stay close to these laws and guidance, would remain as well informed about significant developments which may affect processing, and whether they would feel empowered to speak up when changes are needed.
  2. Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews and audits, and raising awareness of data protection issues and concerns so they can be tackled effectively. It appears the Government doesn’t want to formalise these responsibilities. Some feel this could lead to a reduction in awareness and understanding of data protection across businesses, and potentially a slipping back of data protection standards across the wider business.
  3. Duty to advise on data protection impact assessments (DPIAs). The proposals also include scrapping the mandatory requirement to conduct DPIAs. Risk assessments for data will continue to be important, but they would not need to be formalised in the way a DPIA is now. Instead, organisations would have greater flexibility in their approach to assessments.
  4. Reporting directly to the highest level of management. So who will the designated individual report to? Could they become siloed within a specialist function (such as IT or Marketing), shifting their focus? Current law and guidance highlight the potential conflict of interest between operating within a specialist function and the independence needed to perform the DPO’s tasks (Articles 38 and 39). Is there a risk the level of Board oversight of data protection matters could be diminished?
  5. Autonomy. Under the GDPR, a DPO must not receive any instructions regarding the exercise of their duties, so they currently need a high degree of autonomy. The GDPR also states a DPO cannot be dismissed or penalised for performing their duties. It looks likely this autonomy would reduce under these proposals.
  6. Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO. It seems logical the designated individual would continue to fulfil these roles, but would it be mandatory?

What do people think?

We’ve gathered the views of some key people on whether the DPO role should be scrapped or not:

“The role of the DPO is an essential part of ensuring compliance and the UK GDPR is clear that a DPO is only a mandatory requirement in certain circumstances, particularly where the processing of personal data involves large scale processing of sensitive data. To remove this requirement weakens accountability. It creates even more uncertainty than there is now. To suggest that the need for a DPO is a burden on SMEs is a red herring as most SMEs do not have to have a DPO.”
Robert Bond – Senior Counsel, Bristows Law Firm

“The proposals are not a massive change on the substance and practice of the DPO role. Changes might come to the employment protections the DPO currently enjoys, but in managing the privacy programme, many of the activities that the DPO completes in Art. 39 (Tasks of the DPO) will be broadly the same. Where things might differ is the requirements in Art. 37 (Designation of the DPO) and 38 (Position of the DPO), particularly when it comes to resources, instructions and independence. I am not convinced these were all implemented to the letter of the law already, but they might not be explicit requirements.

I think the biggest impact will be DPO as a service. But for the in-house DPO, they will take on the management of the privacy programme and the world will keep turning.”
Stephen McCartney – Data Protection Officer, Simply Business

“We welcome the consultation to ensure legislation surrounding data protection continues to be appropriate. An area being considered is no longer requiring a mandatory Data Protection Officer to be in role. For us having a dedicated individual at a suitable level helps with overall ownership and accountability. Although we are not at the size to have a dedicated DPO in place, having someone who as part of their role can lead the development and oversight is important and I worry there could be a lack of consistency applied across firms with how they apply the ‘suitable individual’ and would they be at the required seniority in the business or have the ability to influence required changes to systems and controls.”
David Mollison – Chief Risk Officer, Monmouthshire Building Society

“I’m highly sceptical about the government’s proposals. Simplification is a laudable ambition, but removing the mandatory requirement to appoint a DPO risks removing the clear accountability that the role is intended to provide – and which is an essential foundation for data protection. The government says some organisations, particularly smaller ones, “may struggle to appoint an individual with the requisite skills who is sufficiently independent.” It’s unclear how the proposal to designate “a suitable individual” helps solve this problem and avoids weakening internal scrutiny, which the government itself highlights as a risk.”
Martin Turner, Managing Director, Full Frame Technology

Thanks to the contributors above. It’s going to be fascinating to see how the proposals progress – especially with Nadine Dorries now at the helm of the DCMS and John Edwards all set to become the new Information Commissioner.

It all makes me think of another quote – ‘May you live in interesting times!’.

UK data regime change consultation: 12 highlights

September 2021

The Government’s consultation on UK data protection reform contains a number of sensible proposals to ease the burden on business. There are also a few surprises likely to raise eyebrows in Brussels. The headlines are:

  • The UK is not about to become the ‘Wild West’ for data, as some may have feared
  • Changes to both UK GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR) look likely
  • A probable relaxation of several areas of UK GDPR, with a focus on outcomes rather than prescribed processes
  • Plans to increase fines under PECR to match those under GDPR, a clear warning to those flagrantly disregarding marketing rules
  • The consultation is a ‘direction of travel’ – nothing’s carved in stone. It’s business as usual for now

The Government’s overall aim is to drive economic growth and innovation and strengthen public trust in use of data.

The way they want to achieve this is to alleviate some of the more prescriptive GDPR obligations on business, whilst retaining a robust data protection regime built largely on existing laws.

This approach is in keeping with the UK’s common law tradition, shared with Australia, New Zealand, Jamaica, Pakistan and Singapore (to name a few), as opposed to the civil law systems used across most of Europe. Proponents view common law as more flexible, and argue it is why legal proceedings tend to move more quickly in UK courts than in those of the EU.

It’s clear the UK Government hopes any changes will be compatible with EU equivalency, enabling the UK to retain adequacy.

Data regime proposals 12 highlights

1. Accountability & Privacy Management Programmes (PMPs)

Changes to the accountability framework are proposed, with businesses expected to have a Privacy Management Programme in place. This approach to accountability is long-established in countries such as Australia, Canada and Singapore.

It’s argued this would allow organisations to implement a risk-based privacy programme based on the volume and sensitivity of personal data they handle, and the types of activities they’re involved in.

By doing this, the proposal seeks to do away with some of the accountability obligations under the current UK GDPR, which may be considered to be more burdensome.

Organisations will still need to know where their data is and what it’s used for, apply lawful bases, implement robust security measures, manage suppliers, assess privacy risks and fulfil privacy rights. But there could be more flexibility and control over how you achieve this.

This doesn’t mean ripping up all the hard work you’ve done to comply with GDPR.

When the dust has settled, many organisations may choose to stick with the tried and tested framework they’ve already established. Others may jump on the opportunity to adapt their approach.

And let’s not forget, UK businesses operating in Europe will still be governed by EU GDPR.

2. No mandatory Data Protection Officers

The consultation proposes removing the mandatory requirement to appoint a DPO.

Under GDPR, a DPO must be appointed by public authorities – and in the commercial sector – if organisations meet specific criteria. It also sets out requirements and responsibilities for the role.

It’s proposed the requirement for a DPO is replaced with a requirement to designate a suitable individual (or individuals) responsible for overseeing compliance. However, the new law wouldn’t lay down specific requirements & obligations for this role.

3. No mandatory requirement for Data Protection Impact Assessments 

Currently, GDPR makes a DPIA mandatory for processing likely to result in a high risk to individuals. It also sets out core elements such an assessment must include.

Furthermore, it requires supervisory authorities to establish a list of processing operations which definitely require a DPIA. This led authorities, including the UK’s ICO, to publish lists of where DPIAs would be considered mandatory, alongside best-practice guidance.

The Government is proposing removing this mandatory requirement, although this won’t mean throwing out screening questionnaires and DPIA templates, which are often very useful.

The onus would be on organisations to take a proportionate and risk-based decision on when they consider it appropriate to carry out impact assessments and how they go about this.

4. More flexible record keeping

Completing and maintaining up-to-date records, known as Records of Processing Activities (RoPA) has been one of the more onerous aspects of GDPR.

Again, current law and guidance are prescriptive about record-keeping requirements. Organisations with fewer than 250 employees are exempt, but only where their processing is occasional, is unlikely to result in a risk to individuals and doesn’t include special category or criminal offence data – so in practice many smaller organisations still need to keep records.

It’s proposed a more flexible model for record keeping is introduced.

Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored and who it’s shared with is a sensible and valuable asset for any organisation. Many feel such records are vital to effective data risk management.

So again, you don’t need to rip up your current RoPA, but you may soon be allowed to adapt your record keeping to suit your business and perhaps make your records easier to maintain.

5. Data breach notification threshold changes

It’s clear GDPR has led to data protection authorities being inundated with data breach reports. The ICO, for one, has highlighted a substantial amount of over-reporting.

This isn’t surprising when organisations are legally obliged to report a personal data breach unless it is unlikely to result in a ‘risk’ to individuals.

It’s proposed organisations would only need to report a personal data breach where the risk to the individual is ‘material’. The ICO would be encouraged to produce clear guidance and examples of what would be ‘non-material’ risk, and what would or would not be considered a reportable breach.

6. Data Subject Access Requests changes

The stated purpose of a subject access request is to give individuals access to a copy of their personal data so they can ‘be aware and verify the lawfulness of processing’ (although many organisations might question if this is why some submit requests).

The consultation recognises the burden responding to DSARs places on organisations, especially smaller businesses which often lack the resources to handle them.

The possibility of charging a nominal fee could be reintroduced. It’s also proposed the threshold for judging when a request may be vexatious / manifestly unfounded is amended.

7. Cookies

Headlines surrounding UK data reform usually focus on ending the barrage of cookie pop-ups. The consultation proposes two main options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).

or

  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

The Government says it is keen to hear feedback on the most appropriate approach.

8. Legitimate Interests

There’s a proposal to create an exhaustive list of legitimate interests which organisations could rely on without needing to conduct the balancing test, i.e. no Legitimate Interest Assessment (LIA) required.

The following are some of the examples given:

  • ensuring bias monitoring, detection and correction in AI systems
  • statutory public communications and public health & safety messages by non-public bodies
  • network security
  • internal research and development projects

Where an activity isn’t on the list, we assume assessments using the current three-part test (purpose, necessity and balancing) would still be needed.

9. Extended use of the ‘soft opt-in’

PECR currently permits email and SMS marketing messages only where consent has been given, or to existing customers when the soft opt-in requirements are met.

This exemption to consent for existing customers is only currently available to commercial organisations. It’s proposed this could be extended to other organisations such as political parties and charities.

This could be great news for charities, but could it lead to a deluge of unwanted messages from political parties?

10. Research purposes

The Government wants to simplify the use of personal data for research, with a specific focus on scientific research.

Considerations include establishing new lawful grounds for research (subject to ‘suitable safeguards’) and incorporating a clear definition of ‘scientific research’.

11. Artificial intelligence

It’s proposed certain automated decision-making should be permitted without human oversight.

GDPR prohibits solely automated decisions with legal or similarly significant effects unless necessary for a contract with the individual, authorised by law or based on explicit consent. The consultation suggests Article 22 could be scrapped.

The aim is to ‘deliver more agile, effective and efficient public services and further strengthen the UK’s position as a science and technology superpower’.

It’s hoped this can be achieved by developing a safe regulatory space for responsible AI development, testing and training which allows greater freedom to experiment.

In the consultation press release, an AI partnership between Moorfields Eye Hospital and the University College London Institute of Ophthalmology is highlighted. Researchers have trained machine-learning technology to identify signs of eye disease, which is reported to be more successful than relying on clinicians alone.

This is cited as a clear example of the type of data use which should be encouraged, not hindered by law.

12. Reform of the ICO

The Government wants to assert greater control over the UK’s data protection regulator, the Information Commissioner’s Office.

They propose a new statutory framework setting out the ICO’s strategic objectives and duties, together with a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.

This would bring the ICO into line with other UK regulators such as Ofcom, Ofwat and Ofgem.

The proposals also include introducing a new overarching objective for the ICO, in addition to its other functions, tasks and duties with two key elements:

  • Upholding data rights and safeguarding personal data from misuse
  • Encouraging trustworthy and responsible data use, to uphold the public’s trust and confidence in the use of personal data

Summary

Yes, a shake-up of UK data laws and enforcement is on the horizon, but the final outcome remains unknown, and a healthy debate will surely follow.

The consultation closes on 19th November 2021, and there will undoubtedly be some time before any changes become law.

For the time being it’s business as usual, but this document gives us a clear idea of what the future might look like.

Meanwhile, the EU will be keeping a very close eye on developments, and it’s possible the UK could be deemed to be going a step too far – it’s easy to see the EC adequacy decisions being held over the UK Government like the Sword of Damocles.

The UK Government’s objective is to give organisations more control and flexibility around data protection management within a less burdensome regime, which supports the data economy and drives innovation.

In some ways, it could even be seen as a move towards giving organisations who don’t take data protection seriously more rope to hang themselves with.

The full consultation document is worth a read and can be found HERE.

Simon Blanchard, Phil Donn & Julia Porter – September 2021

Artificial Intelligence – helping businesses address the privacy risks

August 2021

The use of artificial intelligence (AI) is increasing at great pace, driving valuable new benefits across all areas of business and society. We see its applications expanding across many areas of our daily lives, from social media through to self-driving and self-parking cars and medical applications.

However, as with any new technology, there can be challenges too. How can we be sure we are protecting people from risk and potential harm when processing their personal data within AI systems?

Like with any other use of personal data, businesses need to ensure they comply with core data protection principles when designing, developing or productionising AI systems which use personal data.

You may recall in April 2021, the European Commission published its proposal for new regulation, harmonising the rules governing artificial intelligence.

The regulation of AI is a tricky balancing act. On the one hand there’s the desire not to hinder research and development from adopting new technologies to bring increasing societal benefits – but those exciting opportunities must be balanced against the need to protect individuals against any inherent risks.

So how can we strike the right balance?

AI privacy ‘toolkit’

The ICO have published an improved ‘beta’ version of their AI toolkit, which aims to help organisations using AI to better understand & assess data protection risks.

It’s targeted at two main audiences; those with a compliance focus such as DPOs, general counsel, risk managers and senior management; alongside technology specialists such as AI/ML developers, data scientists, software developers & engineers and cybersecurity & IT risk managers.

So what is the toolkit?

It’s an Excel spreadsheet which maps key stages of the AI lifecycle against the data protection principles, highlighting relevant risks and giving practical steps you can take to assess, manage and mitigate risks.

It also provides suggestions on technical and organisational measures which could be adopted to tackle any risks. The toolkit focuses on four key stages of the AI lifecycle:

  • Business requirements and design
  • Data acquisition and preparation
  • Training and testing
  • Deployment and monitoring

The ICO have quite rightly recognised that the development of AI systems is not always a linear journey from A to B to C. One stage does not necessarily flow straight into another.

Therefore it will often be best to take a holistic approach and recognise you won’t have all the information available for assessment at ‘product definition’ stage. The engagement for a DPO (or other privacy champion) will need to stretch across all stages of the AI lifecycle.

What kinds of risk are highlighted?

Quite a few actually, including:

  • Failure to adequately handle the rights of individuals
  • Failure to choose an appropriate lawful basis for the different stages of development
  • Issues with training data which could lead to negative impacts on individuals – such as discrimination, financial loss or other significant economic or social disadvantages
  • Lack of transparency regarding the processes, services and decisions made using AI
  • Unauthorised / unlawful processing, accidental loss, destruction or damage to personal data
  • Excessive collection or use of personal data
  • Lack of accountability or governance over the use of AI and the outcomes it gives

AI has become a real focus area for the ICO of late. The toolkit follows on the heels of their Guidance on AI and Data Protection and their co-badged guidance with The Alan Turing Institute on Explaining Decisions Made With AI. This is all connected with their commitment to enable good data protection practice in AI.

Want to join the consultation?

The ICO are currently looking for organisations using their guidance, to better understand how it works in practice and make sure the Regulator keeps pace with emerging developments and that guidance and toolkits are genuinely useful to businesses. You can give your feedback to the ICO here.

In summary

The use of AI is exciting and presents many opportunities and potential benefits, but it‘s clearly not without its risks. There’s more and more guidance emerging to help organisations begin to adopt or continue to expand their use of AI. The clear message from the Regulator is this activity must be handled carefully and data protection must be considered from the outset.

The ICO is keen to work with businesses to make sure its guidance is useful for organisations, so it can continue to support the increasing use of AI.


Is this all going in the right direction? We’d be delighted to hear your thoughts. Alternatively if you’d like data protection advice when designing and developing with AI, we can help. CONTACT US.


Will the new Information Commissioner be able to fend off the critics?

July 2021

Another Commonwealth candidate – this time from New Zealand – has emerged as favourite to replace Elizabeth Denham when her tenure at the helm of the ICO ends this Autumn.

This marks a trend for Anglosphere figures winning top public appointments in the UK, including former Governor of the Bank of England, Mark Carney. Carney, like Denham, is Canadian.

John Edwards, currently New Zealand’s Privacy Commissioner has reportedly been recommended to replace Denham, subject to approval from the Prime Minister. Edwards has so far declined to comment on his potential appointment.

Already dubbed as ‘Facebook-hating’ by ‘The Times’, Edwards has been a vocal critic of social media companies. He gave Facebook a fierce dressing-down after the Christchurch mosque massacre in 2019, which was livestreamed on the platform.

News that Edwards is tipped to be the next Commissioner seems to have been released following harsh criticism of Number 10’s handling of the appointment.

The Digital, Culture, Media and Sport (DCMS) Committee was meant to start hearings to appoint a new Commissioner on 8th July, but the hearings were postponed twice.

Just last week, the DCMS Committee chairman, Julian Knight commented; “We understand that despite processes running well, delays centre on Number 10. This mishandling calls into question decision-making at the top of Government.”

Denham’s replacement needs to be in place and ready to start work in November, so the clock’s ticking.

Data Sheriff, or Data Stooge?

The appointment process has been criticised from the start. The original job description, posted in February, didn’t even mention candidates should have experience in regulating data protection.

The advert also indicated the new Commissioner would need to play a ‘key role’ in supporting the rollout of the Government’s controversial National Data Strategy.

This led to fears the Government was seeking a malleable stooge rather than an honest broker. I think it’s fair to say these fears would appear to be unfounded if John Edwards is appointed.

Still, is it possible the bumpy appointment process damaged perceptions of the role? Is this why the Government has looked further afield yet again? Is there no senior talent in the UK who wants to take the job on?

ICO under fire

Regulators in any field occasionally find themselves in the position of upsetting everybody, especially in a high-value, high-impact area of business like data.

Denham has not been without her critics. The ICO stands accused of lacking teeth when it comes to dealing with data behemoths like Facebook and Google.

A quick glance at LinkedIn reveals no shortage of criticism by professionals, some suggesting the ICO like other bodies (yes, we’re looking at you, HMRC) tend to go after ‘low-hanging fruit’. Are they more comfortable issuing fines for breaches of the marketing rules, than GDPR?

Conversely, the ICO also faces criticism it has failed to deliver on its bread-and-butter work. Should the regulator only focus on the big picture, or should they focus in on data protection compliance at company level?

It’s a difficult balance to get right.

Part of the problem may be the reactive nature of the ICO; it only appears to investigate when there’s a breach or a significant complaint. Should this change?

Earlier this year the ICO announced it was resuming its ad tech investigations (paused during the pandemic). Work is said to include ‘a series of audits focusing on data management platforms’. Does this represent a more proactive stance or not? We await the outcome.

Other DPAs in the EU would certainly appear to take a more proactive approach, for example back in 2019 the Dutch DPA carried out an audit of approximately 175 websites in various sectors to check their compliance with the requirements for tracking cookies.

Meanwhile, the ICO has been credited with publishing a new Children’s Code, which comes into force in September. But how will this be enforced?

After all the hype of GDPR, businesses may have settled back into feeling no one will ever come after them.

To be fair to the ICO, the task was huge, even before the impact of a global pandemic. It’s common knowledge the backlog caseworkers face is substantial.

There are also claims the ICO is underfunded and under-resourced. However, a Deloitte report on Data Protection Authorities in 2019 showed the UK Regulator to be better funded than its EU counterparts.

It’s likely to also be significant that of the ICO’s 680 or so staff, only a tiny fraction are in the investigations team.

The challenge ahead for the next Commissioner

Data protection divergence?

Along with walking the tightrope of balancing resources, tackling the big issues whilst not ignoring the bread-and-butter work, the new Commissioner will have to tiptoe through the minefield that is Brexit and alignment with the EU.

We’ve already heard more than murmurings about a desire, in some areas of Government, to ditch GDPR and create a more innovation-friendly data protection environment. Cut the EU red tape!

My money is on the Government trying to loosen GDPR’s regulatory grip on some areas of technology deemed high-value and high-profit as we start leaving the EU’s orbit.

With all this in mind, how influential will the new Commissioner be?

Covid Passports and NHS App

The pandemic has led to a huge surge in the collection and use of health data, another sensitive conundrum for legislators to tackle.

The current Commissioner has warned the Government in an interview with the Telegraph that the ICO will be alert to any mission creep with the NHS covid app.

She said: “We will be watching the evolution of the app very carefully. My modus operandi has always been how can we help government get this right and build in privacy to these innovations. At the end of the day, if there is a contravention of the law with the app or overreach in its use then we will take action.”

She stressed the ICO will focus on how it is to be used next, and how it will be decommissioned when no longer necessary.

The ICO is currently advising the Government on the domestic use of vaccine passports. Denham is clear ministers must make sure any measures, for example using passports for nightclub-goers, are time-limited and not allowed to evolve into a more permanent post-pandemic regime.

Will the new Commissioner take a similar view, given the New Zealand government’s zero-Covid strategy?

If Mr. Edwards does take the job, we wish him the best of luck. He’ll need it, too, with a serious in-tray of problems to solve.

Data protection team over-stretched? Ease the strain with our no-nonsense advice and support via our flexible Privacy Manager Service. Find out how our experienced team can help you. CONTACT US.

Are we controller, or are we processor?

July 2021

(…and I’m on my knees looking for the answer, are we Controller, or are we Processor?)

In the past 5 years since the final text of GDPR was published, deciding whether you are acting as a controller or a processor has been a contentious area for some businesses.

On paper the definitions may seem straightforward, but as ever the devil’s in the detail and interpretation.

I was interested to see a recent ICO enforcement notice which concluded a marketing company was acting as controller, despite classifying itself as a processor.

This case was pretty clear-cut; the company clearly used personal data it received from other companies for its own purposes and financial gain.

But the distinction can be more nuanced.

Many a debate (and disagreement) has been had between DPOs, lawyers and other privacy professionals when trying to classify the relationship between different parties.

It’s not unusual for it to be automatically assumed all suppliers providing a service are processors, but this isn’t necessarily the case. Sometimes joint controllership, or distinct controllers, is more appropriate.

More often than not, organisations act as both, being a controller for some processing tasks and a processor for others. Few companies will solely be a processor; most will be a controller for at least their own employee data, and often for their own marketing activities too.

So what does the law say a controller and processor are, and how should we interpret this?

The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

There are some key questions which will help organisations to reach a conclusion, such as:

  • Are we responsible for deciding the purposes for which personal data are processed?
  • Are we responsible for deciding how and what data is collected?
  • Do we decide the lawful basis for the processing tasks we carry out?
  • Do we make sure people are informed about the processing of their data?
  • Do we handle individual privacy rights, such as data subject access requests?
  • Is it us who’ll notify the Regulator / affected individuals in the event of a significant data breach?

And so on…

If you’re answering ‘yes’, you’re a controller. And the ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.

Why it’s important to get this right

Controllers have a higher level of accountability to comply with all data protection principles, and are also responsible for the compliance of their processors.

If you are a processor, you must only handle data on behalf of another organisation and under their instructions.

This means if you’re doing anything else with this data, for your own purposes, you can’t be a processor for those purposes. You must be the controller – at least for those purposes which were not instructed to you by another party.

Let’s be clear though, this doesn’t mean a processor can’t make some technical decisions about how personal data is processed.

Data protection law does not prevent processors providing added value services for their clients. But as a processor you must always process data in accordance with the controller’s instructions.

Processors also have a number of direct obligations under UK GDPR – such as the technical and organisational measures they use to protect personal data. A processor is responsible for ensuring the compliance of any sub-processors it may use to fulfil its services to a controller.

If the relationship is controller to processor, you must make sure you have a suitable agreement in place which covers key data protection requirements.

Often overlooked is the need to have clear documented instructions from the controller. These instructions are often provided as an Annex to the main contract, so they can be updated if the processing changes.

What’s clear from the recent ICO ruling is even if your contract says you are a processor, if you are in fact in control of the processing, this will be overturned.

In this case, the marketing company has been given three months to mend their ways. Actions required include notifying individuals that the company is processing their data, ceasing to process personal data where this is not possible and making sure robust evidence of consent is retained.

The ICO doesn’t let us mark our own homework; it’s interested in what we do as opposed to what we say we do!

In July 2021 the European Data Protection Board published its adopted guidelines on the concepts of controller and processor.


Adequacy and the new SCCs – what does it all mean?

Great news for businesses! The European Commission has finally adopted adequacy decisions for data transfers. Alongside this, the long-awaited new EU Standard Contractual Clauses have been published. What does this all mean?

The European Commission has adopted two adequacy decisions concerning transfers of personal data between the UK and EU, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).

These agreements confirm the UK as having ‘adequate’ data protection for the transfer of personal data from the EU – thereby paving the way for lawful transfers between the EU and UK.

This is really helpful for UK businesses which rely on service providers or partners based in the EU – who would otherwise have needed to rely on other transfer mechanisms, such as Standard Contractual Clauses, to ensure data transfers to the UK are lawful.

Just in time too!

The news emerged on 28 June 2021 – only two days before expiration of the six month post-Brexit transition period under the UK-EU Trade and Cooperation Agreement.

There’s a caveat. These agreements are dependent on the UK’s legislative and regulatory environment for data. If the UK decides to go its own way with data protection laws, for example by diverging from the GDPR, the EU could potentially withdraw adequacy.

Positive reactions

Unsurprisingly, reaction to this news has been overwhelmingly positive.

The ICO:

“This is a positive result for UK businesses and organisations. Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices. Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently. The result is also a testament to the strength of the UK’s data protection regime.”

The UK Direct Marketing Association:

“A positive decision on data adequacy is a huge relief for thousands of businesses across the UK – over half of businesses surveyed by the DMA just before Brexit stated this was important for the future of their business. The government estimated that without adequacy the UK economy could lose up to £85 billion, so this announcement is a significant boost after a challenging year.”

Where do we stand for data transfers outside of the UK & EU?

Whilst the European Commission’s decision is indeed a terrific boost, UK businesses will still need to ensure their transfers to/from other areas outside the EU are lawful.

For many businesses, this will mean a continued reliance on SCCs in contracts with trading partners outside UK and the EU.

The European Commission has also recently published its final Implementing Decision adopting new Standard Contractual Clauses. They’ve been updated to:

  • align with the GDPR,
  • allow for more flexibility, depending on whether parties are processors or controllers,
  • address requirements following the Schrems II ruling of July 2020.

New SCCs are ready to use!

Organisations can start to use the new SCCs from 27 June 2021. The Commission has allowed for a transition period: exporters and importers can continue signing the existing SCCs for a further 3 months, until 27 September 2021; after that date no new contracts can be signed using the existing SCCs.

Exporters and importers will then have until 27 December 2022 to replace contracts which use the current SCCs with the new SCCs. That’s unless the underlying processing operations change, in which case the new SCCs should be used from that point on.

What is different about these new SCCs?

There are several key differences you may wish to note.

1. Modular approach: Specific sets of clauses can be used for different types of transfers:

  • controller-to-controller,
  • controller-to-processor,
  • processor-to-processor,
  • processor-to-controller.

There is an option for more than two parties to join and use the clauses through the docking clause.

2. Identification of a competent supervisory authority: The new SCCs specify that the supervisory authority of the data exporter will be the competent supervisory authority. If the data exporter is not established in an EU member state, but falls within the scope of GDPR, the supervisory authority should be identified as follows:

  • if the exporter has an EU representative, the supervisory authority will be the one where the representative is established.
  • if the data exporter does not require an EU representative, the supervisory authority will be the one of the Member States in which the data subjects whose personal data is transferred are located.

By entering into a contract bearing the new SCCs, the data importer agrees to accept the authority of that supervisory authority, respond to its enquiries, comply with the measures it adopts and submit to its audit regime.

3. Requirement to assess local laws: With a nod to the Schrems II ruling of July 2020, the new SCCs contain a warranty stating both parties have carried out an assessment of the local laws in the jurisdiction the personal data will be transferred to, and they have no reason to believe those laws would prevent the importer from complying with its obligations under the clauses.

Additional guidance has been provided in Clause 18 (d) (12) around factors to take into account when giving this warranty. The parties will be required to document the assessment and make it available to a data protection supervisory authority on request.

4. Security measures: The new SCCs require that the technical and organisational measures (TOMs) adopted to safeguard the personal data transfers are described in specific terms in Annex II, clearly indicating which measures apply to each transfer.

5. No separate contractual measures are required: Contracting using the new SCCs will neatly avoid any requirement for controllers to impose separate contractual measures on a processor in order to comply with their obligations under Article 28 of GDPR.

6. Access by public authorities: Provisions are included which data importers will have to comply with if they receive a binding request from a public authority for disclosure of personal data transferred under new SCCs.

Don’t forget our Supplier Management Checklist

The DPN has published a 6-point supplier management checklist. This is designed to help controllers to manage their suppliers – wherever in the world they are based. We hope you find it useful. You may also wish to view the recording of our recent webinar ‘How to avoid privacy errors with your suppliers’.

In summary…

At last we have some much-needed clarity on international transfers. But if your business needs to rely on SCCs, there could well be quite a bit of work to be done to bring your supplier contracts into line by December 2022.

For your reference, here are the links to the European Commission’s two adequacy decisions:


Data Protection Impact Assessments: 10 Tips

June 2021

It’s sometimes difficult not to view Data Protection Impact Assessments as an onerous box-ticking exercise. If this is the mindset in your business, is it time to shout about what a valuable tool they are and get your process on track?

If DPIAs are solely seen through the prism of compliance, they’ll be seen as a burden. They may be attempted half-heartedly or left inadequately completed.

While DPIAs sit at the heart of the principle of data protection by design, it can be best to see them as a handy warning system to protect the entire business, and those whose data it processes, from unnecessary risk: a way of identifying risks in advance, before they become a much bigger problem.

10 tips for getting your DPIA process on track

1. Create a DPIA Screening Questionnaire

Put together a quick set of questions for business owners and/or project leads to use, which help to identify if a DPIA is required or not for their particular project or activity.

This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they really aren’t necessary.

2. Identify types of projects likely to need a DPIA

In some situations a DPIA is mandatory, in others it may be a ‘good to have’. So, it’s good to set out some clear guidelines which explain your organisation’s position on this. When do YOU consider it appropriate to carry out a DPIA?

For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third party ad tech providers? Does it involve children or special category data? Are you transferring data outside the UK/EEA? And so on.

3. Don’t forget your marketing related activities

It can be easy to forget that marketing related activities could require or benefit from a DPIA.

In its draft Direct Marketing Code of Practice, the ICO says any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing. The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes.

In its Ad Tech investigations, the ICO also highlighted the need for DPIAs, which it said were rarely conducted but should be.

4. Design an easy-to-use DPIA process

You’re unlikely to reap the benefits if you have an unwieldy DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical, usable DPIA template which isn’t too complicated for people to follow.

The ICO has published a DPIA template, but I’d recommend adapting this to suit your business. You may also choose to have a simplified version for less complex projects.

Does your process help your teams to identify and assess any privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.

5. DPIA training

Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walk them through the process, what sort of risks to look out for, and so on.

The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO, in its DPIA guidance, calls out the need to provide specialist training.

6. Awareness

If people don’t know what DPIAs are, they’ll be blissfully unaware, doing great innovative things and not considering the potential data protection issues. This may come back to bite you just before a project launches… or worse, afterwards if you receive a privacy complaint!

Once all your ducks are in a row; when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.

7. Start early

In particular, talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them, avoiding nasty surprises later on.

8. Collaborate

A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays.

Engage business and project management stakeholders at an early stage, so you can scope out the processing and start to identify any potential privacy risks, and consider mitigating measures.

9. Keep revisiting your DPIA

Throughout the different stages of a project keep an ongoing dialogue with stakeholders, especially with Agile projects which may expand over time. Check if new ideas, new developments have an impact.

10. Review

Once a DPIA is completed, don’t just set it to one side and forget about it. Set review dates, where you can check if things have changed.

For instance, you may have developed a new app, and six months later you want to improve the functionality, add new features – does this impact on privacy?

Also keep your screening questionnaire, template and guidelines under review; there will always be enhancements you can make to make them even more effective. Why not ask teams for feedback on how they can be improved?

In summary, DPIAs can feel a bit daunting, but the more familiar people are with the process, the things they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.

And don’t forget DPIAs, as well as acting as a warning system, also support your business in meeting UK GDPR’s accountability requirements. They give you evidence you take data protection seriously and have documentation to prove it.
