Data Protection Officers – what does it take to do the job?

January 2022

The unique blend of traits and skills which make for a great DPO

What is it that makes a DPO effective and successful? Whether you’re recruiting or someone interested in the role, here are a few thoughts for you to chew over. I’m focussing here more on character traits, rather than the specialist knowledge & skills required for the job.

Be a good leader – not just a manager

A DPO should be a self-starter, with the energy and motivation to lead and inspire others. They need the leadership skills to set the direction of travel for data protection across the organisation, laying out clear priorities and bringing others with them on the journey.

In the words of Mark Starmer (‘Will the real leader please stand up?’), leadership is all about being able to influence. This means building effective relationships with everyone from senior management to clients, customers and so on. All this helps the DPO with their quest to embed data protection principles and processes across the organisation.

If they have direct reports, they’ll need to be someone who can lead and inspire their team. This includes recognising people’s individual strengths and weaknesses, their progress and achievements, and finding appropriate and perhaps innovative ways to recognise and reward each individual.

Thirst for knowledge

Not only does a DPO need to have an excellent grasp of the relevant laws, and ideally qualifications to evidence this, but they also need to be someone who is always on a quest to learn more. Someone who is happy to spend their spare time reading new guidance, privacy articles and opinions, case law and so on. Someone with a genuine interest in the data landscape and emerging trends.

Autonomy and independence

A DPO must also be able to act autonomously, independently and objectively, as the role requires. Not only looking at what the law requires, but also considering ethical and moral issues, to work out what is the right thing to do. Acting with genuine honesty and integrity.

Robert Bond, Senior Legal Counsel at Bristows:

“Data Protection Officers must be adept and be able to adapt and adopt as circumstances require. Above all they need to implement compliance & ethics with impartiality.”

A great communicator and diplomat

Strong communication skills are vital. Taking the time to actively listen, interpret and understand others.

A DPO is likely to work with a range of staff across the organisation, plus clients and suppliers. Often working across national borders too. This requires cultural awareness and sensitivity. They need to be able to change their approach, depending on who they are talking to.

As Fedelma Good, Director at PwC UK explains:

‘DPOs need to be great communicators and above all they need to be multi-lingual. They need to be able to communicate across a broad range of stakeholders, ranging from board members to web designers and quite often they need to act as the translator to ensure that technical, legal and business specialists really do all understand each other.’

Sympathetic but strong

A good DPO will be both understanding and assertive. There’ll be times when people are tricky to handle, be it disgruntled customers or even perhaps a member of the senior management team!

The role doesn’t exist to preserve the status quo. They may need to push back against established practices (‘we’ve always done it that way’) and challenge people to think differently and find creative solutions. This takes sheer persistence and the drive to make a difference.

Confidence

A DPO should be a confident individual who is up for some straight-talking when needed. They must be ready to stand their ground. But they also need the confidence to show humility and say when they don’t know the answer. The laws are detailed and complex and no DPO can know it all.

To apply the law in practice, they often need time to think it through and deliberate. DPOs need to be clear when they need this time and need to resist the temptation (or demands) to respond immediately.

Well-organised

Sometimes everyone seems to be clamouring for a piece of the DPO. Juggling multiple conflicting priorities means being well-organised is critical. Some demands will be urgent, others important but less urgent, some can wait. That data breach always seems to happen on a Friday afternoon!

A DPO will inevitably need to do their fair share of ‘fire-fighting’ when things crop up out of the blue. They need to manage not only their diary, but colleagues’ expectations too!

Even at the busiest times, it’s also important to try and remain approachable with an ‘open door’ to anyone in the organisation.

Finding workable solutions

Because of the specialist knowledge and obligations a DPO has, they need to work hard to show the business how their role acts as an enabler. Nobody wants to be seen as ‘the department of No’.

In my view this often comes back to character and communication style – being ready not only to shine a light on compliance risks but also to go the extra mile, working closely with stakeholders to find pragmatic solutions.

Taking a more flexible solution-oriented approach builds much better relationships, where the rest of the business sees the DPO as someone who doesn’t put up barriers, but will help them navigate their way to reach their goals.

This is especially important during times of change. Someone who can embrace change, stay positive and focussed and keep working towards shared goals is more likely to succeed in the end.

In conclusion

Wow, the DPO role is certainly a demanding role which requires a lot of positive character traits and interpersonal skills!

All nicely summed up by Matt Kay, Deputy DPO at Metro Bank:

“It goes without saying that the role of a DPO is multi-faceted requiring a broad skillset with organisations valuing certain skills more than others, and this of course differs between organisations. For me I think the key skills are stakeholder engagement, the ability to project manage, navigate conflicting priorities and being able to take a pragmatic approach. Taking risk based decisions that balance the needs of data subjects and the organisation you work for.”

 

Privacy Pulse Report 2022

Monitoring the heartbeat of the UK data protection community

Nearly four years after GDPR was implemented, data protection professionals are still grappling with DSARs, RoPAs and getting organisational buy-in…

  • How well resourced are data protection teams?
  • Is accountability being taken seriously?
  • What are privacy tech solutions being used for?

Find out the answers to these questions and more in the Privacy Pulse Report 2022.


Published in partnership with Exterro, this report is based on our November survey and a series of more in-depth interviews.

Cabinet Office data breach fine – 6 key takeaways

December 2021

A data breach could be blamed on human error, when the real culprits are a lack of controls, checks and balances

The ICO has fined HM Government’s Cabinet Office £500,000 for a data breach, following the disclosure of people’s home addresses published in the New Year’s Honours List.

What went wrong and what lessons can we learn?

How did the data breach happen?

Here’s a summary – yes it’s quite dry but worth looking at. It illustrates how the devil really is in the detail when it comes to systems and end-user requirements from a data protection perspective.

  • In 2019, a new IT system was introduced in the Cabinet Office to handle public nominations for the New Year Honours.
  • The ICO investigation found the system was set up incorrectly; it was mistakenly configured to generate a CSV file which included people’s postal addresses. This should not have happened and was not a feature requested in the original build requirements.
  • Testing took place on the reports the system generated, but the postal address column went unnoticed. It’s believed this was partly due to the large number of fields in the spreadsheet and the focus being on making sure the list of successful Honours recipients was accurate.
  • Instructions were provided to staff to explain the process for running the reports. However, these were based on how the system should have been set up (i.e. the original build requirements) and didn’t include checks to make sure extraneous personal data was removed.
  • The error was identified at a later stage, but due to tight timescales to get the Honours list published, it was decided the file should be amended rather than making modifications to the IT system itself. A decision was taken to hide the postal address information; however, it was still contained within the document itself, as it had not been deleted.
  • When the list was published on the Cabinet Office website on Friday 27 December at 10.30pm, this data became visible, and people’s postal addresses were accessible.
  • Some of the data affected was already in the public domain. However, numerous postal addresses which were not in the public domain were made public.
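The chain of failures in the list above (an export that quietly included a column nobody had asked for, testing that did not notice it, and a ‘hide’ that left the data in the file) is easy to reproduce and easy to guard against with one simple control: validate a generated report against the approved field list before it is published. The following Python is an added example, not code from the Cabinet Office system or from the ICO notice; the field names, the sample rows and the `APPROVED_FIELDS` list are constructed for illustration and the `Sheet` class is a deliberately minimal model of a spreadsheet.

```python
import csv
import io

# Constructed example: the field list the build requirements (hypothetically) specified.
APPROVED_FIELDS = ["honour", "name", "citation", "county"]

# Constructed sample rows as the system actually generated them: a "postal_address"
# field is present that was never in the requirements. All values are invented.
GENERATED_ROWS = [
    {"honour": "MBE", "name": "A. Example", "citation": "For services to Example",
     "county": "Exampleshire", "postal_address": "1 Example Road, Exampletown, EX1 1EX"},
    {"honour": "OBE", "name": "B. Sample", "citation": "For services to Sampling",
     "county": "Sampleshire", "postal_address": "2 Sample Street, Sampleville, SA2 2SA"},
]


class Sheet:
    """Minimal model of a spreadsheet: rows of named cells plus a set of hidden columns.
    Hiding affects only what is displayed; it does not touch the underlying data."""

    def __init__(self, rows):
        self.rows = [dict(r) for r in rows]
        self.columns = list(rows[0].keys()) if rows else []
        self.hidden = set()

    def hide(self, column):
        """What a user does when they 'hide' a column in the spreadsheet UI."""
        self.hidden.add(column)

    def drop(self, column):
        """Actually delete a column from every row."""
        self.columns = [c for c in self.columns if c != column]
        for r in self.rows:
            r.pop(column, None)
        self.hidden.discard(column)

    def visible_columns(self):
        """Columns a person looking at the screen would see."""
        return [c for c in self.columns if c not in self.hidden]

    def export_csv(self):
        """CSV has no notion of hidden columns: every column is written, hidden or not."""
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=self.columns, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.rows)
        return out.getvalue()


def extraneous_fields(csv_text, approved_fields):
    """Columns present in an export that the requirements never asked for."""
    header = csv.DictReader(io.StringIO(csv_text)).fieldnames or []
    return [f for f in header if f not in approved_fields]


def release_check(csv_text, approved_fields):
    """Publication gate: passes only when no unapproved column is in the file."""
    return extraneous_fields(csv_text, approved_fields) == []


if __name__ == "__main__":
    sheet = Sheet(GENERATED_ROWS)
    sheet.hide("postal_address")
    hidden_export = sheet.export_csv()
    print("visible on screen:", sheet.visible_columns())
    print("extraneous in export after hiding:", extraneous_fields(hidden_export, APPROVED_FIELDS))
    print("release check after hiding:", release_check(hidden_export, APPROVED_FIELDS))
    sheet.drop("postal_address")
    print("release check after dropping:", release_check(sheet.export_csv(), APPROVED_FIELDS))
```

The point of the `release_check` gate is that it compares the file that will actually be published against the agreed build requirements, not against what someone sees on screen; a hidden column passes a visual check and fails this one. Had a check of this kind been part of the documented report-running instructions, the extraneous column would have been caught at testing time rather than after publication.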

Steve Eckersley, ICO Director of Investigations, said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Action taken following the data breach

Within thirty minutes of the list being published, a member of the Government Communications Team alerted the Cabinet Office to the breach.

The list was quickly republished, removing the link to the offending CSV file. However, due to the automatic caching on the gov.uk website the file continued to be accessible (seriously, caching is the bane of my life too!).

A developer finally managed to permanently delete the CSV file shortly before 1am on the Saturday morning.

I’m sure this was an, er, interesting Friday night for those involved.

Individuals affected by the breach were contacted within 48 hours via email or telephone, and a few were contacted by post.

The Cabinet Office notified the ICO within 72 hours of becoming aware of the breach in accordance with GDPR.

In its enforcement notice the ICO acknowledges that the Cabinet Office acted promptly and undertook a full incident review.

Since the breach, it is reported a number of ‘operation and technical’ measures have been implemented to improve the system security and an independent review focusing on the handling of data was completed in 2020.

You can read more detail in the full enforcement notice.

6 key takeaways

The ICO investigation and an independent review examined the Cabinet Office’s data handling practices in light of this breach. The findings provide useful tips on measures we should be considering and steps we should be taking. All of these speak to the need to take a Privacy by Design approach.

1. New systems

The review report said; “Interviewees raised a number of concerns around the procurement of new software to run their data handling processes. Some said that financial considerations meant that off-the-shelf solutions were chosen to run processes that, given their complexity, warranted bespoke solutions”.

A stark lesson: we need to make sure appropriate due diligence is conducted both at the procurement stage and when scoping the requirements for tech solutions, and that development accurately matches the agreed scope. We need thorough UAT (user acceptance testing). We mustn’t roll out new systems/software too quickly. Cutting corners can lead to mistakes.

Conducting a Data Protection Impact Assessment can often be a really useful way of identifying and mitigating risks from the outset.

2. Procedures and processes

Staff need to be aware of, and have access to, clear data handling procedures and processes. In this case it was found procedures were insufficient or incorrect. There was also a lack of instructions for what to do in a crisis (i.e. how to reverse publication once the breach had occurred).

Are you confident your staff know how to handle data appropriately? Are your processes regularly reviewed and updated? Have you practised or ‘war-gamed’ worst-case scenarios?

3. Out of hours incidents

It’s a bit of a cliché, but data breaches inevitably occur at the worst possible time – at the weekend or on a Bank Holiday. Sod’s law they will happen when key people are on holiday or unavailable.

The Cabinet Office suffered a breach at 10.30pm, on a Friday, in between Christmas and New Year. They aren’t the first, and certainly won’t be the last to have this happen at the worst possible time.

Does your data incident plan cover such eventualities? A common gap can be not having mobile numbers for key people and not having contact details for ‘a second in command’ if the key person isn’t available.

Credit where credit’s due – in the circumstances I think it’s impressive they managed to get in touch with affected individuals within 48 hours and got their notification into the ICO within 72 hours.

4. Time pressures

Many businesses are high-tempo, with new systems and projects putting pressure on employees to meet deadlines and deliver on time.

The review of the Cabinet Office found there was regular pressure to deliver on urgent political priorities; “The pace required to deliver on these priorities was cited by some business units and stakeholders as potentially compromising the disciplines of good personal data handling”.

Is your organisation at risk of pushing too hard to the detriment of data protection? Are people aware of the potential risks?

5. Training and awareness

The Cabinet Office had seven modules in their “Responsible for Data” e-Learning. However they were unable to provide the ICO with a clear percentage of who’d completed the training.

The regulator found employees in the Press Office and Digital Team, who were also involved in the process of the data being published, hadn’t received data protection training in the past two years.

This demonstrates the importance of not only making sure staff receive adequate, regular and appropriate training, but also why it’s important to keep records too.

6. Accountability

Do you have clear lines of accountability and responsibility? It’s a potential recipe for disaster to leave less experienced or junior members of staff to handle important jobs (especially late on a Friday night). Are senior members of staff available to sign off and check things when required?

In summary…

When I first heard of this breach back in December 2019, my heart sank for those involved in pushing the button. Would the finger inevitably be pointed at them for making such a big and very public mistake?

But I also thought, how could it have got to this stage? How could there not have been checks and balances in place throughout the process to make sure people’s private postal addresses could never be published?

In the independent review commissioned by the Cabinet Office, the following important observation is made: “Breaches, such as the one that impacted New Year’s Honours recipients in December 2019, are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically”.

We all have feet of clay, and this is not an issue which will be limited to the Cabinet Office.

 

Record of Processing Activities: Pros and Cons

October 2021

How important is it to keep robust records of your data?

Should it be mandatory for organisations to maintain a Record of Processing Activities (RoPA)?

One of the areas attracting interest under the UK Government’s proposals to reform UK data laws is a relaxation of the requirements for record keeping.

Under the UK GDPR, organisations are required to document their data processing activities. For businesses of 250 employees or more these records should meet a number of specified requirements. Smaller organisations which carry out special category or ‘high risk’ processing are required to document these activities.

That’s regardless of whether you’re acting as controller or processor.

The Government is proposing to remove mandatory record keeping requirements.

Yes, you heard that right… the idea is to replace these with a more flexible requirement to maintain records as part of a Privacy Management Programme (PMP). So in effect, records will still be needed, but there may be more flexibility about how you go about it.

Organisations would be able decide on the right level of detail they need in their own records, taking into account the volume and sensitivity of the personal information they handle.

Therefore, organisations handling simple or fairly routine processing activities could, in theory, keep simpler, less onerous, records of those activities.

Sound like a welcome easing of ‘box ticking’?

Why is record keeping important?

Record keeping is often regarded amongst privacy professionals as one of the most fundamental and necessary requirements of the GDPR.

It requires organisations to map and record the personal data they hold across the organisation, including what personal data assets are used, where it is stored, what it’s used for, who it’s shared with and what measures & controls are in place to protect it.

The problem many organisations face is that creating and maintaining these records (in line with GDPR Article 30 requirements) can be onerous and time consuming.

As data is typically used by many different business functions, the process requires the support of stakeholders across all the business functions that process data.

But once in place, your Record of Processing Activities (or RoPA) can really give you a solid advantage to help you meet some of the most important data protection standards.

Six benefits of robust record keeping

1. Transparency – Getting to grips with your processing activities enables you to create a clear and accurate privacy notice(s). With good records in place, you can be confident you’ve identified all the types of processing which need to be covered in your privacy notices.

2. Individual rights – When you receive a Subject Access Request, your records can really help to locate and access the specific data required to fulfil the request.

3. Risk awareness and management – Knowing and recording your processing activities allows you to properly understand the full breadth and sensitivity of your processing. That’s vital to identify where your privacy and security risks lie, so you can establish your priorities.

4. Fair and lawful processing – Confirming and recording which lawful basis (or bases) you’re using for each processing task enables you to make sure you’re meeting the relevant conditions.

5. Keep track of your data processors – Logging all your processors helps you keep on top of contractual requirements and international data transfers.

6. Data breach – Your records could be very useful if and when you suffer a data breach. They can help you to identify what personal data may have been exposed and how sensitive that data is, helping you quickly conduct a risk assessment and decide how best to act.

OK, so there are many positives, but what are the challenges organisations face trying to comply with the current rules?

Six downsides of the GDPR-based approach to record keeping

1. Complexity – The level of detail required makes the records time consuming to create.

2. Resources – Maintaining records which meet GDPR requirements requires resources and is an on-going challenge.

3. Ownership – The data protection team can’t do this on their own. You are likely to need to appoint people across different business functions to take ownership of maintaining records within their function.

4. One size doesn’t fit all – Organisations all operate differently and are engaged in widely differing processing activities. Some smaller businesses may carry out highly-sensitive activities. Bigger organisations that fall under the mandatory requirement may not. The current ‘standard template’ approach lacks flexibility.

5. Cost – Due to the current level of complexity, some businesses have felt the need to invest in a privacy technology solution to help them create and manage their processing records. So for those businesses there’s a cost consideration.

6. Staying up to date – Left unmanaged your records quickly become outdated and useless.

In Summary…

More flexibility around record keeping would be a practical move, allowing for organisations to adopt a more tailored and proportionate approach.

However, there’s the risk removing mandatory requirements could lead to record keeping ‘falling off the radar’ and data protection teams could get less traction within the business.

We should not ignore the very valuable role which our records can play. If this proposal goes ahead, we should take care not to over-simplify our records too much.

Perhaps a mid-way solution could work – keeping mandatory requirements to maintain records, but removing the prescribed list of what should be in them?

I think the RoPA may well be an area where there is a 50 / 50 split between those who see the benefit of keeping mandatory requirements and those that would appreciate more flexibility.

Privacy Management Programme – what does one look like?

October 2021

The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws.

In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.

It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.

The idea is a new ‘risked-based accountability framework’ will be introduced, requiring organisations to implement a PMP, but allowing flexibility to internally tailor the programme to suit the organisation’s specific processing activities.

What is a Privacy Management Programme?

A PMP is a structured framework which supports organisations in meeting their legal compliance obligations and the expectations of customers and clients, fulfilling privacy rights, mitigating the risks of a data breach – and so forth.

Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.

Core components of a Privacy Management Programme

There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like.

This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.

  • Governance

Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.

  • Assessments

Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).

  • Record-keeping

Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.

  • Policies

Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.

  • Training and awareness

Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.

  • Privacy rights

Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.

  • Protecting personal information

Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.

  • Data incident planning

Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.

  • Monitoring and auditing

Last, but by no means least, no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.

What might change?

To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.

So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme.

On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how to implement their privacy programmes to achieve desired outcomes.

On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how we use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDPB) suggest in their August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain the three conditions that must be met for Legitimate Interests to apply:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that CJEU have previously specified that, in a situation of joint controllership (as there might be with a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trail blazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA):

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media.  We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued that people nowadays expect to see relevant advertising when they browse social media, and that ads which are relevant to their interests have got to be better than untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, inappropriate or unlawful ways, especially where individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit your interests and other categories used by advertisers to reach you
  • find out who is targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products & services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer / supporter complaints which might arise from social media targeting; if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information. Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!

If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch.

Data breaches: Why humans are our weakest link

April 2021

Ever felt the sense of impending doom after you realise you’ve left your laptop in the pub? Or, possibly worse, on the 16.43 from Waterloo?

Have you suffered the embarrassment of emailing an attachment to the wrong person? Have you ever absent-mindedly clicked on a link in a fake email?

If you have, you’re not alone. Welcome to a not even remotely exclusive club.

In our recent survey of DPN subscribers, 69% of respondents said they’d suffered a personal data breach in the past 12 months. Of these, a whopping 90% said those breaches were caused by human error.

We asked what types of mistake people had made which led to a data breach. The following clear themes emerged:

  • Email containing personal data sent to the wrong recipients
  • Misspelling email recipients’ addresses and disclosing personal data in error to the wrong person
  • Forwarding attachments with personal data in error
  • Following links in a phishing email
  • Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)

It’s clear our email activities are the DPO’s biggest headache, and the area where people are most likely to act in haste and make a mistake.

Given the torrent of emails most of us handle on a weekly basis, maybe it’s not much of a surprise.

Is an email error a data breach?

An interesting question has been raised recently about whether incorrectly disclosing personal data via email is actually a personal data breach or not.

In a recent ruling, the Belgian Data Protection Authority concluded that mistakenly sending an email (which in the case in point meant personal data was disclosed to the wrong recipient) did NOT represent a data breach.

The Belgian DPA said a personal data breach could only occur as a result of a breach of security controls. In this case, security controls had not been breached.

Happy days! Do we no longer need to log (or in some cases notify) all those email errors?

Hmmm, I’m not so sure.

This got me thinking, why is human error cited in every breach report as one of the major causes of personal data breaches?

Data breaches: What does the ICO say?

The UK Information Commissioner’s Office has detailed data breach guidance in which it states:

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

The ICO goes on to provide some examples:

Personal data breaches can include:

      • access by an unauthorised third party;
      • deliberate or accidental action (or inaction) by a controller or processor;
      • sending personal data to an incorrect recipient;
      • computing devices containing personal data being lost or stolen;
      • alteration of personal data without permission; and
      • loss of availability of personal data.

Clearly the UK Regulator does consider ‘sending personal data to an incorrect recipient’ as a personal data breach. After all, data has been provided to someone who shouldn’t have received it. Surely how it happened is, to a certain extent, academic?

I’m reminded of an embarrassing case from a couple of years ago, where a sexual health clinic mistakenly divulged sensitive personal details when recipients were cc’d rather than blind copied.

The clinic received some very unwelcome publicity and was fined by the ICO (albeit a small amount as they were ‘an unincorporated association rather than a full, money-making charity’).

Data breaches: What does the EDPB say?

Earlier this year the European Data Protection Board helpfully published data breach notification examples. These cover a number of different scenarios, including:

  • Stolen material storing non-encrypted personal data
  • Stolen paper files with sensitive data
  • Snail mail mistake
  • Personal data sent by mail by mistake

I’m therefore minded not to dwell on the Belgian DPA ruling, and will continue to consider disclosing personal data via email in error as a data breach (which may or may not be notifiable depending on the level of risk posed).

Although I’m not a lawyer, I do wonder if the Belgian DPA’s decision is perverse. Perhaps other cases passing through the same courts may end up revising the Belgian finding, and it’s certainly one to keep an eye on.

What keeps you awake at night?

In our DPN survey we also asked, ‘when thinking about data breaches, what worries you the most?’. The following common worries were most apparent:

  • Reputational damage
  • Staff not reporting mistakes quickly enough
  • Staff not reporting their mistakes at all
  • Legal action by affected data subjects
  • Customer data being used for fraud / other harm caused to data subjects
  • Timescale challenges
  • Not being aware a serious incident has occurred

Clearly staff not reporting mistakes is a worry. Unfortunately, humans make errors and are tempted to cover them up. As my mother taught me as a child, this seldom ends well!

Quite often it’s not the mistakes that become the biggest problem, it’s attempts to conceal them. Politicians of all stripes, I’m looking at you!

To this point I favour stressing, in any awareness campaigns and in data incident policies: ‘We know people make mistakes, but you must report them.’ (It might help).

A culture that treats mistakes as learning opportunities strikes me as more likely to pick up on errors.

How do we combat human error?

We’ve all rushed to meet a deadline (or finish stuff before we go on leave) and we’ve all had moments where our concentration lapses – we can’t prevent this.

The message just needs to be repeated over and over again: we need to take care.

Regular data protection training is important, but so is reinforcing this message with ongoing awareness efforts – intranet alerts, eye-catching posters in lifts, including data protection awareness in appraisals… whatever it takes.

I will also point out the Regulators are humans too, they understand mistakes happen no matter how much you try to avoid them. What they want to see is clear evidence that you’ve made a concerted effort to try to make people aware and reduce the likelihood.

The ICO’s investigation into a data breach at Heathrow Airport in 2017 found the Airport had failed not only ‘to ensure that the personal data held on its network was properly secured’ but that it had also failed ‘to provide any, or any sufficient training in relation to data protection and information security.’

It is highly likely the fine would have been reduced if Heathrow Airport could have demonstrated sufficient training had been conducted.

We have to accept human error can’t be eradicated (unless I, Robot becomes reality), but there’s a whole raft of strategies we can use to mitigate the risk.

And showing we’ve tried to do the right thing in the first place is half the battle, as a cocktail of human error AND complacency makes for the worst sort of mistake.

Data incident support – Our experienced team can develop or review your incident procedures and provide rapid support in the event of a suspected or actual personal data breach.
Minimise your data with maximum permissions

March 2021

Deliver successful marketing campaigns without hoarding data

This might seem like a contradiction in terms. How can you minimise the volumes of data you keep whilst also maintaining good levels of marketing permissions?

The answer, of course, is to only keep the data you need. Less is more. I’ll say that again – less is more. However, the challenge for many marketers is to understand which data to discard and which data to keep.

Figuring out which data is needed takes time and effort, and draws on some old-fashioned skills we learnt in the pre-internet era to maintain data accuracy and assess which variables/values actually drive a sale.

Before the ubiquitous email, which appears to cost nothing, we used to make some very difficult decisions about who to contact because each contact cost a fortune. Now is the time to re-discover some of those skills and cut down on those emails and digital ads, whilst rebuilding trust with prospects and customers.

1. Data accuracy

Arguably the most boring job for any marketer is to keep their customer and prospect data up to date and accurate.

Questions to consider:

  • How many records hold inaccurate data?
  • Are they worth keeping?
  • How recently did that prospect engage with you?
  • Will they ever engage again?
  • Are the marketing permissions up to date and valid?

Like de-cluttering your house, it’s difficult to throw away data but keeping data for too long can attract large fines and a bad reputation.

2. Effective retention policies

If you understand the patterns of purchase and sale you’ll have a good idea of when customers are no longer engaged and either need to be refreshed or removed.

Asking if people want to be removed from a database after a long period of inactivity is a good idea. Why keep people on a list who don’t want to hear from you?

Questions to ask:

  • Have you reviewed your retention policy and refreshed permissions?
  • Do you have a regular routine in place to identify and update permissions once they reach their retention policy limit?
  • Do you regularly review the responses you generate from the older data sets?
  • Based on your findings, should you adjust the retention policy periods?

3. Reduce the collection of data points

If I provide a phone number when I place an order, what happens to that data?

Unless it’s for a carrier I’ll always provide an inaccurate number. It makes more sense to explain exactly why you need every single data point and provide a “what’s in it for me” reason why this data should be collected. The completion rate will be greater with more accurate information.

Questions to ask:

  • Do you have a clear plan for how every single data point is used?
  • Have you communicated that intention clearly?
  • Have you explained clearly the “what’s in it for me”?
  • Which data can be discarded?

4. Special category data

Special category data can be explicitly collected or inferred from the combination of other data sets. This is a particular challenge in Adtech where the quantity of data collected through third party cookies is, frankly, mind blowing.

If you’re able to establish sexuality from which websites someone uses, this potentially becomes special category data. Keeping any special category data presents an additional risk and should be carefully considered, whilst consent for marketing needs to be sought under any circumstance. If in doubt, get rid of it.

Questions to consider:

  • Do you really need to know anything sensitive about your prospects and customers?
  • What difference will knowing the information make to your ability to sell your products and services?

5. Preference centres

The notion you should give your customers and prospects the choice to manage their preferences in an open and transparent way is at the heart of data protection legislation.

There are technology solutions from a wide variety of providers to create preference centres for cookies, as well as managing marketing preferences for emails, direct mail and so on.

Presenting this information in an easy-to-understand format can feel like a formidable challenge and there’s sometimes the temptation to hide it or just not bother to explain clearly enough.

Not explaining or hiding information is never a great idea, as there is a direct link between openness and transparency and trust.

“Doing the right thing” and building trust is a No 1 priority for many brands and they see it reaps dividends in greater loyalty and repeat purchase.

Not only that, but the aforementioned technology solutions have relatively inexpensive options for small or medium-sized businesses. Cost should not be an impediment.

Questions to consider:

  • Are all your marketing and cookie preferences managed centrally?
  • Do you know what all the cookies on your website do?
  • Do you know what happens to the data that is captured by third party Adtech providers?
  • Have you completed a DPIA for Ad Tech activity?
  • Do you have a compliant cookie notice and preference centre with the permissions options applied correctly?

6. Understanding the ROI of your campaigns

Being able to analyse the customer/prospect journey from first point of data capture through to a final sale is the holy grail. An apparently cost-efficient lead at the front end may not translate into high margin sales in the end.

Equally, being able to understand what influences a purchasing decision and what environment is most successful will allow you to filter your marketing effort against fewer key variables.

As the ICO clearly stated in its review of RTB (real-time bidding), the sheer volume of data in use by Adtech providers feels disproportionate to the outcome.

Questions to ask:

  • Can you calculate an end-to-end ROI on customer transactions?
  • Do you know which variables will influence purchase more than anything else?
  • Have you done some modelling of your own customer data to create anonymised look alike segments to be used with contextual advertising?

7. How do you move on from third-party cookies?

As we know, Google will stop supporting third party cookies in 2022. This places an immediate pressure on advertisers to focus on their own first party data.

Immediate questions to ask:

  • Do we have any first party data?
  • How else do we add to what we already know?
  • Can we ask our customers to share more data? What interests them, what content do they consume, how do they shop?

If we’re able to create segments from our own data, the opportunity to use that information to create anonymised look-alikes will improve targeting efficiency. We are seeing a proliferation of providers who are using different variables to target customers which do not even involve large quantities of cookie data, and this trend is set to grow.

If you understand your data well and create meaningful segments for targeting from first party data, which has been volunteered by customers, marketing teams will be in a strong position to deliver more with less.