Data Governance Quick Guide Taking control of our data In essence Data governance is a framework of management practices which makes sure data is used properly in line with our organisational aims, the law and best practice. Think of it as embedding Data Protection by Design and by Default across the organisation. It means business objectives can be met without taking unnecessary risks with data. Data governance helps us to: protect the business and those whose data we process: customers, employees, etc. reduce our organisational risk profile educate our people, by providing policy & guidance to them on how to use data in the safe and appropriate ways build in an ethical approach build our reputation, customer trust and enhance the value of our data assets support our teams’ innovation with use of data. The 6 data governance steps 1. Data discovery It’s vital to identify data assets held across the business understanding how personal data is being gathered, stored, used and shared. It can be helpful to map where the data is located on systems, and document it. Most medium to large businesses will need to do this anyway to create and maintain an Information Asset Register (IAR) and Records of Processing Activity (RoPA). 2. Policies & standards If our people don’t know how we expect them to behave when handling other people’s data, we can’t expect them to make a great job of it. Are your policies and procedures all up to scratch? Having a straight-forward, easy to understand and practical Data Protection Policy is a good place to start (alongside relevant training). The importance of well-crafted easy to use policies shouldn’t be underestimated. 3. Stakeholder accountability We need to identify key stakeholders within the business. Likely to be heads of key functions, such as HR, Operations, Sales & Marketing, and so on. It’s good to establish data roles and responsibilities, so people are clear what aspects they and others are responsible for. Who has the authority to make decisions about certain data? 4. Risk assessment process Businesses should have risk assessment procedures to discover, assess, prioritise and take action to mitigate data risks. A governance programme helps teams to identify and assess both existing and emerging risks, so they can be efficiently assessed and mitigated. Think of data like a balance sheet: it has great potential to create value, but also carries risks and liabilities. The aim of a data governance programme is to protect both the business and those whose data we process from harm which may arise. For example, things like inaccurate data, unlawful or unfair processing or using people’s data in ways they would not expect or want. For certain projects it will be necessary to conduct a Data Protection Impact Assessment (DPIA). 5. Technical and organisational measures (TOMs) Once privacy risks have been identified, we need to consider what measures could be put in place to tackle them. You may choose to mitigate them internally with new procedures or security measures, or perhaps work with a third party to adopt technical or operational measures. Privacy Enhancing Technologies – how they can help Organisational measures include making sure there’s good awareness about data protection across the business, and employees receive appropriate training. 6. Executive oversight Risks should be reported up the line to make sure the Senior leadership team has proper oversight and the opportunity to take appropriate action. If your organisation has a Data Protection Officer (DPO) this reporting will be part of the formal accountabilities for their role. But remember not all businesses need to have a DPO. Should we appoint a DPO? Overcoming cultural challenges Data protection and privacy professionals face a cultural challenge to win hearts and minds. I have sometimes heard legal or privacy teams described as ‘the department of no’. That’s not how we want to be seen! Smart businesses are realising the value of taking privacy seriously. We should help our business colleagues to balance the needs of commercial and operational functions with legal & ethical requirements. We shouldn’t just explain what the law requires. We must go further and help them our colleagues to find practical solutions. Collaboration and mutual understanding are essential ingredients for successful data governance.
Are we conducting too many DPIAs – or not enough? How to decide when to conduct Data Protection Impact Assessments Make no mistake, Data Protection Impact Assessments (DPIAs) are a really useful risk management tool. They help organisations to identify likely data protection risks before they materialise, so corrective action can be taken. Protecting your customers, staff and the interests of the business. DPIAs are key element of the GDPR’s focus on accountability and Data Protection by Design. It’s not easy working out when a DPIA is necessary, or when it might be useful, even if not strictly required by law. Businesses need to be in control of their exposure to risk, but don’t want to burden their teams with unnecessary work. So it falls to privacy professionals to use their judgement in what can be a delicate balancing act. Lack of clarity around when DPIAs are genuinely needed could lead businesses to carry out far more DPIAs than needed – whilst others may carry out too few. When are DPIAs required? We should check if a DPIA is required during the planning stage of new projects, or when changes are being planned to existing activity. Where needed, DPIAs must be conducted BEFORE the new processing begins. DPIAs are considered legally necessary when the processing of personal data is likely to involve a ‘high risk’ to the rights and freedoms of individuals. What does ‘high risk’ look like? Why types of activity might fall into ‘high risk’ isn’t always clear. Fortunately the ICO have given examples of processing likely to result in high risk to help you make this call. Regulated sectors, such as financial services and telecoms, have specific regulatory risks to consider too. Give consideration to the scope, types of data used and the manner of processing. It’s wise to also take account of any protective measures already in place. In situations where the nature, scope, context and purposes of processing are very similar to another activity, where a DPIA has already been carried out, you may not need to conduct another. Three key steps for a robust DPIA screening process 1. Engage your key teams In larger organisations, building good relationships with key teams such as Procurement, IT, Project Management, Legal and Information Security can really help. They might hear about projects involving personal data before you do. Make sure they’re aware when a DPIA may be required. This means they’ll be more likely to ‘raise a hand’ and let you know when a project which might require a DPIA comes across their desk. In smaller businesses there may still be others who can help ‘raise a hand’ and let you know about relevant projects. Work out who those people are. 2. Confirm the businesses appetite for risk Is your organisation the sort which only wants DPIAs to be carried out when strictly required by law? Or perhaps you want a greater level of oversight? Choosing to carry out DPIAs as your standard risk assessment methodology for any significant projects involving personal data – even if they might appear to involve lower levels of risks to individuals. Logic says you’ll never be 100% sure unless you carry out an assessment and DPIAs are a tried and tested way to give you oversight and confidence. But this approach requires more time, resources and commitment from the business. You need to strike the right balance for your organisation. 3. Adopt a DPIA screening process If you don’t currently use a screening process, you really should consider adopting one. It’s a quick and methodical way to identify if a project does or does not require a DPIA. You can use a short set of standard questions, which can be provided for stakeholders to complete and return or discussed in a call. So the question ‘Is a DPIA needed or not?’ can be reached rapidly and with confidence. Personally I prefer to arrange a short call with the stakeholders, using my screening questionnaire as a prompt to guide the discussion. Don’t forget to keep a record of your decisions! Including when you decide a DPIA isn’t necessary. Try not to burden colleagues with unnecessary assessments for every project, if there really is minimal risk. This is unlikely to be a well-received approach. Raise awareness and have a built-in DPIA screening process to make sure you catch the projects which really do warrant a deeper dive.
Data Retention Guide Data retention tools, tips and templates This comprehensive guides take you through the key steps and considerations when approaching data retention. Whether you’re starting out or reviewing your retention policy and schedules, we hope this guide will support your work. This guide was developed and written by data protection specialists from a broad range of sectors. A huge thank you to all those who made it possible.
Data Subject Access Request Guide Being prepared and handing DSARs Handling Data Subject Access Requests can be complex, costly and time-consuming. How do you make sure you’re on the front foot, with adequate resources, understanding and the technical capability to respond within a tight legal timeframe? This guide aims to take you through the key steps to consider, such as… Being prepared Retrieving the personal data Balancing complex requests Applying redactions & exemptions How technology can help
Ransomware attack leads to £98k ICO fine Solicitors firm failed to implement ‘adequate technical and organisational measures’ Are you using Multi-Factor Authentication? Are patch updates installed promptly? Do you encrypt sensitive data? Reports of cyber security incidents in the UK rose 20% in the last 6 months of 2021. These figures from the ICO, combined with the heightened threat in the current climate, provide a stark warning to be alert. The ICO says; “The attacks are becoming increasingly damaging and this trend is likely to continue. Malicious and criminal actors are finding new ways to pressure organisations to pay.” Against this backdrop the ICO has issued a fine to Solicitors’ firm following a ransomware attack in 2020. The organisation affected was Tuckers Solicitors LLP (“Tuckers”) which is described on its website as the UK’s leading criminal defence lawyers, specialising in criminal law, civil liberties and regulatory proceedings. While each organisation will face varying risks, this case highlights some important points for us all. Here’s a summary of what happened, the key findings and the steps we can all take. For increasing numbers of organisations this case will unfortunately sound all too familiar. What happened? On 24 August 2020 Tuckers realised parts of its IT system had become unavailable. Shortly after IT discovered a ransomware note. Within 24 hours it was established the incident was a personal data breach and it was reported to the ICO. The attacker, once inside Tuckers’ network, installed various tools which allowed for the creation of a user account. This account was used to encrypt a significant volume of data on an archive server within the network. The attack led to the encryption of more than 900,000 files of which over 24,000 related to ‘court bundles’. 60 of these bundles were exfiltrated by the attacker and released on the ‘dark web’. These compromised files included both personal data and special category data. The attacker’s actions impacted on the archive server and backups. Processing on other services and systems were not affected. By 7 September 2020, Tuckers updated the ICO to say the servers had been moved to a new environment and the business was operating as normal. The compromised data was effectively permanently lost, however material was still available in management system unaffected by the attack. Tuckers notified all but seven of the parties identifiable within the 60 court bundles which had been released, who they did not have contact details for. Neither Tuckers, nor third party investigators, were able to determine conclusively how the attacker was able to access the network in the first place. However, evidence was found of a known system vulnerability which could have been used to either access the network or further exploit areas of Tuckers once in side the network. What data was exfiltrated? The data released on the ‘dark web’ included: Basic identifiers Health data Economic and financial data Criminal convictions Data revealing racial or ethnic origin This included medical files, witness statements and alleged crimes. It also related to ongoing criminal court and civil proceedings. Tuckers explained to the Regulator, based on its understanding, the personal data breach had not had any impact on the conduct or outcome of relevant proceedings. However, the highly sensitive nature of the data involved increased the risk and potential adverse impact on those affected. Four key takeaways The ICO makes it clear in its enforcement notice that primary culpability for the incident rests with the attacker. But clear infringements by Tuckers were found. The Regulator says a lack of sufficient technical and organisation measures gave the attacker a weakness to exploit. Takeaways from this case: 1) Multi-Factor Authentication (MFA) Tuckers’ GDPR and Data Protection Policy required two-factor authentication, where available. It was found that Multi-Factor Authentication (MFA) was not used for its ‘remote access solution’. The ICO says the use of MFA is a relatively low-cost preventative measure which Tuckers should have implemented. The Regulator concluded the lack of MFA created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack. Takeaway: If you currently don’t use MFA, now would be a good time to implement it. 2) Patch management The case reveals a high-risk security patch was installed in June 2020, more than FOUR months after its release. The ICO accepts the attacker could have exploited this vulnerability during the un-patched period. Considering the highly sensitive nature of the personal data Tuckers were handling, the Regulator concludes they should not have been doing so in an infrastructure containing known critical vulnerabilities. In other words the patch should have been installed much sooner. Takeaway: Make sure patches are installed promptly, especially where data is sensitive. 3) Encryption During the investigation Tuckers informed the ICO the firm had not used encryption to protect data on the affected archived server. While the Regulator accepts this may not have prevented the ransomware attack itself, it believes it would have mitigated some of the risks posed to the affected individuals. Takeaway: There are free, open-source encryption solutions are available. Alternatively more sophisticated paid for solutions are available for those handling more sensitive data. Also it’s worth checking you’re adequately protecting archives to the same standard as other systems. 4) Retention The enforcement notice reveals some ‘court bundles’ affected in the attack were being stored beyond the set 7-year retention period. Takeaway: This again exposes a common issue for many organisations. Too often data is held longer than is necessary, which can increase the scale & impact of a data breach. Our comprehensive Data Retention Guidance is packed with useful tools, templates and advice on tackling how long you keep personal data for. What else can organisations do? Clearly, we can’t be complacent and shouldn’t cut corners. We need to take all appropriate steps to protect personal data and avoid common pitfalls. Here are some useful resources to help you: Cyber Essentials – The enforcement action notes that prior to the attack Tuckers was aware its security was not at the level of the NCSC Cyber Essentials. In October 2019, it was assessed against the ‘Cyber Essentials’ criteria and failed to meet crucial aspects of its requirements. Cyber Essentials was launched in 2014 and is an information security assurance scheme operated by the National Cyber Security Centre. It helps to make sure you have the basis controls in place to protect networks/systems from threats. Cyber Essentials – gain peace of mind with your information security National Cyber Security Centre ICO Ransomware guidance – The ICO has recently published guidance which covers security policies, access controls, vulnerability management, detection capabilities and much more. DPN Data Breach Guide – Our practical guide covers how to be prepared, how to assess the risk and how to decide whether a breach should be reported or not. You can read the full details of this case here: ICO Enforcement Action – Tuckers Solicitors LLP
Data Breach Guide How to handle a data breach Our practical, easy-to-read guide takes you through how to be prepared for a breach, and how to assess the risks should you suffer a personal data breach. This data breach guide covers: Common causes of breaches Data incident and breach planning How to assess the risks Breach reporting checklists How technology can help
Data Protection Officers – what does it take to do the job? The unique blend of traits and skills which make for a great DPO What is it that makes a DPO effective and successful? Whether you’re recruiting or someone interested in the role, here are a few thoughts for you to chew over. I’m focussing here more on character traits, rather than the specialist knowledge & skills required for the job. Be a good leader – not just a manager A DPO should be a self-starter, with the energy and motivation to lead and inspire others. With the leadership skills to set the direction of travel for data protection across the organisation, laying out clear priorities and bringing others with them on the journey. In the words of Mark Starmer; ‘Will the real leader please stand up?’, leadership is all about being able to influence. This means building effective relationships with everyone from senior management, clients, customers and so on. All this helps the DPO with their quest to embed data protection principles and processes across the organisation. If they have direct reports, they’ll need to be someone who can lead and inspire their team. This includes recognising people’s individual strengths and weaknesses, their progress and achievements. Finding appropriate and perhaps innovative ways to recognise and reward each individual. Thirst for knowledge Not only does a DPO need to have an excellent grasp of the relevant laws, and ideally qualifications to evidence this, but they also need to be someone who is always on a quest to learn more. Someone who is happy to spend their spare time reading new guidance, privacy articles and opinions, case law and so on. Someone with a genuine interest in the data landscape and emerging trends. Autonomy and independence A DPO must also be able to act autonomously, independently and objectively, as the role requires. Not only looking at what the law requires, but also considering ethical and moral issues, to work out what is the right thing to do. Acting with genuine honesty and integrity. Robert Bond, Senior Legal Counsel at Bristows: “Data Protection Officers must be adept and be able to adapt and adopt as circumstances require. Above all they need to implement compliance & ethics with impartiality.” A great communicator and diplomat Strong communication skills are vital. Taking the time to actively listen, interpret and understand others. A DPO is likely to work with a range of staff across the organisation, plus clients and suppliers. Often working across national borders too. This requires cultural awareness and sensitivity. They need to be able to change their approach, depending on who they are talking to. As Fedelma Good, Director at PwC UK explains: ‘DPOs need to be great communicators and above all they need to be multi-lingual. They need to be able to communicate across a broad range of stakeholders, ranging from board members to web designers and quite often they need to act as the translator to ensure that technical, legal and business specialists really do all understand each other.’ Sympathetic but strong A good DPO will be both understanding and assertive. There’ll be times when people are tricky to handle, be it disgruntled customers or even perhaps a member of the senior management team! The role doesn’t exist to preserve the status quo. They may need to push back against established practices (‘we’ve always done it that way’) and challenge people to think differently and find creative solutions. This takes sheer persistence and the drive to make a difference. Confidence A DPO should to be a confident individual who is up for some straight-talking when needed. They must be ready to stand their ground. But they also need the confidence to show humility and say when they don’t know the answer. The laws are detailed and complex and no DPO can know it all. To apply the law in practice, they often need time to think it through and deliberate. DPOs need to be clear when they need this time and need to resist the temptation (or demands) to respond immediately. Well-organised Sometimes everyone seems to be clamouring for a piece of the DPO. Juggling multiple conflicting priorities, means being well-organised is critical. Some demands will be urgent, others important but less urgent, some can wait. That data breach always seems to happen on a Friday afternoon! A DPO will inevitably need to do their fair share of ‘fire-fighting’ when things crop up out of the blue. They need to manage not only their diary, but colleagues’ expectations too! Even at the busiest times, it’s also important to try and remain approachable with an ‘open door’ to anyone in the organisation. Finding workable solutions Because of the specialist knowledge and obligations a DPO has, they need to work hard to show the business how their role acts as an enabler for the business. Nobody wants to be seen as ‘the department of No’. In my view this often comes back to character and communication style – being ready not only to shine a light on compliance risks but also to go the extra mile, working closely with stakeholders to find pragmatic solutions. Taking a more flexible solution-oriented approach builds much better relationships, where the rest of the business sees the DPO as someone who doesn’t put up barriers, but will help them navigate their way to reach their goals. This is especially important during times of change. Someone who can embrace change, stay positive and focussed and keep working towards shared goals is more likely to succeed in the end. In conclusion Wow, the DPO role is certainly a demanding role which requires a lot of positive character traits and interpersonal skills! All nicely summed up by Matt Kay, Deputy DPO at Metro Bank: “It goes without saying that the role of a DPO is multi-faceted requiring a broad skillset with organisations valuing certain skills more than others, and this of course differs between organisations. For me I think the key skills are stakeholder engagement, the ability to project manage, navigate conflicting priorities and being able to take a pragmatic approach. Taking risk based decisions that balance the needs of data subjects and the organisation you work for.”
Privacy Management Programme – what does one look like? The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws. In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP. It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance. The idea is a new ‘risked-based accountability framework’ will be introduced, requiring organisations to implement a PMP, but allow flexibility to internally tailor the programme to suit the organisation’s specific processing activities. What is a Privacy Management Programme? A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth. Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default. Core components of a Privacy Management Programme There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like. This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach. Governance Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks. Assessments Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments). Record-keeping Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with. Policies Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on. Training and awareness Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave. Privacy rights Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection. Protecting personal information Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach. Data incident planning Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements. Monitoring and auditing Last, but by no means least no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance. What might change? To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar. So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme. On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how implement their privacy programmes to achieve desired outcomes. On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).