Managing Erasure Requests or DSARs via Third-Party Portals

January 2022

Do organisations have to honour them? Well, it depends…

Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers.

These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously.

Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant, some of which won’t apply in your jurisdiction.

If you haven’t had any yet, you may soon. Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services.

They don’t all operate in the same way, so be warned the devil is in the detail.

How third-party portals work

Okay, bear with me, as said there are different approaches. They may use one, or a combination of, the following elements:

  • Offer to simply submit requests on the individual’s behalf, then the consumer engages directly with each organisation
  • Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time.
  • Provide a bespoke link which organisations are invited to use to verify ID/authority. (Hmmm, we’re told not to click on links to unknown third parties, right?)
  • Allow consumers to select specific named organisations to submit requests to
  • Make suggestions for which organisations the individual might wish to ‘target’
  • Offer to scan the individual’s email in-box to then make suggestions about which organisations are likely to hold their personal data. (Again, really? Would you knowingly let any third-party scan your in-box?).

Is this a good thing? Does it empower the consumer?

On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights.

For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place, and perhaps a more secure way of sharing personal data, for example when responding to a DSAR.

I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.

Why it’s not all straight-forward

The following tale from one DPO may sound familiar…

We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests otherwise this can cause regulatory issues, not to mention if they are genuine requests.

More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database.

Another concern is whether the requests are actually meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the request, was it actually for our organisation or not?

So, there’s a problem. Requests might be submitted on behalf of consumers who organisations have never engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?

What does the ICO say about third-party portals?

The regulator does reference online portals in its Right of Access guidance. It tells us we should consider the following:

  • Can you verify the identity of the individual?
  • Are you satisfied the third-party has authority to act on their behalf?
  • Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?

The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service.

The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly.

If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.

This all takes time…

This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming. Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in – You’ve been SAR-bombed.

In addition, we need to do our research and understand how the portal operates, checking whether we believe they’re bona fide or not.

Another DPO, whose company receives around thirty privacy requests from third-party portals a month, says: “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info”. This company takes the following approach: “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”

It really is a question of how much effort is reasonable and proportionate.

We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.

Are Data Subject Access Requests driving you crazy?

January 2022

Complicated. Costly. Time-consuming...

… And driving me crazy. We’ve all heard the dreaded words, right? I’d like a copy of my personal data.

Which led me to think; is the fundamental privacy right of accessing our personal data becoming part of our increasingly litigious culture? The DSAR is now a staple opening shot for law firms handling grievance claims or employment tribunals, looking for potentially incriminating morsels of information.

Of course, this right must be upheld, but is the process fit for purpose? Employee-related requests, in particular, can entail a massive amount of work and the potential for litigation makes them a risky and complex area.

For some organisations, this is water off a duck’s back; they’ve always had access requests, anticipated volume would increase after GDPR, have teams to handle them, invested in tech solutions, have access to lawyers and so on.

Great stuff, but please spare a thought for others.

Plenty of businesses have lower volumes of DSARs. They’re unable to justify, or afford, extra resources. These guys are struggling under a system that assumes one size fits all.

Then there are businesses who’ve never even had a DSAR. For them, just one request can be an administrative hand grenade.

Of course, some businesses are guilty of treating employees badly, but I wish things could be different. It’s about getting the balance right, that most elusive of things when creating regulatory regimes. Are the principles behind the DSAR important? Of course. Can the processes be improved? Definitely!

So be warned – here begins a micro-rant on behalf of the smaller guys. I’m feeling their pain.

What’s that sound? It’s wailing and the gnashing of teeth

It’s clear from our Privacy Pulse Report that DSARs are a significant challenge facing data protection professionals. One DPO told us:

“Vexatious requests can be very onerous. Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge… In my view, the ICO should focus on helping controllers to manage complex and vexatious DSARs.”

Some access requests are straightforward, especially routine requests where ‘normal’ procedures apply. However, some requests are made by angry customers or disgruntled ex-employees on a mission… and there’s no pleasing them. A troublesome minority appear to be submitting DSARs because they’re angry and want to cause inconvenience, but don’t go so far as to fall under the ‘manifestly unfounded’ exemption.

Anyhow, for all those of you out there dealing with this stuff, know that I feel your pain. Without any further ado…

My THREE biggest DSAR bugbears (there are others)

Everything!

We’re entitled to a copy of ALL our personal data (to be clear, this doesn’t mean we’re entitled to full documents just because our name happens to appear on them somewhere).

It’s true organisations are allowed to ask for clarification, and the ICO’s Right of Access Guidance provides some pointers on how to go about this.

Yet that tiny glimmer of hope is soon dashed – we’re told we shouldn’t seek clarification on a blanket basis. We should only seek it if it’s genuinely required AND we process a large amount of information about the individual.

Furthermore: “you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

Why?

Let’s take the hypothetical (but realistic) case of an ex-employee who believes they’ve been unfairly dismissed. They worked for the company for 10 years, they submit a DSAR but choose not to play along with clarifying their request. They want everything over a decade of employment.

Do they really need this information? Or are they refusing to clarify on purpose? Is this a fair, proportionate ‘discovery process’? As I’ve said before, large organisations may be better placed to absorb this; it’s the not-so-big ones who can really feel the pain. And in my experience, much personal data retrieved after hours of painstaking work isn’t relevant or significant at all.

Emails!

I get conflicted with the requirement to search for personal data within email communications and other messaging systems.

On the one hand we have the ICO’s guidance, which to summarise tells us:

  • personal data contained within emails is in scope (albeit I believe GDPR has been interpreted differently by other countries on this point);
  • you don’t have to provide every single email, just because someone’s name and email address appears on it;
  • context is important and we need to provide emails where the content relates to the individual (redacted as necessary).

If you don’t have a handy tech solution, this means trying to develop reasonable processes for retrieving emails, then eliminating those which won’t (or are highly unlikely to) have personal data within the content. This takes a lot of time.

Why am I conflicted? In running a search of your email systems for a person’s name and email address, you’ll inevitably retrieve a lot of personal data relating to others.

They might have written emails about sensitive or confidential matters, now caught within the retrieval process. Such content may then be reviewed by the people tasked with handling the request.

I suspect this process can negatively impact wider employee privacy. Yes, we’re able to redact third party details, but by searching the emails in the first place, we’re delving into swathes of other people’s personal data.

It seems everyone else’s right to privacy is thrown out in the interests of fulfilling one person’s DSAR.

It also makes me wonder; if I write a comment that might be considered disparaging about someone in an email, do I have any right to this remaining private between me and the person I sent it to? (Even if it wasn’t marked confidential or done via official procedure).

I know many DPOs warn their staff not to write anything down, as it could form part of a DSAR. I know others who believe they’re justified in not disclosing personal data about the requester, if found in other people’s communications. Which approach is right?

Time!

Who decided it was a good idea to say DSARs had to be fulfilled within ‘one calendar month’?

It wasn’t! This phrase led to the ICO having to offer this ‘clarification’:

You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request.

For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

I hope you got that.

Wouldn’t it have been easier to have a set number of days? And perhaps more realistic timescale?

Let’s take the hypothetical (but realistic) case: you receive a DSAR on 2nd December. You can’t justify an extension as it isn’t unduly complex.

Yes, I know you’re with me; bank holidays and staff leave suddenly mean the deadline is horribly tight.

I wish there was a specific number of days to respond. I wish they excluded national bank holidays and I wish there was a reprieve for religious festivals. I know, I’m dreaming.
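To make the ICO’s calendar-month rule concrete, here is an added worked example (my own illustration, not code from the ICO or from this article) that computes a response deadline the way the guidance above describes: the corresponding calendar date in the next month, falling back to the last day of that month when there is no corresponding date, and rolling forward past weekends and public holidays. It also shows the 28-day fallback the ICO mentions. The holiday dates are a constructed sample for illustration only; a real implementation would load the official bank holiday list for the relevant nation.

```python
"""Added example: DSAR deadline calculation following the ICO's calendar-month rule."""
import calendar
from datetime import date, timedelta

# Constructed sample of public holidays for illustration only (not an official list).
SAMPLE_HOLIDAYS = frozenset({
    date(2021, 12, 27),  # substitute day for Christmas Day (assumed)
    date(2021, 12, 28),  # substitute day for Boxing Day (assumed)
    date(2022, 1, 3),    # substitute day for New Year's Day (assumed)
})


def calendar_month_deadline(received: date) -> date:
    """Corresponding date in the next month, or the last day of that month if none exists."""
    year, month = received.year, received.month
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def next_working_day(d: date, holidays=frozenset()) -> date:
    """Roll forward while the date is a Saturday, Sunday or a listed public holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, holidays=frozenset()) -> date:
    """Final day for responding, per the ICO clarification quoted in the article."""
    return next_working_day(calendar_month_deadline(received), holidays)


def twenty_eight_day_deadline(received: date) -> date:
    """The consistent 28-day period the ICO suggests for operational purposes."""
    return received + timedelta(days=28)


def deadline_iso(received_iso: str, holidays_iso=()) -> str:
    """String-in, string-out wrapper so callers can pass ISO dates (e.g. from a ticketing system)."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    return dsar_deadline(date.fromisoformat(received_iso), holidays).isoformat()


if __name__ == "__main__":
    # The article's hypothetical: a DSAR received on 2nd December (2021 assumed).
    received = date(2021, 12, 2)
    print("calendar-month deadline:", calendar_month_deadline(received))
    print("after weekend/holiday roll-forward:", dsar_deadline(received, SAMPLE_HOLIDAYS))
    print("28-day deadline:", twenty_eight_day_deadline(received))
```

Note the short-month fallback: a request received on 31 January gives a deadline of 28 February (or 29 in a leap year), which is exactly why the 28-day period never overshoots a calendar month; the working-day roll-forward can, however, push the effective date past the calendar date, so the two should be recorded separately in any case-management system.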

DSARs and UK data reform

Is the UK Government going to try and address the challenges in their proposal to reform UK data protection law?

The consultation paper makes the right noises about the burden DSARs place on organisations, especially smaller businesses.

Suggestions include introducing a fee regime, similar to that within the Freedom of Information Act. One idea is a cost ceiling, while the threshold for responding could be amended. None of this is without challenges. There’s also a proposal to re-introduce a nominal fee.

On the latter point, GDPR removed the ability to charge a fee. You may recall prior to 2018 organisations could charge individuals £10 for a copy of their personal data.

Many will disagree, but I think the nominal fee is reasonable. I realise it could be seen as a barrier to people on lower incomes exercising a fundamental right. However, my thoughts are organisations wouldn’t be forced to charge. It would be their choice. They would also be able to use their discretion by waiving the fee in certain situations. It makes people stop and think: ‘do I really want this?’

Whatever transpires, I truly hope some practical changes can be made to support small and medium-sized businesses. Balancing those with individual rights isn’t easy, but that’s why our legislators are paid the big bucks.

And here, dear reader, endeth my rant!

Data Protection Officers – what does it take to do the job?

January 2022

The unique blend of traits and skills which make for a great DPO

What is it that makes a DPO effective and successful? Whether you’re recruiting or someone interested in the role, here are a few thoughts for you to chew over. I’m focussing here more on character traits, rather than the specialist knowledge & skills required for the job.

Be a good leader – not just a manager

A DPO should be a self-starter, with the energy and motivation to lead and inspire others. With the leadership skills to set the direction of travel for data protection across the organisation, laying out clear priorities and bringing others with them on the journey.

In the words of Mark Starmer (‘Will the real leader please stand up?’), leadership is all about being able to influence. This means building effective relationships with everyone from senior management to clients, customers and so on. All this helps the DPO with their quest to embed data protection principles and processes across the organisation.

If they have direct reports, they’ll need to be someone who can lead and inspire their team. This includes recognising people’s individual strengths and weaknesses, their progress and achievements. Finding appropriate and perhaps innovative ways to recognise and reward each individual.

Thirst for knowledge

Not only does a DPO need to have an excellent grasp of the relevant laws, and ideally qualifications to evidence this, but they also need to be someone who is always on a quest to learn more. Someone who is happy to spend their spare time reading new guidance, privacy articles and opinions, case law and so on. Someone with a genuine interest in the data landscape and emerging trends.

Autonomy and independence

A DPO must also be able to act autonomously, independently and objectively, as the role requires. Not only looking at what the law requires, but also considering ethical and moral issues, to work out what is the right thing to do. Acting with genuine honesty and integrity.

Robert Bond, Senior Legal Counsel at Bristows:

“Data Protection Officers must be adept and be able to adapt and adopt as circumstances require. Above all they need to implement compliance & ethics with impartiality.”

A great communicator and diplomat

Strong communication skills are vital. Taking the time to actively listen, interpret and understand others.

A DPO is likely to work with a range of staff across the organisation, plus clients and suppliers. Often working across national borders too. This requires cultural awareness and sensitivity. They need to be able to change their approach, depending on who they are talking to.

As Fedelma Good, Director at PwC UK explains:

‘DPOs need to be great communicators and above all they need to be multi-lingual. They need to be able to communicate across a broad range of stakeholders, ranging from board members to web designers and quite often they need to act as the translator to ensure that technical, legal and business specialists really do all understand each other.’

Sympathetic but strong

A good DPO will be both understanding and assertive. There’ll be times when people are tricky to handle, be it disgruntled customers or even perhaps a member of the senior management team!

The role doesn’t exist to preserve the status quo. They may need to push back against established practices (‘we’ve always done it that way’) and challenge people to think differently and find creative solutions. This takes sheer persistence and the drive to make a difference.

Confidence

A DPO should be a confident individual who is up for some straight-talking when needed. They must be ready to stand their ground. But they also need the confidence to show humility and say when they don’t know the answer. The laws are detailed and complex and no DPO can know it all.

To apply the law in practice, they often need time to think it through and deliberate. DPOs need to be clear when they need this time and need to resist the temptation (or demands) to respond immediately.

Well-organised

Sometimes everyone seems to be clamouring for a piece of the DPO. Juggling multiple conflicting priorities means being well-organised is critical. Some demands will be urgent, others important but less urgent, some can wait. That data breach always seems to happen on a Friday afternoon!

A DPO will inevitably need to do their fair share of ‘fire-fighting’ when things crop up out of the blue. They need to manage not only their diary, but colleagues’ expectations too!

Even at the busiest times, it’s also important to try and remain approachable with an ‘open door’ to anyone in the organisation.

Finding workable solutions

Because of the specialist knowledge and obligations a DPO has, they need to work hard to show the business how their role acts as an enabler for the business. Nobody wants to be seen as ‘the department of No’.

In my view this often comes back to character and communication style – being ready not only to shine a light on compliance risks but also to go the extra mile, working closely with stakeholders to find pragmatic solutions.

Taking a more flexible solution-oriented approach builds much better relationships, where the rest of the business sees the DPO as someone who doesn’t put up barriers, but will help them navigate their way to reach their goals.

This is especially important during times of change. Someone who can embrace change, stay positive and focussed and keep working towards shared goals is more likely to succeed in the end.

In conclusion

Wow, the DPO role is certainly demanding and requires a lot of positive character traits and interpersonal skills!

All nicely summed up by Matt Kay, Deputy DPO at Metro Bank:

“It goes without saying that the role of a DPO is multi-faceted requiring a broad skillset with organisations valuing certain skills more than others, and this of course differs between organisations. For me I think the key skills are stakeholder engagement, the ability to project manage, navigate conflicting priorities and being able to take a pragmatic approach. Taking risk based decisions that balance the needs of data subjects and the organisation you work for.”


Cabinet Office data breach fine – 6 key takeaways

December 2021

A data breach could be blamed on human error, when the real culprits are a lack of controls, checks and balances

The ICO has fined HM Government’s Cabinet Office £500,000 for a data breach, following the disclosure of people’s home addresses published in the New Year’s Honours List.

What went wrong and what lessons can we learn?

How did the data breach happen?

Here’s a summary – yes it’s quite dry but worth looking at. It illustrates how the devil really is in the detail when it comes to systems and end-user requirements from a data protection perspective.

  • In 2019, a new IT system was introduced in the Cabinet Office to handle public nominations for the New Year Honours.
  • The ICO investigation found the system was set up incorrectly; it was mistakenly configured to generate a CSV file which included people’s postal addresses. This should not have happened and was not a feature requested in the original build requirements.
  • Testing took place on the reports the system generated, but the postal address column went unnoticed. It’s believed this was partly due to the large number of fields in the spreadsheet and the focus being on making sure the list of successful Honours recipients was accurate.
  • Instructions were provided to staff to explain the process for running the reports. However, these were based on how the system should have been set up (i.e. the original build requirements) and didn’t include checks to make sure extraneous personal data was removed.
  • The error was identified at a later stage, but due to tight timescales to get the Honours list published, it was decided the file should be amended rather than making modifications to the IT system itself. A decision was taken to hide the postal address information; however, it was still contained within the document itself, as it had not been deleted.
  • When the list was published on the Cabinet Office website on Friday 27 December at 10.30pm, this data became visible, and people’s postal addresses were accessible.
  • Some of the data affected was already in the public domain. However, numerous postal addresses which were not in the public domain were made public.
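The bullets above describe two missing controls: nobody checked the generated report against the agreed build scope, and the unwanted column was hidden rather than deleted. The following added example (my own illustration, not code from the Cabinet Office, the ICO or this article) shows what such a pre-publication gate can look like: the export’s header is compared against an allowlist of approved columns, anything extra blocks release, and the sanitised file is produced by rewriting only the approved columns so that the extra data is genuinely absent rather than merely hidden. The column names and the CSV rows are constructed sample data.

```python
"""Added example: allowlist check on a generated CSV before it is published."""
import csv
import io

# Hypothetical agreed build scope: the only columns the published list should carry.
APPROVED_COLUMNS = ["name", "honour", "citation"]

# Constructed sample export. It contains an extra column the scope never asked for,
# mirroring the misconfigured report described in the article.
SAMPLE_EXPORT = """name,honour,citation,postal_address
A. Example,OBE,Services to education,"1 Sample Street, Exampletown"
B. Sample,MBE,Services to charity,"22 Test Road, Placeville"
"""


def unexpected_columns(csv_text: str, approved) -> list:
    """Return header columns that are not on the approved list (empty list means clean)."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    return [column for column in header if column not in approved]


def strip_to_approved(csv_text: str, approved) -> str:
    """Rewrite the CSV keeping only approved columns; extra data is dropped, not hidden."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(approved),
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def release_gate(csv_text: str, approved) -> str:
    """Refuse to release any export whose header deviates from the agreed scope."""
    extra = unexpected_columns(csv_text, approved)
    if extra:
        raise ValueError(f"export blocked: unexpected columns {extra}")
    return csv_text


if __name__ == "__main__":
    print("unexpected columns:", unexpected_columns(SAMPLE_EXPORT, APPROVED_COLUMNS))
    cleaned = strip_to_approved(SAMPLE_EXPORT, APPROVED_COLUMNS)
    print("sanitised export:")
    print(cleaned, end="")
    print("gate passes sanitised file:", release_gate(cleaned, APPROVED_COLUMNS) == cleaned)
```

The gate is deliberately strict on the header rather than trying to recognise addresses by pattern: the scope is known in advance, so any column outside it is a defect in the system configuration, regardless of what it contains. Running this check in the publication step (and in UAT against the real report output) would have surfaced the extra column before anyone reached for the “hide” option.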

Steve Eckersley, ICO Director of Investigations, said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Action taken following the data breach

Within thirty minutes of the list being published, a member of the Government Communications Team alerted the Cabinet Office to the breach.

The list was quickly republished, removing the link to the offending CSV file. However, due to the automatic caching on the gov.uk website the file continued to be accessible (seriously, caching is the bane of my life too!).

A developer finally managed to permanently delete the CSV file shortly before 1am on the Saturday morning.

I’m sure this was an, er, interesting Friday night for those involved.

Individuals affected by the breach were contacted within 48 hours via email or telephone, and a few were contacted by post.

The Cabinet Office notified the ICO within 72 hours of becoming aware of the breach in accordance with GDPR.

In its enforcement notice the ICO acknowledges that the Cabinet Office acted promptly and undertook a full incident review.

Since the breach, it is reported a number of ‘operation and technical’ measures have been implemented to improve the system security and an independent review focusing on the handling of data was completed in 2020.

You can read more detail in the full enforcement notice.

6 key takeaways

The ICO investigation and an independent review examined the Cabinet Office’s data handling practices in light of this breach. The findings provide useful tips on measures we should be considering and steps we should be taking. All of these speak to the need to take a Privacy by Design approach.

1. New systems

The review report said; “Interviewees raised a number of concerns around the procurement of new software to run their data handling processes. Some said that financial considerations meant that off-the-shelf solutions were chosen to run processes that, given their complexity, warranted bespoke solutions”.

A stark lesson: we need to make sure appropriate due diligence is conducted both at the procurement stage and when scoping the requirements for tech solutions, and ensure development accurately matches that agreed scope. We need thorough UAT (user acceptance testing). We mustn’t roll out new systems/software too quickly. Cutting corners can lead to mistakes.

Conducting a Data Protection Impact Assessment can often be a really useful way of identifying and mitigating risks from the outset.

2. Procedures and processes

Staff need to be aware of, and have access to, clear data handling procedures and processes. In this case it was found procedures were insufficient or incorrect. There was also a lack of instructions for what to do in a crisis (i.e. how to reverse publication once the breach had occurred).

Are you confident your staff know how to handle data appropriately? Are your processes regularly reviewed and updated? Have you practised or ‘war-gamed’ worst-case scenarios?

3. Out of hours incidents

It’s a bit of a cliché, but data breaches inevitably occur at the worst possible time – at the weekend or on a Bank Holiday. Sod’s law they will happen when key people are on holiday or unavailable.

The Cabinet Office suffered a breach at 10.30pm, on a Friday, in between Christmas and New Year. They aren’t the first, and certainly won’t be the last to have this happen at the worst possible time.

Does your data incident plan cover such eventualities? A common gap can be not having mobile numbers for key people and not having contact details for ‘a second in command’ if the key person isn’t available.

Credit where credit’s due – in the circumstances I think it’s impressive they managed to get in touch with affected individuals within 48 hours and got their notification into the ICO within 72 hours.

4. Time pressures

Many businesses are high-tempo, with new systems and projects putting pressure on employees to meet deadlines and deliver on time.

The review of the Cabinet Office found there was regular pressure to deliver on urgent political priorities; “The pace required to deliver on these priorities was cited by some business units and stakeholders as potentially compromising the disciplines of good personal data handling”.

Is your organisation at risk of pushing too hard to the detriment of data protection? Are people aware of the potential risks?

5. Training and awareness

The Cabinet Office had seven modules in their “Responsible for Data” e-Learning. However they were unable to provide the ICO with a clear percentage of who’d completed the training.

The regulator found employees in the Press Office and Digital Team, who were also involved in the process of the data being published, hadn’t received data protection training in the past two years.

This demonstrates the importance of not only making sure staff receive adequate, regular and appropriate training, but also why it’s important to keep records too.

6. Accountability

Do you have clear lines of accountability and responsibility? It’s a potential recipe for disaster to leave less experienced or junior members of staff to handle important jobs (especially late on a Friday night). Are senior members of staff available to sign off and check things when required?

In summary…

When I first heard of this breach back in December 2019, my heart sank for those involved in pushing the button. Would the finger inevitably be pointed at them for making such a big and very public mistake?

But I also thought, how could it have got to this stage? How could there not have been checks and balances in place throughout the process to make sure people’s private postal addresses could never be published?

In the independent review commissioned by the Cabinet Office, the following important observation is made: “Breaches, such as the one that impacted New Year’s Honours recipients in December 2019, are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically”

We all have feet of clay, and this is not an issue which will be limited to the Cabinet Office.


Privacy Management Programme – what does one look like?

October 2021

The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws.

In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.

It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.

The idea is a new ‘risk-based accountability framework’ will be introduced, requiring organisations to implement a PMP, but allowing flexibility to internally tailor the programme to suit the organisation’s specific processing activities.

What is a Privacy Management Programme?

A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth.

Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.

Core components of a Privacy Management Programme

There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like.

This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.

  • Governance

Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.

  • Assessments

Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).

  • Record-keeping

Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.

  • Policies

Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.

  • Training and awareness

Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.

  • Privacy rights

Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.

  • Protecting personal information

Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.

  • Data incident planning

Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.

  • Monitoring and auditing

Last, but by no means least, no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.

What might change?

To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.

So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme.

On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how they implement their privacy programmes to achieve the desired outcomes.

On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).

The data breach that cost Marriott £18.4 million – what went wrong?

November 2020

The humongous penalty train keeps rolling – after the £20 million fine for British Airways for GDPR violations, the Information Commissioner’s Office (ICO) has slapped an £18.4 million fine on Marriott International Inc.

In its ruling, the ICO says Marriott made multiple failures in its technical and organisational measures for protecting personal data. The case also highlights how when a business acquires another company it becomes accountable for past as well as present compliance.

An estimated (and staggering) 339 million guest records were affected worldwide, following the 2014 cyber-attack on Starwood Hotels and Resorts Worldwide Inc. It’s estimated 7 million of those affected were UK citizens.

Starwood was acquired by Marriott in 2016, and the attack went undetected until September 2018. The ICO has stressed its ruling relates to infringements after GDPR came into force in May 2018.

As the data breach was notified before Brexit, the ICO was able to act as lead supervisory authority, charged with investigating the breach on behalf of all affected EU citizens.

The penalty was signed-off by other EU data protection authorities, under GDPR’s one-stop shop mechanism for cross-border cases. Moving forward post-Brexit, the UK will no longer be part of the one-stop mechanism.

Why was the fine reduced?

In its original ‘Notice of Intention’ to fine in July 2019, the ICO set the figure at an eye-watering £99 million. The Regulator says this amount was reduced taking several factors into consideration;

  • Marriott’s representations to the ICO
  • The action the hotel group took to mitigate the breach’s impact
  • The economic impact of the COVID-19 pandemic

There are some rumblings the pandemic may be proving a handy ‘excuse’ for the ICO; COVID-19 was also cited in the reasons for reducing the British Airways fine.

This begs the question – did the ICO significantly over-estimate in their initial notices, or are they being kind-spirited due to the current financial and operating climate?

What went wrong for Marriott?

  • In 2014 unknown hacker(s) installed code onto a device in the Starwood systems. This gave them the ability to edit the contents of the device remotely.
  • This was exploited to install malware, giving the attacker privileged access. The attacker had unrestricted access to connected devices across the Starwood network. The attacker then continued to install further tools, enhancing the malicious access.
  • In 2016 Marriott acquired Starwood. The ICO’s ruling reveals Marriott was only able to carry out limited due diligence of Starwood’s data processing systems and databases prior to acquisition (those with acquisition experience will know how challenging robust due diligence can be).
  • In September 2018, the attacker made a move which finally tripped an alert. They exported a table which contained card details on which a security trigger had been set. Such alerts were not in place to automatically trigger on other data sets accessed – for example passport details.
  • Marriott notified the ICO and affected individuals in November 2018 after becoming ‘aware’ of the nature of the breach.
  • The data exfiltrated by the hacker(s) included names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty programme information.

72-hour data breach notification rules

You may note there was a significant time delay between the trigger being fired in September on Starwood’s systems and Marriott’s notification to the ICO in November.

As part of its representations Marriott challenged the ICO’s initial finding that the 72-hour breach notification rules had been infringed (GDPR Article 33).

This comes down to when a controller can be judged to be ‘aware’ a personal data breach has occurred.

In its final ruling the ICO found Marriott was incorrect to claim that;

“The GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able to reasonably conclude that it is likely a personal data breach has occurred to trigger the notification requirement.”

However, in ‘this particular case’ taking into account Marriott’s representations the Commissioner decided to make a finding that Marriott had NOT breached the notification requirements.

Key ICO findings

At a top-level there are four key findings in the ICO’s ruling. It’s worth remembering the ruling applies to the period post 25 May 2018, despite historic pre-2018 concerns.

  1. Insufficient monitoring of privileged accounts
    There was a failure to put in place ongoing network and user activity monitoring. The ICO says Marriott should’ve been aware of the need to have multiple layers of security.
  2. Insufficient monitoring of databases
  3. Failure to implement server hardening – the vulnerability of the server could’ve been reduced, for example, through whitelisting.
  4. Lack of encryption – for example, passport details were not encrypted.
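Taken together, the export trigger described under ‘What went wrong for Marriott?’ and the first two findings above come down to one design point: an alert keyed to a single table (the card data) is not monitoring of the databases, whereas an alert keyed to a data classification covers every sensitive data set, passport details included. The Python script below is an added illustration of that point written for this page; it is not taken from the ruling or from Marriott’s systems. The audit log format, table names, classifications, thresholds and account names are all assumed, and the log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample database audit log (illustrative, not from the ruling).
# Assumed line format: <timestamp> user=<account> action=<EXPORT|SELECT> table=<name> rows=<count>
SAMPLE_LOG = """\
2018-09-07T01:12:03Z user=svc_backup action=EXPORT table=guest_cards rows=48213
2018-09-07T01:15:44Z user=svc_backup action=EXPORT table=guest_passports rows=51920
2018-09-07T01:20:10Z user=frontdesk_12 action=SELECT table=reservations rows=1
2018-09-07T02:02:58Z user=svc_backup action=EXPORT table=loyalty_profiles rows=2000000
2018-09-07T02:10:00Z user=dba_ops action=EXPORT table=room_rates rows=900
"""

# Assumed data inventory: which class of personal data each table holds.
# This mapping is what a record of processing is meant to give the security team.
CLASSIFICATION = {
    "guest_cards": "payment",
    "guest_passports": "identity",
    "loyalty_profiles": "personal",
    "reservations": "personal",
    "room_rates": "public",
}

# Row count per export above which a class of data raises an alert (assumed values).
# "public" has no entry because exports of public data never alert.
EXPORT_THRESHOLD = {"payment": 100, "identity": 100, "personal": 10_000}

# Accounts with elevated database rights (assumed); alerts on these are triaged first.
PRIVILEGED_ACCOUNTS = {"svc_backup", "dba_ops"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) table=(\S+) rows=(\d+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    table: str
    rows: int


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    table: str
    data_class: str
    rows: int
    privileged: bool


def parse_log(text: str) -> Iterator[Event]:
    """Yield one Event per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, table, rows = m.groups()
            yield Event(ts, user, action, table, int(rows))


def card_table_trigger(text: str) -> list[Alert]:
    """The narrow rule: alert only on exports of the one card table."""
    return [
        Alert(e.ts, e.user, e.table, "payment", e.rows, e.user in PRIVILEGED_ACCOUNTS)
        for e in parse_log(text)
        if e.action == "EXPORT" and e.table == "guest_cards"
    ]


def classification_trigger(text: str) -> list[Alert]:
    """The broader rule: alert on any bulk export of a table holding classified
    personal data, driven by the inventory rather than a hard-coded table name."""
    alerts = []
    for e in parse_log(text):
        if e.action != "EXPORT":
            continue
        data_class = CLASSIFICATION.get(e.table, "unclassified")
        if data_class == "public":
            continue
        # A table missing from the inventory is treated as personal data until classified.
        limit = EXPORT_THRESHOLD.get(data_class, EXPORT_THRESHOLD["personal"])
        if e.rows >= limit:
            alerts.append(Alert(e.ts, e.user, e.table, data_class, e.rows,
                                e.user in PRIVILEGED_ACCOUNTS))
    return alerts


if __name__ == "__main__":
    for alert in classification_trigger(SAMPLE_LOG):
        print(alert)
```

Run as written, the narrow rule fires once and the classification rule fires three times, including on the passport table; the privileged flag marks the alerts that the first finding (monitoring of privileged accounts) would have you look at first. The rule is only as good as the inventory behind it, which is why the mapping lives in one place rather than inside each rule.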

If you are interested in the full details, you can read the full ICO Marriott ruling.

The ICO references the National Cyber Security Guidance: 10 steps for Cyber Security, which is a useful resource for any business wanting to make sure its cyber security is robust.

There’s little doubt the attack Marriott suffered was sophisticated, but the ICO says their investigation revealed how the hotel group failed to put in place appropriate security measures to address such attacks and other identifiable risks to their systems.

Impact on individuals

In its ruling the ICO took into account the nature of the personal data breached.

Despite assurances given and mitigating steps taken by Marriott, the Regulator concluded it was likely some of the affected individuals will, depending on their circumstances, have suffered anxiety and distress. The Ruling also specifically calls out the duration of the breach, lasting as it did a period of 4 years.

What can we learn from this data breach?

The number of people affected, the nature of the data maliciously accessed, the potential distress caused and the size and profile of Marriott… all of these will have played a part in the £18.4 million fine. This is a scalable problem – but for every business cyber security needs to be a priority.

When acquiring a company, due diligence is crucial both prior to and post-acquisition, and it must be an ongoing process, not a one-off activity.

The fine’s just the tip of the financial iceberg. Marriott will have spent a significant amount on rectifying the breach and mitigating the impact for affected individuals, before we even contemplate the cost of complex and protracted legal representation.

Alongside this hefty financial hit, the hotel group also faces a class action lawsuit from customers who are seeking compensation. If successful, this could prove even more costly.

It’s worth noting the fine would’ve been higher if Marriott hadn’t proactively sent email communications to affected customers, created a data breach website and set up a call centre to provide a data breach hotline.

It’s often said, because it’s true, that you can’t underestimate how crucial it is to be prepared for a data breach. That means making sure you have a robust (and tested) data incident plan, being able to effectively and quickly assess the risk posed, and having a pre-prepared communications strategy and measures to support those affected.

Commenting on the fine, the UK’s information commissioner Elizabeth Denham said;

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott says they remain committed to the privacy and security of their guests and is continuing to make significant investments in security measures for its systems. Marriott has not admitted liability for the breach, but has indicated it won’t appeal.

 

Need extra support and advice? We can support with your data incident planning and procedures. Get in touch – we can also provide rapid support should you suffer a data incident which requires effective and quick investigation.

British Airways data breach – what can we learn?

October 2020

We’ve finally heard the UK Information Commissioner’s Office (ICO) has fined British Airways £20 million for failing to protect personal and credit card data in their 2018 data breach. A breach which affected more than 400,000 BA customers and staff.

A final decision on this has been expected for some time, we just didn’t know what the figure would be until now. The amount is a fraction of the £183 million initially announced in the ICO’s notice of intention to fine. After considering BA’s representations and factoring in the economic impacts of COVID-19 it has been significantly reduced. But it’s still an eye-watering sum, in fact, the largest fine issued by the ICO.

What are the key lessons other businesses can learn from BA’s painful experience?

Information security must be taken seriously at Board level

Modern businesses rely on data more and more to provide quality services for customers and to create competitive advantage. However, the risks to personal data are numerous, varied and ever-changing. A data breach can massively harm a business’s reputation with its customers, staff and with the world at large.

It’s often said that with power comes responsibility, so businesses need to recognise their roles as guardian and protector of the personal data of their customers and employees. We have to deliver on the promises we make, for example, in our privacy notices. Any steps your business can take to properly protect personal data and demonstrate to staff and the public how seriously you take data protection will help protect them from harm and also may help you to stand out from competitors in these tough times.

Boards need to show leadership by insisting on a strong and vigilant information security regime. I guess that means they need to be prepared to fund it too! It also means asking tough questions about the levels of data protection in place across the organisation.

Rachel Aldighieri, MD of the Data & Marketing Association (DMA), believes this is a wake up call;

“Brexit and coronavirus have put businesses under immense financial strain. A fine of this magnitude will certainly get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO. This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.

“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. This message should resonate with businesses now more than ever.”

Security measures must not only be ‘adequate’ but also checked and verified

The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing their network.

Martin Turner, Managing Director at cybersecurity specialists Full Frame Technology, believes BA missed the basics:

“As with so many serious data breaches, this one was caused by a failure to adopt the most basic security measures, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication.

Login credentials for a domain administrator account were stored in plain text. Software code wasn’t reviewed effectively. These are issues that a cybersecurity audit should have revealed, and BA has yet to explain why this didn’t happen.”

The ICO has (finally) shown us it has teeth!

Could this be a turning point? It’s been a long time coming and many expected it to happen much sooner. The ICO have finally issued a BIG fine more in keeping with the expectations most of us had when GDPR came into force.

Nevertheless, you might feel the ICO has shown a measure of pragmatism, reducing the fine down so much from the original £183m. But it’s not great timing for any business to suffer a body blow like this.

It will be interesting to see what figure the ICO finally decide to fine Marriott International for their Starwood data breach, which first came to our attention around the same time as BA. The ICO’s original ‘intention to fine’ for Marriott was £99 million.

Should we think again about data breach insurance?

You might be thinking afresh about breach insurance. We’d suggest you shop around and pay attention to the fine print, as data breach insurance policies can vary more than you might imagine.

Don’t just look at the price as no two policies are the same and there is little consistency in the way policies are worded. The levels of cover and features on offer can vary significantly. Keep an eye out for exclusions!

One key differentiator you may wish to delve into is the level of support your insurer will provide in the event of a breach or a cyber attack. Do they have a team of specialists in place who will advise and help you to triage a live situation? This is one area where you might get just what you pay for.

This fine was long anticipated and the pandemic has definitely played its part in reducing the final amount. The travel sector has been badly impacted by COVID and £20 million will hit BA hard. BA may decide to appeal against it. It goes to show how important it is to have robust data protection and security measures in place.

Data Protection by Design: Part 3 – Data Protection Impact Assessments

September 2020

Getting your DPIA process on track

Deciding when to carry out a Data Protection Impact Assessment (DPIA), and understanding how to conduct one effectively, is a challenging area.

I’ve come across cases where DPIAs are not being conducted when necessary, or left incomplete. Less frequently, DPIAs are over-used, creating an unnecessary burden on key teams.

DPIAs sit at the heart of Data Protection by Design, and this is part 3 of our series, following on from:

Part 1: Data Protection by Design – The Basics

Part 2: How to approach Data Protection by Design

Just to be clear – we may be hearing the term DPIA more frequently, but it’s not a new idea – what changed under GDPR is they were made mandatory in certain circumstances. And even if not mandatory they can be a very useful tool in your data protection toolbox.

So how do you make sure your DPIA process is on track? I’ve taken a look at the key stages you should have in place, and how to get people on-board and improve their understanding.

But first things first.

What is a Data Protection Impact Assessment?

Just to recap, a DPIA is a management tool which helps you:

  • Identify privacy risks
  • Assess these risks
  • Adopt measures to minimise or eliminate risks

It’s a way for you to analyse your processing activities and consider any risks they might pose. It focuses on identifying any risks to people’s rights and freedoms, and considers the principles laid down in data protection law.

The key is to start the assessment process early so you can make sure any problems are found (and hopefully fixed) as soon as possible in any project – be this implementing a new system, designing a new app or creating new processes.

When is a DPIA mandatory?

When considering new systems, technologies or processes a DPIA should be conducted if these might result in a high risk to the rights and freedoms of individuals. A DPIA may also be conducted retrospectively if you believe there are inherent risks.

It’s mandatory, under the GDPR to conduct a DPIA in all of the following scenarios:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
  • a systematic monitoring of a publicly accessible area on a large scale

Each EU regulatory authority has published its own list of other scenarios in which a DPIA would be mandatory. You can find the UK Information Commissioner’s Office’s list in its DPIA Guidance. This includes;

  • use innovative technology (note the criteria from the European guidelines)
  • process biometric data or genetic data (note the criteria from the European guidelines)
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (note the criteria from the European guidelines)
  • track individuals’ location or behaviour (note the criteria from the European guidelines)
  • profile children or target marketing or online services at them – it’s also worth checking the new ‘Children’s Code’ aimed at protecting children online

When a DPIA is not mandatory… but a good idea

The ICO says it’s “good practice to do a DPIA for any other major project which requires the processing of personal data.” Here are some examples of where it might be advisable to conduct a DPIA, if your processing;

  • would prevent or restrict individuals from exercising their rights
  • means disclosing personal data to other organisations
  • is for a new purpose (i.e. not the purpose the data was originally collected for)
  • will lead to transfer of personal data outside the European Economic Area (EEA)
  • involves contacting individuals in a manner which could be deemed intrusive.

What the ICO expects you to do

The ICO DPIA guidance has a handy checklist of areas to focus on:

  • provide training so staff understand the need to consider a DPIA at the early stages of any plan involving personal data
  • make sure existing policies, processes and procedures include references to DPIA requirements
  • understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary
  • create and document a DPIA process
  • provide training for relevant staff on how to carry out a DPIA

How to build a robust DPIA process

So how do you go about fulfilling the ICO’s expectations above? Here are some steps to take.

A. Getting Board / Senior Management buy-in

Growing awareness and buy-in from across the organisation is crucial. It can be helpful to highlight why DPIAs are a good thing, for example;

    • they’re a warning system – they alert compliance teams, and the business as a whole, of risks before they occur. Prevention is always better than cure
    • by identifying risks before they’ve an adverse impact, DPIAs can protect you against potential damage to your brand reputation, e.g. from complaints or enforcement action
    • they help management make informed decisions about how your processing will affect the privacy of individuals
    • they show you take data protection seriously and provide evidence, should you need it, of your compliance

Training is also important, and I’ll come on to this in a bit, but first you need to make sure your process is fit for purpose…

B. Creating a screening questionnaire

Create a quick set of questions for business owners or project leads to use, which help to identify if a DPIA is required or not.
These can ask about the type of personal data being used, whether it entails any special category data or children’s data, what the aim of the project is and so on.

The answers can be assessed to judge whether a more detailed assessment is really required or not. (It can also show where more training might be needed, if people struggle to answer the questions).

C. The DPIA itself

You need to develop a robust process for conducting a DPIA. The ICO has a template you can use, but it’s a good idea to adapt this to suit your business. Make sure it’s easy to understand and not full of data protection jargon.

These are the core aspects it needs to cover:

    • describe the processing you are planning to do – its nature, scope, context and purposes
    • assess its necessity and proportionality
    • identify and assess any risks
    • identify solutions and integrate them into a plan
    • sign off and record outcomes
    • implement risk control plans
    • and finally, keep your DPIA under review

Let’s look at these seven key stages in a little more depth…

1. Describe your processing

These are some of the type of questions you’d want answers to (this is not an exhaustive list):

    • how is personal data being collected/used/stored and how long it is retained for?
    • what are the source(s) of the personal data?
    • what is the relationship with individuals whose data will be processed?
    • what types of personal data does it involve, does this include special category data, children’s data or other vulnerable groups?
    • what is the scale of the activity – how many individuals will be affected?
    • is the processing within individuals’ reasonable expectations?
    • will data be transferred to a third party and is this third party based outside the EEA?
    • what risks have already been identified?
    • what are the objectives? Why is it important to the business and / or beneficial for individuals?

2. Necessity and proportionality

Consider the following questions (again, this is not an exhaustive list):

    • what is the most appropriate lawful basis for processing?
    • is there another way to achieve the same outcome?
    • have you ensured that the minimum amount of personal data is used to achieve your objectives (i.e. data minimisation)?
    • how can you ensure data quality and integrity is maintained?
    • how will you inform individuals about any new processing?
    • how will individuals’ rights be upheld?
    • are any processors used and if so how will you ensure their compliance?
    • how will international transfers be protected, what safeguard mechanisms will be used?
    • who will have access to personal data, does this need to be restricted?
    • where will data be stored and how will it be kept secure?
    • how long will data be retained and how will data be destroyed when no longer required?
    • have the relevant staff received appropriate data protection training?

3. Identify and assess the risks

Identify any privacy issues with the project and associated risks. These may be risks to the individuals whose data is being processed, compliance or commercial risks.

Is there potential for harm, whether this be physical, material or non-material? A DPIA should ideally benchmark the level of risk using a risk matrix which considers both the likelihood and the severity of any impact on individuals.

You don’t have to eliminate all risks, but they should be documented, and any residual risks need to be understood and, if appropriate, accepted by the business.

If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

4. Identify solutions and integrate into a plan

Develop solutions which will eliminate or minimise privacy risks and then consider how these solutions impact on the project.

It can be helpful to use the established ‘four strategies for risk management’ (the 4Ts), i.e.

    • Treat the risk, i.e. adopt measures to minimise or eliminate the risk
    • Transfer the risk, e.g. outsource the processing
    • Tolerate the risk, e.g. accept it if it’s within the organisation’s accepted level of risk
    • Terminate it, i.e. stop that specific processing or change the process in such a way that the risk no longer exists

5. Sign off and record outcomes

Someone must sign-off that the DPIA is complete and be accountable for any residual risks. It’s a good idea to log residual risks in your Risk Register.
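As an added worked example of stages 3 to 5 (written for this page, not taken from the ICO template or from any real DPIA), the Python below scores each risk on an assumed 3×3 likelihood and severity matrix, applies one of the 4Ts, re-scores the residual risk, builds the register entry for sign-off, and flags when a residual high risk means you must consult the ICO before the processing starts. The app, the risks and the measures are constructed for illustration, and the scale is one choice among many.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 3x3 matrix. The ICO guidance does not prescribe a scale; pick one and document it.
LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}

TREATMENTS = {"treat", "transfer", "tolerate", "terminate"}  # the 4Ts


def risk_level(likelihood: str, severity: str) -> str:
    """Stage 3: benchmark a risk from likelihood x severity of impact on individuals."""
    score = LIKELIHOOD[likelihood] * SEVERITY[severity]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    description: str
    likelihood: str
    severity: str
    treatment: str                               # one of the 4Ts
    measure: str = ""                            # control adopted, or reason for tolerate/terminate
    residual_likelihood: Optional[str] = None    # re-scored after the measure is applied
    residual_severity: Optional[str] = None


def residual_level(risk: Risk) -> str:
    """Stage 4: residual risk after the chosen treatment. Tolerated risks keep their
    inherent level; terminated processing leaves no residual risk at all."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {risk.treatment}")
    if risk.treatment == "terminate":
        return "none"
    if risk.treatment == "tolerate":
        return risk_level(risk.likelihood, risk.severity)
    if risk.residual_likelihood is None or risk.residual_severity is None:
        raise ValueError("treat/transfer requires a residual re-score")
    return risk_level(risk.residual_likelihood, risk.residual_severity)


def dpia_outcome(risks: list) -> dict:
    """Stage 5: record outcomes. Any residual high risk means prior consultation
    with the ICO before processing starts; every residual risk goes to the register
    so the signatory can see exactly what they are accepting."""
    register = []
    for r in risks:
        register.append({
            "risk": r.description,
            "inherent": risk_level(r.likelihood, r.severity),
            "treatment": r.treatment,
            "measure": r.measure,
            "residual": residual_level(r),
        })
    consult = any(entry["residual"] == "high" for entry in register)
    return {"consult_ico": consult, "register": register}


# Constructed sample risks for a hypothetical location-based loyalty app.
SAMPLE_RISKS = [
    Risk("Precise location history shared with analytics processor",
         "probable", "severe", "treat",
         "Coarsen to postcode district, 30-day retention, processor contract with audit right",
         residual_likelihood="possible", residual_severity="minimal"),
    Risk("Re-engagement emails to lapsed members", "possible", "minimal", "tolerate",
         "Within risk appetite; existing opt-out honoured"),
    Risk("Under-18 profiles used to train recommendations", "probable", "severe", "terminate",
         "Exclude minors from the feature entirely"),
]

# A risk whose control does not bring it below high: the DPIA cannot be signed off on its own.
UNMITIGATED = Risk("Matching app data with third-party purchase records", "probable", "severe",
                   "treat", "Opt-in screen added",
                   residual_likelihood="possible", residual_severity="severe")

if __name__ == "__main__":
    outcome = dpia_outcome(SAMPLE_RISKS)
    print("consult ICO:", outcome["consult_ico"])
    for entry in outcome["register"]:
        print(entry)
```

The register is the artefact the signatory puts their name to; keeping the inherent level, the measure and the residual level side by side is what lets someone later answer ‘why did we accept this?’. Adding the unmitigated risk to the list flips the outcome to ‘consult the ICO’, which is the stage 3 rule above applied mechanically rather than by memory.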

6. Implement risk control plans

7. And finally, keep your DPIA under review

There’s also lots of useful content on this in the ICO’s DPIA Guidance.

D. Awareness and Training

Once you have your questionnaire and DPIA process ready to go, it’s time to make sure people know about it! If people aren’t aware they’ll be busy doing fabulously innovative things, not considering the potential data protection issues and impact on people’s privacy.

Making sure your teams know what a DPIA is, in simple layman’s terms, is an important step – building an understanding about why it’s important and the benefits to the business as a whole.

Creating short, easy to understand, guidelines and raising awareness via other means helps reinforce the message that DPIAs are a good thing and people need to think data protection in their day to day work.

It’s also important to develop people’s skills. After all, the DPO (or the team/person responsible for data protection) can’t do this single-handed. You need key people to know;

    • what a DPIA entails
    • how to answer the questions
    • what types of risks to look out for, and
    • what types of solutions will mitigate any identified risks

Holding workshops with relevant staff to discuss how you conduct a DPIA, and / or perhaps run through an example, can help improve people’s skills. My key tip would be to try and not over-complicate things and to keep it straightforward.

In summary, whether you are required by law or not to complete a DPIA they are a useful way to make sure data protection is considered from the outset, with no nasty surprises just before your project launches!

“But it’s essential that we go live on Friday!” If I had a penny for every time I’ve heard this one. If only they’d known, or thought of, speaking to the people responsible for data protection.

Often a DPIA won’t be required, but there’ll be times when it’s mandatory or just a very good idea.

 

Data Protection team over-stretched?  We can review your existing DPIA process or help you to develop one. We can also do remote DPIA workshops for key members of your teams – Get in touch