Five Data Protection Essentials

June 2023

What we can't survive without

On Radio 4’s Desert Island Discs, guests are asked to choose eight songs, a luxury item and a book they couldn’t live without. The less glamorous version is Privacy Island Discs, where we choose just five essentials for data protection survival.

Although you might choose differently, here are my five ‘must haves’, plus a luxury item and a ‘good’ read.

Privacy Survival Kit

1. Understand our data

What key sets of personal data do we have and how are our people using them?

Without knowing this we can’t get a handle on any potential data protection risks. Even if we don’t fall under the mandatory requirement to create and maintain a ‘record of processing activities’, it never hurts to map out what data we have and create a record.

Even a simple version will do: what data we hold, what it’s used for, who it’s shared with and how long we keep it. Down the line, this sort of reference tool is invaluable in the event of a data breach, privacy rights request or other issue.

2. Training, awareness & guidance

We can’t expect our people to protect personal data and keep it secure if we don’t guide them

We need to train employees in how we expect them to behave, empowering them to make sensible and reasoned decisions.

They need enough knowledge to handle most situations in their role, to raise a query when they’re unsure and to raise an alarm when necessary. And often, what they need to know will differ depending on their role.

Good data protection training and clear data policies and procedures are essential. Clearly this can be proportionate to organisational requirements and the type of data held.

As a starter:

  • Do people know what a suspected data breach looks like and the most common causes? Do they know what to do if they suspect one has happened? Do they know they won’t be punished if they make a mistake?
  • Do people know what privacy rights we all enjoy, such as the right of access, right to object, right to erasure? Again, do they know what to do if they receive a request?
  • Have they ever considered if their processing is fair and lawful?
  • Do people have clear guidance for secure storage and sharing of personal data?

Annual online data protection training which doesn’t feel relevant, a dry data protection policy which no one reads and/or knows where to find, and no clear rules about basic data security all mean mistakes are more likely. Remember, more than three quarters of reported breaches are the result of human error.

Try to avoid making this a ‘tick-box’ exercise by creating easy to understand policies and guides. Get the Comms or Marketing team involved in raising awareness as an ongoing exercise. Use mistakes and organisational learning to reinforce key messages. See also our guide on how to focus data protection training.

3. No surprises!

Give people information about how we use their personal data

Transparency is a key principle underpinning data protection law. We’re told we need to be honest and open about how we collect and use people’s personal information.

A privacy notice (aka privacy policy) is an absolute must have; UK / EU GDPRs set out what we must include. It may be the least visited page on our website, but not for complainers and regulators! A ‘vanilla’ notice copied from another website is unlikely to cut the mustard. For more on this see our Privacy Notice Quick Guide.

This also takes us back to my first must have; if we don’t know what data we hold and what it’s used for we can’t really have a privacy notice which truly reflects what we do.

4. Data sharing

Be open about data sharing and do it securely

Often, we need to share personal data with our colleagues and other organisations. Will people be surprised their data is being shared, are we only sharing what’s absolutely necessary and are we sharing it securely?

Our 10-point data sharing checklist has some useful pointers when sharing data with other organisations who’ll use the data for their own purposes (controllers).

If we’re permitting third parties such as service providers and technology vendors to handle our data, there are very specific contractual requirements. See our guide: Data protection and our suppliers.

Cyber-attacks on the MOVEit file transfer software (affecting payroll provider Zellis) and on Capita illustrate how important it is to be on top of our supply chain contracting and due diligence. A few years back, a breach at the survey provider Typeform impacted hundreds of different organisations who used its services.

And this is before we even get started on the murky and complex world of International Data Transfers. But never fear, if the plethora of acronyms and jargon are making your head explode, you can tune in on 20 July as we Demystify International Data Transfers and/or read our International Data Transfers Guide.

5. Be prepared for the worst

Have a plan!

When a significant data breach happens, the first 24 hours can be crucial in reducing potential fallout. Thinking ‘we’ll deal with it when it happens’ isn’t a plan at all – it’s a recipe for disaster. The 72-hour clock for notifying the Supervisory Authority of a reportable breach starts when we become aware of it, and can evaporate fast – especially if it happens on a Friday or during a holiday period!

Even a simple procedure covering the key people who’ll investigate, make decisions and answer core questions, plus a clear method for assessing the risk, will mitigate internal panic. See our Data Breach Guide or listen to our tackling data breaches webinar.

My luxury privacy island item

Now, this shouldn’t really be a luxury, and may sound familiar to some readers. My luxury item is a CEO who genuinely recognises data protection is quite important. (Hmmm… are we stuck together on privacy island?)

Oh, and for a light beach read I’m taking the ICO’s Right of Access Guidance.

Honest.

Cookie compensation demands

June 2023

A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office.

It’s not ransomware or a phishing attempt.

No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official looking, legally-laden letters being received by companies. The simple message: your cookies are non-compliant, this is distressing me and I want money from you.

And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters. They aren’t complaining to a regulator, they’re coming straight to your front door or in-box.

Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck.

For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools which you can just pop a website domain name into, and hey presto! A scan is run, and the results returned, revealing any cookie sins you may have committed.
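As an added example (not code from the original post or from any scanning tool), here is a stripped-down version of the first check those free tools perform: take the Set-Cookie headers returned to a fresh, consent-free client on its very first request and sort each cookie into strictly necessary, non-essential or unknown. The sample headers, the cookie names and the two classification lists are constructed for the example and are assumptions, not an official list; a real scan would also capture cookies set by embedded third-party scripts, which a server’s own Set-Cookie headers do not show.

```python
"""Pre-consent cookie check (added example, not from the original post).

Models what a cookie scanner does first: fetch the landing page with a
cookie-less client and record every Set-Cookie header received *before* any
consent banner has been interacted with, then classify each cookie by name.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Names commonly treated as 'strictly necessary' (session state, CSRF
# protection, the consent-state cookie itself). Assumption: illustrative
# patterns for this example, not a regulator-approved list.
STRICTLY_NECESSARY_EXACT = {
    "sessionid", "PHPSESSID", "JSESSIONID", "csrftoken", "cookie_consent",
}

# Prefixes used by widely documented analytics / advertising cookies; these
# need consent before being set. Assumption: illustrative, not exhaustive.
NON_ESSENTIAL_PREFIXES = ("_ga", "_gid", "_gat", "_gcl", "_fbp", "_hj", "__utm")

# Constructed sample: Set-Cookie headers as a first response might return them.
SAMPLE_PRE_CONSENT_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz789; Path=/; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "Path=/; Domain=.example.org",
    "_gid=GA1.2.987654321.1700000000; Max-Age=86400; Path=/; Domain=.example.org",
    "_fbp=fb.1.1700000000000.1234567890; Max-Age=7776000; Path=/; "
    "Domain=.example.org",
    "theme=dark; Path=/",
]


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict[str, str] = field(default_factory=dict)

    @property
    def persistent(self) -> bool:
        """A cookie outliving the browser session has Expires or Max-Age."""
        return "expires" in self.attributes or "max-age" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ;-separated
    attributes. Splitting on ';' (not ',') keeps the comma inside an
    Expires date intact. Attribute names are lower-cased; flags get ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attributes)


def classify(cookie: Cookie) -> str:
    """Name-based classification; 'unknown' means a human must check purpose."""
    if cookie.name in STRICTLY_NECESSARY_EXACT:
        return "strictly-necessary"
    if cookie.name.startswith(NON_ESSENTIAL_PREFIXES):
        return "non-essential"
    return "unknown"


def pre_consent_report(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Group the names of cookies set before consent by classification."""
    report: dict[str, list[str]] = {
        "strictly-necessary": [], "non-essential": [], "unknown": [],
    }
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        report[classify(cookie)].append(cookie.name)
    return report


def consent_required(set_cookie_headers: list[str]) -> list[str]:
    """Cookies that should not have been set without consent; a non-empty
    list is exactly what a compensation letter will point at."""
    return pre_consent_report(set_cookie_headers)["non-essential"]


if __name__ == "__main__":
    for category, names in pre_consent_report(SAMPLE_PRE_CONSENT_HEADERS).items():
        print(f"{category:20s} {names}")
    print("set before consent, consent required:",
          consent_required(SAMPLE_PRE_CONSENT_HEADERS))
```

The ‘unknown’ bucket matters as much as the ‘non-essential’ one: a scanner cannot tell from the name alone what a cookie does, and neither can a claimant, so anything in it needs its purpose recorded in the cookie notice before someone else decides for you.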

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be it’s not compliant with UK GDPR / Privacy and Electronic Communications Regulations (PECR).

The letters often assume personal data is captured by the cookies – which may or may not be true. However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress.’

As for how much – this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them, and never hear from the complainant ever again. Others are standing their ground and asking for evidence of distress or damage. While some take a look at their cookies and similar tech and think, okay, fair cop we aren’t compliant so we’ll pay.

If you pay out, you still need to get your cookie house in order quickly. If you don’t, they could be back in a few months’ time pointing at the same unresolved issues.

What are the cookie rules?

Before we blame GDPR: in the UK, the rules for cookies and similar technologies are set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive.

In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example, website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws.) The French regulator, CNIL, by contrast exempts audience-measurement (statistics) cookies from consent, but only under strict conditions, such as producing aggregate statistics only and no cross-site tracking.

When GDPR came into effect in 2018, consent needed to meet a higher standard. The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is that under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly, under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only real protection against a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what type of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Alternatively the options are to ignore, stand your ground or pay out.

I’ve heard a little rumour, one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.

Data Protection Impact Assessments: 10 Tips

How to get your DPIA process on track

Do teams know when a Data Protection Impact Assessment should be conducted? Are you carrying out too many, or too few?

Don’t make DPIAs an onerous box ticking exercise. If DPIAs are solely seen through the prism of compliance, they’ll be seen as a burden. They may be attempted half-heartedly or left inadequately completed.

If this is happening it’s time to shout about what a valuable tool they are!

Assessing potential data protection risks from the start of a project acts as a handy warning system for the business and protects those whose personal information is involved from unnecessary risks. DPIAs help to identify risks in advance, before they can potentially become a bigger problem.

10 tips for getting your DPIA process on track

1. Create a DPIA screening questionnaire

Put together a set of questions for business owners and/or project leads to use, which help to identify if a DPIA is required or not for their particular project or activity.

This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they aren’t necessary.

2. Identify types of projects likely to need a DPIA

In some situations DPIAs are mandatory under UK/EU GDPR, in others they may be a ‘good to do’. So, it’s helpful to set out some clear guidelines which explain your organisation’s position on this. When does your business consider it appropriate to carry out a DPIA?

For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third party ad tech providers? Does the project involve children or special category data? Are you transferring data outside the UK/EEA? And so on.

3. Don’t forget your marketing related activities

It can be easy to forget marketing related activities could require or benefit from a DPIA. If marketing could result in a ‘high risk’ to individuals it’s likely you’ll need to do an assessment of the data protection risks. Here are some examples:

    • ‘large scale’ profiling of individuals for marketing purposes
    • matching datasets for marketing purposes
    • processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
    • using geo-location data for marketing purposes
    • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
    • targeting children or other vulnerable individuals for marketing purposes.

4. Design an easy-to-use DPIA process

You’re unlikely to reap the benefits if you have an unwieldy DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical, usable DPIA template which is as straightforward as possible for people to follow.

The ICO has published a DPIA template, but there is nothing to stop you adapting this to suit your business. You may also choose to have a simplified version for less complex projects.

Does your process help your teams to identify and assess privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.

5. DPIA training

Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walk them through the process, what sort of risks to look out for, and so on.

The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO in their DPIA guidance specifically mentions the need to provide specialist training.

6. Awareness

If teams don’t know what DPIAs are, they may push forward with new projects and innovations, and fail to consider the potential data protection issues. This may come back to bite you just before a project launches… or worse afterwards if you receive a complaint, breach and/or regulatory scrutiny.

Once all your ducks are in a row; when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.

7. Start early

Talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them early on.

8. Collaborate

A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays.

Engage business and project management stakeholders at an early stage, so you can scope out the processing and start to identify any potential privacy risks, and consider mitigating measures.

9. Keep revisiting your DPIA

Throughout the different stages of a project keep an ongoing dialogue with stakeholders, especially with Agile projects which may expand over time. Check if new ideas or new developments have a data protection impact.

10. Review

Once a DPIA is completed, set review dates, so you can check if things have changed.

For instance, you may have developed a new app, and six months later you want to improve the functionality, adding new features – what data protection issues could this raise?

Also keep your screening questionnaire, template and guidelines under review; there will always be enhancements you can make to make them more effective. Why not ask teams for feedback on how they can be improved?

DPIAs can feel a bit daunting, but the more familiar people are with the process, the risks they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.

Privacy Notices Quick Guide

The right to be informed

All businesses need an external facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information.

Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements for our Privacy Notices.


DPOs and conflict of interests

EU Court of Justice says businesses should conduct assessment

I was recently mulling over with colleagues whether someone could be both the CEO and Data Protection Officer, along with another client query about whether someone could wear two hats; Consumer Services Manager and DPO.

UK/EU GDPR specifically tells us a DPO ‘may fulfil other tasks and duties’, but says the controller or processor must make sure ‘any such tasks and duties do not result in a conflict of interests’.

So, I read with some interest the recent judgement from the EU Court of Justice about the role of a DPO and the risk of a conflict of interests. (Albeit, it probably doesn’t say any more than we already suspected).

The court confirms DPOs should be ‘in a position to perform their duties and tasks in an independent manner’. This means they should not be carrying out tasks or duties which would result in them determining the objectives and methods of processing personal data within the organisation.

Where an individual may have two, or multiple roles (including DPO), organisations are urged to make an assessment of whether there’s a potential conflict of interests. This should be done on a case-by-case basis taking into account all relevant circumstances, including organisational structure.

What matters is what happens in practice. If a DPO has two roles, the organisation needs to make sure there are clear rules in place to avoid, or limit, any conflict of interests arising. (And it’s not the DPO’s job to try and resolve this).

If a DPO’s other job means they have responsibility for the data processing itself, there’s likely to be a conflict. But, in practice this may be a difficult line to draw.

The law also tells us a DPO cannot be dismissed for or penalised for performing DPO tasks. However, DPOs could be dismissed from the role if they are unable or no longer able to carry out their duties and tasks in an independent manner.

So, can a CEO also be a DPO? Probably not; it’s far from ideal. Can a Customer Service Manager also be a DPO? Possibly, if the different roles are clearly defined.

The European Data Protection Board’s DPO guidance gives us a bit of a steer. This says conflicting positions within an organisation may include ‘senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)’. This may extend to ‘other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.

Clearly if you’re a smaller business, but judge you should have a DPO, it may prove challenging to appoint a suitable person where a conflict doesn’t arise, with limited numbers to choose from. One would hope any regulator would take size and resources into account.

It’s probably a good idea to follow this judgement and conduct an assessment. Clearly set out what the different roles entail, document your decision and be ready to defend it if you have to.

With all of this it’s worth remembering:

  • the law sets out specific tasks and duties a DPO must perform
  • not every business needs a DPO!

Read our DPO myth buster covering who needs a DPO and what the role entails. And don’t forget changes may be on the horizon under the UK Data Protection and Digital Information Bill. This could require UK businesses to appoint a ‘Senior Responsible Individual’ for data protection.

Data protection and our suppliers

February 2023

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers: those acting as our processors, supporting our business.

Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common) can become onerous. It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first.

Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch: a data breach. How quickly and fully will they notify us, and how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:

  • Do they have a DPO or another individual in the business responsible for data protection?
  • Can they provide evidence of data protection policies and procedures?
  • Have they experienced a data breach before?
  • What information security procedures do they have in place?
  • How regularly are their security measures tested?
  • Do they hold any form of certification?
  • In which country/region will the data be processed?
  • Who are their sub-processors and where do they process the data?

The above is by no means an exhaustive list.

2. International Data Transfers 

There are additional considerations if international data transfers come into play. If we’re sharing data (or allowing it to be accessed) by a supplier in a third country, we need to check what safeguards need to be in place.

For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs). There’s also the relatively new requirement to conduct a transfer risk assessment, and consider if additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept?

UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO have published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions –  Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent?

It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

For suppliers considered a higher risk, it may be prudent to routinely audit them. In doing so it’s important to be clear which aspects of the supplier’s business need to be scrutinised.

Creating a framework which is tuned and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data are handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out when the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

7. Certification – in the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into privacy information management) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating using multiple suppliers. As the saying goes ‘you can only eat an elephant one bite at a time’, the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.

Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy. 

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with: 

1.     Do I need to worry about data protection regulation? 

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all and it will depend on the risk appetite of your organisation.

2.     Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis. 

3.     Do I need a RoPA (Record of Processing Activity)

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Organisations with 250 or more employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA, but only if all of the following apply:

  • The processing is not likely to pose a risk to the rights and freedoms of data subjects
  • No special category data (or criminal convictions and offences data) is being processed
  • The processing is only occasional

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO’s RoPA template is not required.

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4.     Do I need to register with ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not for profit status is a possible example. 

5.     Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6.     How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step by step set up guides. There is really no excuse not to have a cookie notice. 

7.     What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them? 

8.     What about Individual Rights? 

Yes. Every individual has clear rights and irrespective of the size of the organisation you need to fulfil these requests. 

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these rights will apply to every small business (portability, for instance, only applies to data processed by automated means on the basis of consent or contract), but it’s important to decide in advance how to recognise and respond to each type of request from individuals.

9.    Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money, but not a lot: the basic self-assessed Cyber Essentials certification starts at £300 plus VAT for the smallest organisations, with the price rising on a sliding scale by organisation size (Cyber Essentials Plus, which adds an independent technical audit, costs more). The five technical controls are:

  • Boundary firewalls and internet gateways.
  • Secure configuration.
  • Access control.
  • Malware protection.
  • Patch management.

10.  What about International Data Transfers? 

Hopefully no! If you and your suppliers only store and process personal data in the UK and the EEA, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When the EU-US Privacy Shield was invalidated in 2020 (the Schrems II judgment), this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to work only with companies based in the UK or Europe that do not export data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three, and the reality is that they are not going to change their terms for you. Your choice is to use them on their standard transfer terms, recording in your own documentation which transfer mechanism they rely on (for UK data, typically the ICO’s International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses), or to choose not to use them.

Conclusion

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements regularly and watch for any more complicated processing that emerges. For instance, anything involving automated decision-making, special category data, AI or children’s data carries significant risk and should be treated with care, and will usually call for a data protection impact assessment before it starts.

There’s more helpful information available on the ICO’s Small Business Hub.

Takeaways from Meta’s huge fine

January 2023

Digital advertising faces significant changes in the wake of the latest fine to be levelled at Mark Zuckerberg’s Meta.

The Data Protection Commission (DPC) for Ireland has fined Meta (Meta Platforms Ireland Limited) a huge €390 million. It ruled that Meta’s reliance on contract terms as the lawful basis for personalised advertising on both Facebook and Instagram is invalid.

On top of the fine the DPC has given Meta three months to comply with its interpretation of the EU GDPR.

What does this mean for social media advertising?

Behavioural advertising on the Facebook and Instagram platforms is targeted using user-profile information. It’s based on people’s online activity and other details they share with the platform. This helps advertisers to target individuals based on location, hobbies, interests and other behaviours.

This latest ruling calls into question whether social media platforms must seek their users’ prior opt-in consent for behavioural advertising, rather than rely on the contractual terms people sign up for to use the platforms.

If social platforms switch to opt-in consent, users will inevitably gain far more control over the adverts they see. On the flipside, the number of individuals available for targeting by advertisers is likely to decline. This would have a big impact on the marketing mix for many companies.

What’s behind the Meta ruling?

The DPC’s investigation stretches back to complaints originally raised on the very first day the EU GDPR came into force, 25 May 2018. From the outset, it was argued that Facebook’s (now Meta’s) processing for personalised advertising was unlawful.

Significantly, shortly before May 2018, Facebook Ireland updated both Facebook’s and Instagram’s Terms of Service. ‘Implicit consent’ had previously been relied on for behavioural advertising, but with consent much more onerous to achieve under GDPR, there was a switch to relying on contract as the new lawful basis for the ads.

Users were asked to click ‘I accept’ to the updated Terms of Service and, in doing so, accepted behavioural advertising by default as part of the service package. The platforms simply would not be accessible if users declined. The Irish DPC has now rejected contract as a valid lawful basis for behavioural advertising.

This ruling follows a lot of uncertainty and disagreement between the DPC, other EU regulators and the European Data Protection Board (EDPB) over the use of contract as a lawful basis for this type of advertising.

The Chair of the EDPB, Andrea Jelinek, said: ‘The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.’

This latest ruling represents a U-turn by the DPC, which has now stated that its decisions ‘reflect the EDPB’s binding determinations.’

This is not Meta’s only fine. In September 2022, the DPC fined Meta €405 million over its handling of children’s data on Instagram, including allowing minors to operate business accounts that published their contact details, and there have been others. Unsurprisingly, Meta plans to appeal both of the DPC’s latest decisions.

Key takeaways for digital advertising

  1. The burning question is ‘Can I still run ads on Facebook & Instagram?’ Technically yes – the ruling applies to Meta, not its advertisers. Meta, for its part, said: ‘These decisions do not prevent personalised advertising on our platform.’ However, using these platforms is not without potential risks for advertisers, who remain responsible for their own lawful basis for any data they upload to them.
  2. Data protection by design is paramount for digital advertisers. There’s a regulatory expectation that the interests, rights and freedoms of individuals are respected. Platforms need to evidence that these considerations have been taken into account.
  3. Users must be given a real choice. They must be able to receive adverts without tracking, profiling or targeting based on personal data. They must be given meaningful control, and the platforms must be able to demonstrate that user choice exists throughout the data lifecycle.
  4. Accountability is key – there should be genuine transparency around how and why personal data is processed and who is responsible for that processing.

Max Schrems, privacy activist and honorary chair of noyb, said: ‘People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.’

Estelle Massé, Global Data Protection Lead at Access Now, said the decisions are ‘hugely significant’ for online companies that rely on targeted ad revenues. She said they should look at whether the way they deliver ads online is ‘legal and sustainable.’