Our data, tech and the app-ocalypse

January 2024

In 2013, after Edward Snowden leaked thousands of secret files, the Kremlin’s security bureau did something interesting. They swapped computers for manual typewriters. Russian spooks reasoned hard copies were easier to protect than digital files. Furthermore, hackers might be able to infiltrate sensitive systems, but the old-school art of safe-cracking? It seemed to have fallen by the wayside.

As I get older, I’m beginning to think the Kremlin might have been onto something. Why?

Maybe it’s a generational issue. I’m Gen ‘X’. I grew up without mobile phones or the internet, but became familiar with the technology as it developed from the 1990s onwards. I enjoy technology. I respect it. I’m also, however, sceptical in a way many of my Millennial and Gen ‘Z’ colleagues may not be.

For me it boils down to two concerns – trust and over-reliance. Given how there’s now an app for everything, I have to ask – is the App-ocalypse Nigh? What happens to the increasingly personal and intrusive levels of personal data entered into these ‘everything apps’?

Just because data’s aggregated into zeros and ones, it doesn’t mean it’s ‘tidy’. In fact, I suspect too many digital ‘data warehouses’ resemble the hoarder’s houses you might have seen on daytime TV, with stuff scattered everywhere.

It’s not just apps – the endless requirement to populate online forms is relentless. Now I hear more ‘frictionless facial recognition’ is planned at airports in the UK and elsewhere. And it’s making me uneasy. Technology is wonderful for creating efficiencies and streamlining processes. In my world alone, I see how clever privacy technology solutions ease the burden of data protection compliance.

But is technology always wonderful? Why am I uneasy?

An example – I needed to renew my driving licence. I went on to the Government website and duly entered a great deal of sensitive data. This included my passport number, my mother’s maiden name, my date of birth, my home address and my National Insurance number. This started me thinking… ‘How secure is this platform? What are the Government really doing to prevent my data falling into malicious hands?’

At the other end of the scale, I needed to reschedule a beautician’s appointment (much needed after eating my body weight in chocolate and cheese over Christmas). My call was met by a recorded message. I duly pressed ‘2’ to cancel/change an appointment. I was then informed I must (yes, they did say must) download the app to cancel/change appointments. A look at the app’s privacy information didn’t fill me with confidence, so I rang again, selecting ‘3’ for all other enquiries. After ten minutes of listening to promotions about fantastic rejuvenating treatments, I gave up. What if I prefer not to be forced to register and share my personal details via your app? I’m getting a face treatment, not applying for a pilot’s licence!

At this point, a shout out to the Kennel Club’s customer service. I took out their insurance for my puppy this year. They’re great. I’ve had to call twice, and each time a prompt pick-up from a lovely human. Somewhat of a rarity these days.

I recently read EasyPark Group, the owner of brands like RingGo and Park Mobile, were hacked. Yes, like many others I have RingGo. I was forced to download the app to use a station car park – there was no choice. I also have other parking apps. Oh the joys of standing in the rain in a car park trying to download yet another parking app. Handing over my data to yet another company. Will these companies protect it? What security measures and controls do they have? Did they conduct a DPIA? Was it outsourced to an app developer, possibly outside the UK/EU? Did they do any due diligence?

As well as my fears around data, I also worry for the significant minority disenfranchised by the widescale embrace of what my colleague Simon calls the ‘Mobilical Cord’. It’s so very true – I’m unable to properly function without my smartphone implanted in my paw. I use it to access the internet, my emails, messages, banking and so on. It’s also a crucial part of our company security – to authenticate I am really me.

The 2021 UK Census showed 90% of households had a home computer. 93% had access to a mobile phone. I suspect it’s higher now, but it’s still not everyone. As of 2023, according to research by Statista, 98% of 16-24 year olds have a smartphone. However, this drops to 80% for the over 65s. The less tech-savvy, and particularly the elderly, are being left behind. My mother is 84. I got her a smartphone, but she hates it and doesn’t understand it. Apps? An enigma. She’s also terrified of online scams, knowing how the elderly are disproportionately targeted.

So, now we also face the prospect of passport-free travel. UK Border Force is set to trial e-gate schemes similar to those rolled out in Dubai and Australia. This negates the need to show a passport, instead using facial recognition technology (FRT).

Phil Douglas, the Director General of Border Force has said “I’d like to see a world of completely frictionless borders where you don’t really need a passport. The technology already exists to support that.” He added: “In the future, you won’t need a passport – you’ll just need biometrics.”

According to the Times, the biometric details of British and Irish travellers are already held, having been collected in the passport application process. What does Phil Douglas feel about our personal biometrics being potentially harvested by countries with dodgy human rights records?

Too many people will shrug – an end to lengthy queues? Yes please. But who controls my facial map? How will it be used? Will it be shared? How will it be kept secure? Facial recognition tech also raises issues of bias in algorithms, and the potential for mistakes, with serious consequences.

I suspect, one day, there’ll be the kind of disaster one sees in movies, where the Internet collapses for a significant period. What then? I also wonder if, eventually, ambulance-chasers will identify companies using apps to disproportionately harvest data – and playing fast and loose with the safeguards set up to protect us. Will this become the next big Personal Indemnity Insurance (PII) style business opportunity?

What I do know is businesses who put all their eggs in one basket without contingencies, or fail to anticipate risk, are those likeliest to suffer when the app-ocalypse (however it manifests itself) is nigh!

Now, did I mention AI…?

The three foundations of good data governance

January 2024

People, processes and technologies

Creating a clear data governance strategy is crucial to making sure data is handled in line with your organisation’s aims and industry best practice.

Data governance is often thought of as the management process by which an organisation protects its data assets and ensures compliance with data laws, such as GDPR. But it’s far broader than compliance. It’s a holistic approach to data and should have people at its very heart. People with defined roles, responsibilities, processes and technologies which help them make sure data (not just personal data) is properly looked after and wisely used throughout its lifecycle.

How sophisticated your organisation’s approach needs to be will depend on the nature and size of your business, the sensitivity of the data you hold, the relationships you have with business partners, and customer or client expectations.

Benefits of good data governance

There are many benefits this activity can bring, including:

  • Minimising risks to the business, your employees, customers and suppliers
  • Giving your people clarity around expected behaviours and best practices
  • Embedding compliance requirements

A strong data governance approach can also help an organisation to make the most of their data assets, improve customer experience and benefits, and leverage competitive advantage.

Data governance – where to start?

There are three foundational elements which underpin successful data governance – People, Processes and Technologies.


People

Engaging with stakeholders across the organisation to establish and embed key roles and responsibilities for data governance.

Many organisations look to establish a ‘Data Ownership Model’ which recognises data governance is an organisational responsibility which requires close collaboration across different roles and levels, including the delegation of specific responsibilities for data activities.

Here are some examples of roles you may wish to consider:

  • Data strategy lead – such as Chief Data Officer / Chief Digital Officer
  • Data protection lead – such as Data Protection Officer (DPO), if you have one
  • Information security lead – such as Chief Information Security Officer (CISO) or Chief Technology Officer
  • Information asset owners (or data owners) – leaders of business functions / teams which collect and/or use personal data for particular purposes, such as HR, Marketing & Sales, Finance, Operations, and so on.
  • Data specialists – heavy users of complex datasets, such as data analysts and data scientists.
  • System owners – the people who manage the key systems which hold personal data, such as IT managers.

Processes

Think about all the processes, policies, operating procedures and specialist training provided to guide your employees and contractors, enabling them to handle data in line with your business expectations – as well as to comply with the law.

Without these in place and regularly updated, your people can’t possibly act in the ways you want and expect them to.

In my experience, success comes from keeping these items concise, and as relevant and engaging as possible. They can easily be forgotten or put in the ‘maybe later’ pile… a little time and effort can really pay dividends!

Technologies

The technologies which underpin all data activities across the data lifecycle, for example your HR, marketing & CRM, accounting and other operational systems you use regularly. Data governance requires those responsible for adopting technologies to make sure standards and procedures are in place which ensure appropriate:

  • Accessibility and availability standards
  • Data accuracy, integrity and quality management
  • Privacy and security

Looking at privacy technology in particular, the solutions available have really progressed in recent years in terms of both their capability and ease of use. They give DPOs, and others with an interest in data protection, clear visibility of where the risks lie, help to prioritise them and point to relevant solutions. They can also help provide clear visibility and oversight to the senior leadership team.

The ‘Accountability Principle’

Data governance goes hand in hand with accountability – one of the core principles under GDPR. This requires organisations to be ready to demonstrate the measures and controls they have to protect personal data and in particular, show HOW they comply with the other data protection principles.

Appropriate measures, controls and records need to be in place to evidence accountability. For example, a Supervisory Authority (such as the ICO) may expect organisations to have:

  • Data protection programme, with clear data ownership & governance and regular reporting up to business leaders
  • Training and policies to guide staff
  • Records of data mapping exercises and processing reviews, such as an Information Asset Register and Record of Processing Activities
  • Risk assessments, such as Data Protection Impact Assessments and Legitimate Interests Assessments
  • Procedures for handling of individual privacy rights and data breaches
  • Contracts in place between organisations which include the relevant data protection clauses, including arrangement for restricted international data transfers
  • Data sharing agreements

Ready to get started?

If you’re keen to reap the benefits of improved compliance and reduced risk to the business, the first and crucial step is getting buy-in from senior leadership and a commitment from key stakeholders, so I’d suggest you kick-off by seeking their support.

Data Protection Impact Assessments for Agile projects

November 2023

How to assess risks when a project has multiple phases

Agile methodology is a project management framework comprising several dynamic phases, known as ‘sprints’. Many organisations use Agile for software & technology development projects, which often involve the processing of personal data.

From a data protection perspective, Agile (and indeed other multi-stage projects) present some challenges. The full scope of data processing is often unclear at the start of a project. The team are focussed on sprint one, then sprint two, and so on. So how do you get Privacy by Design embedded into an Agile project?

Conducting a Data Protection Impact Assessment (DPIA) is a legal requirement under data protection law for certain projects. Even when a DPIA is not mandatory it’s a good idea to consider the privacy impacts of any new processing.

Looking at a project through a privacy lens at an early stage can act as a ‘warning light’, highlighting potential risks before they materialise and when measures can still be easily put in place to reduce the risks.

If your organisation uses Agile, it’s likely you’ll need to adapt your DPIA process to work for Agile projects. Understand the overall objectives and direction of travel to get a handle on how data use will evolve and what risks might be involved.

Working together to overcome challenges

It’s important all areas of the business collaborate to make sure projects can proceed at pace, without unnecessary delays. Compliance requirements must be built into Agile plans alongside other business requirements – just as ‘Privacy by Design’ intended.

Those with data protection responsibilities need project management teams to engage with them at an early stage, to explore the likely scope of processing and start to identify any potential privacy risks, while there’s still time to influence solution design.

This isn’t always easy. Given the fluid nature of Agile, which is its great strength, there is often very limited documentation available for review to aid Compliance assessments.

Privacy questions often can’t be answered at the start – there may be many unknowns. So it’s key to agree what types of data will be used, for what purposes, and when more information will be available for the DPIA – crucially before designs are finalised. Timings for assessment need to be aligned to the appropriate sprints.

As many companies have found, embedding privacy awareness into the company culture is a big challenge, and ensuring Data Protection by Design is a key consideration for tech teams at the outset is an on-going task.

Example: data warehouse

Organisations with legacy data systems might want to build a data warehouse / data lake to bring disparate data silos together under one roof, gain new insights and drive new activity. It’s important to assess any privacy impacts this new processing creates.

Using Agile, new capabilities may be created over several development phases. So it’s important to conduct an initial assessment at the start, but stay close as the project evolves and be ready to collaborate again, in line with sprint timings – before data is transferred or before new solutions are created.

Top tips for ‘Agile’ DPIAs

Here are my top tips for a fluid DPIA process:

1. DPIA training & guidance – make sure relevant teams, especially IT, Development and Procurement, all know what a DPIA is (in simple layman’s terms) and why it’s important. They need to recognise the benefits of including privacy in scope from the start (i.e. ‘by Design’).

2. Initial screening – develop a quick-fire set of questions for the business owner or project lead, which will give the key information you need, such as

  • the likely personal data being used
  • any special category data, children’s data or vulnerable people’s data
  • the purposes of processing
  • security measures… and so on

Once it has been identified there is personal data involved you can start assessing the potential risks, if any. As odd as this may sound, it is not uncommon for tech teams to be unsure at the beginning of a project if personal data (as defined under GDPR to include personal identifiers) will in fact be involved.

3. DPIA ‘Lite’ – if there are potential risks, develop a series of questions to evaluate compliance against the core data protection principles of the GDPR.

The Agile environment can prove challenging but also rewarding. Adopting a flexible DPIA process which works in harmony with Agile is a positive step forward for innovative companies, allowing your business to develop new solutions while protecting individuals from data protection risks, as well as protecting your business from any possible reputational damage.

UK telemarketing rules

November 2023

How to avoid falling foul of the rules for marketing calls

Hardly a month goes by without the UK’s Information Commissioner’s Office (ICO) fining another company for breaking the telemarketing rules under the Privacy and Electronic Communications Regulations (PECR).

I’m sure all of us have been on the receiving end of a dodgy call. The favoured ‘have you recently been involved in an accident?’ springs to mind.

Tackling nuisance calls is clearly a key priority for the Regulator, so how do bona fide businesses avoid being tarred with the same brush as the rogue operators?

6-point telemarketing guide

1. Service vs marketing calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Routine customer service calls don’t count as direct marketing.

But if you’re treating a call as a service call (and not applying the marketing rules under PECR) you need to be careful the script / call guide and what your call handlers say in practice doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

A Trade Union was fined in 2021 for not screening numbers against the TPS. The Union didn’t believe its calls were direct marketing, but the ICO judged they were. Just because you believe you’re acting in good faith doesn’t mean you are.

2. Consent or Legitimate Interests?

Telephone numbers which can directly or indirectly identify an individual are personal data and fall under the scope of UK GDPR. For example, when using someone’s personal or work mobile, direct line business number or home landline you’ll need to comply with both UK GDPR and PECR.

You’ll need to decide whether to rely on consent or legitimate interests as your lawful basis under UK GDPR to make telemarketing calls to people. In brief:

  • Consent: make sure this meets the requirement to be a specific, informed, unambiguous indication of someone’s wishes made with a positive action (e.g. an opt-in). Keep records of consent (including, if relevant, the script used) and make sure withdrawing consent is as easy as giving it.
  • Legitimate Interests: conduct a Legitimate Interests Assessment (LIA), keep a record of this assessment and be sure to provide people with a way to opt-out of future calls.

3. Live marketing calls to individuals

Below are the key rules to follow:

  • Don’t make marketing calls to anyone who’s told you they don’t want to hear from you. Keep a suppression file of all objections to telemarketing, and screen your campaigns against this internal ‘do not call list’.
  • Don’t make marketing calls to anyone registered with the Telephone Preference Service, unless you’ve collected consent to call them.
  • Say who’s calling – i.e. clearly state the name of your organisation.
  • Always display your number (or an alternative contact number).
  • Provide an address or freephone contact number if asked.
  • Make it easy to opt-out of further calls.

4. Remember sector specific rules

Stricter rules apply if you’re making calls about claims management or pension schemes. For claims management services you must have consent. For calls about pension schemes, you must have consent unless:

  • You are a trustee/manager of a pension scheme; or
  • A firm authorised by the Financial Conduct Authority; or
  • Your relationship with the individual meets strict criteria.

5. Automated calls

When using automated dialling systems which play a recorded message the rules are very strict. You must have:

  • Specific consent from individuals indicating they’re okay to receive automated calls; and
  • Calls must include your organisation’s name and contact address or freephone number; and
  • You must display your number (or alternative contact number).

In practice, these consent rules make genuine compliant automated calls very difficult.

6. Marketing/sales calls to business numbers

The rules under the UK’s PECR are the same for calling businesses as they are for individuals.

  • You can call any business that has specifically consented to your calls. Or, and most commonly…
  • You can make live calls to any business number which is not registered with the TPS or the Corporate Telephone Preference Service (CTPS). But only if they haven’t objected to your calls and you’re not calling about claims management services.

The reason screening against both TPS and CTPS is necessary (if you don’t have consent), is sole traders and some partnerships may have registered with the TPS.
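The screening decision described in points 3 to 6 above, as an added worked example (not code from the ICO or from any dialler product): it normalises UK numbers, applies the internal suppression list first, then the automated-call, sector-specific, consent and TPS/CTPS checks in order of precedence. The list contents, number formats and the `pension_exception` flag are constructed assumptions for illustration.

```python
"""Constructed telemarketing call-screening example (not from any real dialler
or from the ICO). Sample numbers are in Ofcom's reserved drama ranges."""
from dataclasses import dataclass, field
from enum import Enum
import re


class CallType(Enum):
    GENERAL = "general"
    CLAIMS_MANAGEMENT = "claims_management"   # point 4: consent always required
    PENSION = "pension"                       # point 4: consent unless an exception applies
    AUTOMATED = "automated"                   # point 5: recorded-message call


@dataclass
class Prospect:
    number: str
    is_business: bool = False          # business number: screen CTPS as well as TPS (point 6)
    consent: bool = False              # specific opt-in consent to live marketing calls
    automated_consent: bool = False    # separate specific consent to recorded-message calls
    pension_exception: bool = False    # assumption: set when the caller is a trustee/manager of
                                       # the scheme, is FCA-authorised, or the relationship with
                                       # this individual meets the strict criteria


@dataclass
class ScreeningLists:
    tps: set[str] = field(default_factory=set)          # Telephone Preference Service
    ctps: set[str] = field(default_factory=set)         # Corporate Telephone Preference Service
    suppression: set[str] = field(default_factory=set)  # internal 'do not call' list of objections


def normalise(number: str) -> str:
    """Reduce a UK number to +44... form so list lookups do not depend on spacing or prefix."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+44"):
        return digits
    if digits.startswith("0044"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return digits


def screen(p: Prospect, call_type: CallType, lists: ScreeningLists) -> tuple[bool, str]:
    """Return (may_call, reason). Checks run in order of precedence: a recorded
    objection overrides everything, including consent (point 3)."""
    n = normalise(p.number)
    if n in lists.suppression:
        return False, "on internal suppression list (objection recorded)"
    if call_type is CallType.AUTOMATED:
        if p.automated_consent:
            return True, "specific consent to automated calls held"
        return False, "no specific consent for automated calls"
    if call_type is CallType.CLAIMS_MANAGEMENT and not p.consent:
        return False, "claims management calls require consent"
    if call_type is CallType.PENSION and not (p.consent or p.pension_exception):
        return False, "pension scheme calls require consent or a recognised exception"
    if p.consent:
        return True, "consent held"   # consent permits calling TPS/CTPS-registered numbers
    if n in lists.tps:
        return False, "registered with TPS and no consent"
    if p.is_business and n in lists.ctps:
        return False, "registered with CTPS and no consent"
    return True, "not registered with TPS/CTPS and no objection"


def screen_campaign(prospects, call_type, lists):
    """Split a campaign list into callable numbers and a log of suppressed ones with reasons."""
    callable_, suppressed = [], []
    for p in prospects:
        ok, reason = screen(p, call_type, lists)
        (callable_ if ok else suppressed).append((p.number, reason))
    return callable_, suppressed


if __name__ == "__main__":
    # Constructed sample lists and campaign
    lists = ScreeningLists(tps={"+447700900123"}, ctps={"+442079460000"},
                           suppression={"+447700900999"})
    campaign = [Prospect("07700 900123"), Prospect("07700 900123", consent=True),
                Prospect("07700 900999", consent=True),
                Prospect("020 7946 0000", is_business=True),
                Prospect("020 7946 0001", is_business=True)]
    ok, blocked = screen_campaign(campaign, CallType.GENERAL, lists)
    print("callable:", ok)
    print("suppressed:", blocked)
```

Keeping the suppressed log alongside the callable list gives you the record the ICO would expect if a complaint is later raised about a particular number.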

Applicable laws for telemarketing

PECR gives us the rules for telemarketing calls in the UK and the ICO has published telemarketing guidance. As well as complying with PECR you should comply with UK GDPR for your handling of personal data.

The rules differ in other countries, so check local laws if your telemarketing extends to calling people in other territories. Many countries have a ‘do not call’ register similar to the Telephone Preference Service.

There are also specific rules under PECR for email marketing messages, see UK email marketing rules.

3 steps to decide your data retention periods

November 2023

How to start tackling data retention

Both UK and EU data protection law require organisations not to keep personal data any longer than necessary for the purpose(s) the data is processed for. Sounds simple, doesn’t it?

In practice, it’s one of the most challenging areas of the law to comply with. How do businesses decide on justifiable retention periods? How do they implement retention periods in practice? And, crucially, what are the risks if they get it wrong?

In our experience it’s not uncommon for many businesses to be holding onto unnecessary personal data. So when deciding how long personal data should be kept, it’s helpful to work through the following key steps.

1. Does the law tell us how long to retain certain records?

Sometimes there will be a legal or statutory requirement to retain personal data for certain purposes. This is the easy bit, as you can use this to set retention periods for certain categories of data.

For example, your business may be subject to laws relating to employment and finance which give specific periods when you process people’s data for these purposes.

There may also be a duty to preserve documents for disclosure in legal proceedings that may have started or may be started in future.

2. Are there industry standards, guidelines or known good practice?

In regulated sectors such as finance, health and manufacturing there may be agreed industry standards or agreed professional practices which recommend and/or can justify retention periods. Working to best practice and precedent makes things much easier.

3. What about… everything else?

Okay, you’ve established that for a certain dataset, and what you use that data for, there are no statutory requirements. Maybe there are also no industry standards that apply. What do you do now?

You’ll need to assess what’s necessary, proportionate and reasonable to retain. By its very nature, this is subjective; cases will often turn on their own merits. Ideally, you’ll want to be able to justify retention periods for different datasets.

Here are some of the questions you can ask to try and reach a defensible decision.

  • What are the business drivers for retention?
  • Does the product lifecycle have an effect on retention?
  • Does your approach to pricing have an effect on retention?
  • Can it be evidenced certain data is legitimately needed for a certain amount of time?
  • Do you need to keep personal data to handle queries or complaints?
  • How damaging would it be to the business to delete certain data?

To give an example, I know of a retailer which took the step of carrying out research into how often their customers purchased their products. Due to the sturdy nature of their products, the research clearly showed for many customers there was a gap of 3-4 years between purchases. This analysis was used as justification for retaining customer details for postal marketing longer than perhaps another company might.

What are the risks?

Businesses expose themselves to a number of risks if they keep personal data for longer than necessary, or indeed don’t keep it long enough.

Information security risks

The impact of a data breach could be significantly worse; with a larger volume of records and more people affected. Enforcement action could be more severe if it becomes clear personal data has been kept with no justifiable reason, i.e. a Regulator might deem that older data was unlawfully held. It could also increase the likelihood of complaints from individuals asking why their data was kept for so long.

I once received an email from a major UK brand informing me that my data had been involved in a data breach. My first thought was how on earth does this company still have information about me? I couldn’t remember when I’d last bought anything from them.

Legal risks

Where there’s a statutory requirement for personal data to be retained for a specific period, there’s clearly a risk if records aren’t kept for the statutory period.

Contractual risks

Certain personal data may need to be kept to meet contractual terms; for example to provide a service or warranties. Not keeping certain data long enough may lead to an inability to respond to complaints, litigation or regulatory enforcement.

Customer expectations

Customers expect organisations to be able to respond to their needs. For example, answering queries or responding to complaints. Data about them therefore needs to be kept long enough to meet customers’ reasonable expectations. However, once a reasonable period has elapsed a customer may not expect you to be continuing to hold their details.

All these risks could also result in reputational damage for an organisation which fails to meet its legal obligations, contractual obligations, or its customers’ expectations.

We’d recommend all businesses have a straightforward retention policy and keep a retention schedule. Admittedly these are only the first steps. Actually implementing and deleting data when it comes to the end of its retention period can be the biggest challenge. We’d suggest you review your data at least annually and cleanse.

Using the old adage ‘you can only eat an elephant one bite at a time’, we’d advise focusing on the biggest risk areas. What data represents the biggest risk if you keep it too long?
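As an added example of the retention review recommended above (not code from the page’s authors or any product): a schedule-driven check that classifies records as delete, retain or review, keeps anything under legal hold (the duty to preserve documents for disclosure noted in step 1), and counts overdue records per category so the biggest risk area is tackled first. The categories, periods, dates and records are constructed placeholders, not statements of what any law or standard requires.

```python
"""Constructed retention-schedule review. Periods are illustrative placeholders only."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Basis(Enum):
    STATUTORY = "statutory"   # step 1: a legal requirement sets the period
    INDUSTRY = "industry"     # step 2: industry standard or recognised good practice
    BUSINESS = "business"     # step 3: a justified, evidenced business need


@dataclass(frozen=True)
class Rule:
    category: str
    years: int              # keep for this long after the trigger event
    basis: Basis
    justification: str      # recorded so the period is defensible later


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger: date               # e.g. end of employment, last purchase, end of contract
    legal_hold: bool = False    # subject to a duty to preserve for legal proceedings


def add_years(d: date, years: int) -> date:
    """Anniversary of d; 29 Feb rolls back to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review(records, schedule, today):
    """Classify every record as 'delete', 'retain' or 'review' with a reason.
    Returns {record_id: (outcome, reason)}."""
    rules = {r.category: r for r in schedule}
    results = {}
    for rec in records:
        rule = rules.get(rec.category)
        if rule is None:
            # No agreed period: flag for a human decision rather than guessing.
            results[rec.record_id] = ("review", f"no retention rule for category '{rec.category}'")
            continue
        expiry = add_years(rec.trigger, rule.years)
        if rec.legal_hold:
            results[rec.record_id] = ("retain", "legal hold: preserve for disclosure regardless of schedule")
        elif today < expiry:
            results[rec.record_id] = ("retain", f"{rule.basis.value} period runs until {expiry.isoformat()}")
        else:
            overdue = (today - expiry).days
            results[rec.record_id] = ("delete", f"period ended {expiry.isoformat()}, {overdue} days overdue")
    return results


def overdue_by_category(records, results):
    """Count records due for deletion per category, largest first, to prioritise the review."""
    counts = {}
    for rec in records:
        if results[rec.record_id][0] == "delete":
            counts[rec.category] = counts.get(rec.category, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample data (placeholders, not real legal retention periods)
SCHEDULE = [
    Rule("payroll", 6, Basis.STATUTORY, "placeholder statutory period"),
    Rule("customer_marketing", 4, Basis.BUSINESS, "research showed a 3-4 year gap between purchases"),
]
RECORDS = [
    Record("r1", "payroll", date(2016, 3, 1)),                    # past its period, no hold
    Record("r2", "payroll", date(2016, 3, 1), legal_hold=True),   # past its period, but on hold
    Record("r3", "customer_marketing", date(2020, 2, 29)),        # still within its period
    Record("r4", "cctv", date(2023, 1, 1)),                       # no rule in the schedule
]
TODAY = date(2024, 1, 15)


def sample_review():
    """Run the review over the constructed sample so the outcome can be inspected."""
    return review(RECORDS, SCHEDULE, TODAY)


if __name__ == "__main__":
    results = sample_review()
    for rid, (outcome, reason) in results.items():
        print(rid, outcome, "-", reason)
    print("overdue by category:", overdue_by_category(RECORDS, results))
```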

Our detailed Data Retention Guide is full of further tips, case studies and sample retention schedules.

Legitimate interests: is it legit?

November 2023

5-point legitimate interests checklist

“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate.”
UK Information Commissioner’s Office

Legitimate interests is used as a ‘go-to’ lawful basis for a host of business activities; analysis, administration, fraud prevention, network security, prospecting, marketing segmentation and personalisation… the list goes on.

But, just because we could do something with people’s personal data, doesn’t mean we should. The lack of another lawful basis as a ‘good fit’ doesn’t mean we should simply choose legitimate interests and decree it legit!

UK and EU GDPR require organisations to balance their own legitimate interests against the interests of the people whose data is used for a particular activity – and their rights and freedoms. Such business interests can be commercial ones, but they need to be balanced.

Legitimate interests checklist

Here’s a quick reminder of the elements to consider when relying on legitimate interests as your lawful basis.

1. Reasonable expectations

Are you handling people’s personal data in a way they would reasonably expect? If not do you have a very strong justification?

Judging reasonable expectations is objective. Legitimate interests is more likely to apply where you have a relevant and appropriate relationship with the people whose data you’re using. For example, they’re employees, clients or existing customers. Other factors which play a part in this are how long ago you collected the data, where you sourced the data from and whether you’re using new technology or using data in a way people might not have expected.

2. Assessment

Have you conducted a Legitimate Interests Assessment (LIA)? This 3-part assessment should cover:

  • Identifying a legitimate interest
  • Demonstrating the processing is necessary for your organisation to achieve your objectives
  • Balancing your interests against individual interests, rights and freedoms

Where a case for relying on legitimate interests is clear cut, this needn’t be a complex assessment, but alarm bells should start ringing if what you’re planning to do…

  • isn’t really necessary
  • could be achieved in another less intrusive way
  • would be unexpected or unreasonable
  • may cause harm or distress to those whose data is involved
  • means people are unable to exercise their privacy rights

3. Transparency

Are you open about what you’re doing? Have you fulfilled people’s right to be informed about how their personal data’s being used?

It’s a legal requirement to tell people what processing activities you rely on legitimate interests for. This should be explained in a privacy notice clearly brought to people’s attention. Typically a privacy notice would be on forms where you collect personal data, on your website footer and in the footer of your emails.

4. Right to object

Can you provide people with a clear opportunity to object? If not, can you justify not doing so? For example, you probably wouldn’t give people the opportunity to object to necessary fraud or security checks.

5. Risk assessment?

Does what you want to do involve children’s data? Does it involve special category data (such as health data or biometrics)? Monitoring people on a large-scale? Involve innovative solutions like AI?

For any higher risk activities, it’s likely you’ll need to conduct a Data Protection Impact Assessment in addition to an LIA.

Legitimate interests and marketing

Direct marketing may be a legitimate interest, to paraphrase GDPR Recital 47, but organisations still need to balance their commercial interests, and make sure their marketing doesn’t infringe on the rights and freedoms of individuals.

Crucially, legitimate interests can only be used if consent is not a requirement under eprivacy rules, such as the UK’s Privacy and Electronic Communications Regulations (PECR).

Clearly, it’s difficult to argue direct marketing is in people’s interests, so the ICO recommends focusing on the following factors when conducting a legitimate interest assessment:

  • Would people expect you to use their details for marketing?
  • Would unwanted marketing messages cause a nuisance?
  • Could the method and frequency of communications have a negative impact on more vulnerable people? In simple language, could you be accused of being overly pushy or aggressive?

Most importantly, everyone has an absolute right to object to direct marketing. The ICO says it’s more difficult to pass a balancing test if you do not give people a clear option to opt out when you collect their details or, if the data wasn’t collected directly from them, in your first communication.

Ultimately, to genuinely rely on legitimate interests for any purpose, we should be up front and honest about what we are doing, make sure it’s reasonable and give people the chance to say no, unless we have a strong case for doing otherwise.

International Data Transfers and UK-US Data Bridge

September 2023

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live 12 October 2023.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.

The UK Government stresses that data bridges are not reciprocal: they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individuals’ personal data under UK GDPR is maintained.

The UK-US Data Bridge is aimed at easing the burden on UK businesses faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.

For more than a decade the Austrian privacy activist Max Schrems (and his organisation NOYB) has been challenging data transfers and highlighting concerns about the ability of the US Government and its agencies to access and intercept data transferred to the US.

This ultimately led to a 2020 European Court ruling, known as Schrems II, which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard: Standard Contractual Clauses (SCCs).

(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)

Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.

In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risk Assessments for UK-based businesses. Oh, and let’s not forget there’s also the UK Addendum to the EU SCCs.

Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed the EU-US Data Privacy Framework gives protection to transferred personal data which is comparable to that provided within the EU.

This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit, the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US Data Bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers would also need to sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking:

1) whether the US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the categories of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge or the Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example, special category data (such as health data, biometrics and political opinions) and criminal offence data require additional measures.

There’s further information available about the Data Privacy Framework here, and there’s also an ability to check if a US business is signed up using the participant search.

Legal challenges

As with its predecessors, Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, maybe even years, to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US Data Bridge.

Businesses wanting to take a belt-and-braces approach may therefore want to still rely on safeguard measures such as the EU Standard Contractual Clauses, the UK International Data Transfer Agreement and, where necessary, the UK Addendum.

See our International Data Transfer Guide for an overview of the rules and requirements.

EU Representative and Swiss Representative for data protection

September 2023

Do you need to appoint a data protection representative?

The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the requirement for many businesses to appoint an EU representative post Brexit.

What is an EU Representative?

If you’re a UK based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.

This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.

The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation:

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if you are a public authority, or if your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answers to all the above questions are NO.

But if for example you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

Once you’ve established you meet the criteria, you need to know what an EU Representative’s responsibilities are and find a company to provide this service. They have the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. In selecting Ireland, you would need to be handling Irish citizens’ data. If, for example, you only process French and German citizens’ data, you would need a Representative in one of these countries.

What about Swiss Representatives?

The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.

In practice, like the EU GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example, if your activities:

  • involve offering goods and/or services to individuals, or monitoring their behaviour, on a large scale,
  • are on a large scale, carried out regularly and pose a high risk to the data subject.

The role of Swiss Rep has evolved from the EU GDPR one: they act as a local, accessible point of contact in Switzerland for individuals and for the FDPIC.

However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale, carried out regularly and posing a high risk forms part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption from appointing an EU representative if your processing is not on a large scale, is not routine and is not high risk.

So, what’s the risk of not having a Representative?

This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.

However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.