Data protection and our suppliers

February 2023

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers: those acting as our processors, supporting our business.

Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common) can become onerous. It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first.

Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch – a data breach. How quickly and fully will they notify us, and how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:

  • Do they have a DPO or another individual in the business responsible for data protection?
  • Can they provide evidence of data protection policies and procedures?
  • Have they experienced a data breach before?
  • What information security procedures do they have in place?
  • How regularly are their security measures tested?
  • Do they hold any form of certification?
  • In which country/region will the data be processed?
  • Who are their sub-processors and where do they process the data?

The above is by no means an exhaustive list.

2. International Data Transfers 

There are additional considerations if international data transfers come into play. If we’re sharing data with (or allowing it to be accessed by) a supplier in a third country, we need to check what safeguards need to be in place.

For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs).  There’s also the relatively new requirement to conduct a transfer risk assessment, and consider if additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept?

UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO have published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions –  Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent?

It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

For suppliers considered a higher risk, it may be prudent to routinely audit them. In doing so it’s important to be clear what aspects of the supplier’s business need to be scrutinised.

Creating a framework which is tuned and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data are handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out when the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

7. Certification – in the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into data privacy) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating using multiple suppliers. As the saying goes, ‘you can only eat an elephant one bite at a time’: the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.

Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy. 

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research, approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with: 

1.     Do I need to worry about data protection regulation? 

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all and it will depend on the risk appetite of your organisation.

2.     Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis. 

3.     Do I need a RoPA (Record of Processing Activity)?

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA if the following apply:

  • Processing does not pose a risk to the rights and freedoms of the data subject
  • No special category data is being processed
  • Processing is only done occasionally

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not.

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4.     Do I need to register with the ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not for profit status is a possible example. 

5.     Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6.     How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step by step set up guides. There is really no excuse not to have a cookie notice. 

7.     What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them? 

8.     What about Individual Rights? 

Yes. Every individual has clear rights and irrespective of the size of the organisation you need to fulfil these requests. 

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business but it’s important to decide how to recognise and respond to these requests from individuals. 

9.    Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are: 

  • Boundary firewalls and internet gateways.
  • Secure configuration.
  • Access control.
  • Malware protection.
  • Patch management.

10.  What about International Data Transfers? 

Hopefully no! If you and your suppliers are only operating in the UK and Europe, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When the EU-US Privacy Shield was invalidated in 2020, this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to only work with companies based in the UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three and the reality is that you must accept they’re not going to change anything for you, or choose not to use them. 

Conclusion

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care. 

There’s more helpful information available on the ICO’s Small Business Hub.

Takeaways from Meta’s huge fine

January 2023

Digital advertising faces significant changes in the wake of the latest fine to be levelled at Mark Zuckerberg’s Meta.

The Data Protection Commission (DPC) for Ireland has fined Meta (Meta Platforms Ireland Limited) a huge 390 million Euros. It was ruled that Meta’s reliance on contract terms as the lawful basis for personalised advertising on both Facebook and Instagram is invalid.

On top of the fine the DPC has given Meta three months to comply with its interpretation of the EU GDPR.

What does this mean for social media advertising?

Behavioural advertising on the Facebook and Instagram platforms is targeted using user-profile information. It’s based on people’s online activity and other details they share with the platform. This helps advertisers to target individuals based on location, hobbies, interests and other behaviours.

This latest ruling calls into question whether social media platforms must seek their users’ prior opt-in consent for behavioural advertising, rather than rely on the contractual terms people sign up for to use the platforms.

If social platforms switch to an opt-in consent, users will inevitably gain far more control over the adverts they see. But on the flipside, the number of individuals available for targeting by advertisers is likely to decline. This would have a big impact on the marketing mix for many companies.

What’s behind the Meta ruling?

The DPC’s investigation stretches back to complaints originally raised on the very first day EU GDPR came into force, in May 2018. From the get go, it was argued Facebook’s (now Meta) processing for personalised advertising was unlawful.

Significantly, prior to May 2018, Facebook Ireland updated both Facebook and Instagram’s Terms of Service. ‘Implicit consent’ had previously been used for behavioural advertising, but with consent being much more onerous to achieve under GDPR, there was a switch to relying on contract as the new lawful basis for the ads.

Users were asked to click ‘I accept’ to the updated Terms of Service and, in doing so, by default accepted behavioural advertising as part of the service package. The platforms simply would not be accessible if users declined to do so. The Irish DPC has now rejected contract as a valid lawful basis for behavioural advertising.

This ruling follows a lot of uncertainty and disagreement between the DPC, other EU regulators and the European Data Protection Board (EDPB), over the use of contract as a legal basis for this type of advertising.

The Chair of EDPB, Andrea Jelinek: ‘The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.’

This latest ruling represents a U-turn by the DPC, who have now stated their decisions ‘reflect the EDPB’s binding determinations.’

This is not Meta’s only fine. In September 2022, the DPC fined Meta €405 million for allowing minors to operate business accounts on Instagram, and there have been others. Unsurprisingly Meta plans to appeal both of the DPC’s decisions.

Key takeaways for digital advertising

  1. The burning question is ‘Can I still run ads on Facebook & Instagram?’. Technically yes – the ruling applies to Meta, not its advertisers. Meta, for its part, said: ‘These decisions do not prevent personalised advertising on our platform.’ However, using these platforms is not without potential risks.
  2. Data protection by design is paramount for digital advertisers. There’s a regulatory expectation that the interests, rights, and freedoms of individuals are respected. Platforms need to evidence these considerations have been taken into account.
  3. Users must be given a real choice. They must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. They must be given meaningful control and the platforms must be able to demonstrate there is user choice through the data lifecycle.
  4. Accountability is key – there should be genuine transparency around how and why personal data is processed and who is responsible for that processing.

Max Schrems, privacy activist and honorary chair of Noyb: ‘People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.’

Estelle Masse, Global Data Protection Lead at Access Now, said the decisions are ‘hugely significant’ for online companies which rely on targeted ad revenues. She said they should look at whether the way they deliver ads online is ‘legal and sustainable.’

Data Governance Quick Guide

January 2023

Taking control of our data

In essence, data governance is a framework of management practices which makes sure data is used properly in line with our organisational aims, the law and best practice.

Think of it as embedding Data Protection by Design and by Default across the organisation. It means business objectives can be met without taking unnecessary risks with data. Data governance helps us to:

  • protect the business and those whose data we process: customers, employees, etc.
  • reduce our organisational risk profile
  • educate our people, by providing policy & guidance to them on how to use data in safe and appropriate ways
  • build in an ethical approach
  • build our reputation, customer trust and enhance the value of our data assets
  • support our teams’ innovation with use of data.

The 6 data governance steps

[Figure: Building a robust data governance framework, from the data protection consultancy DPN]

1. Data discovery

It’s vital to identify data assets held across the business, understanding how personal data is being gathered, stored, used and shared. It can be helpful to map where the data is located on systems, and document it.

Most medium to large businesses will need to do this anyway to create and maintain an Information Asset Register (IAR) and Records of Processing Activity (RoPA).

2. Policies & standards

If our people don’t know how we expect them to behave when handling other people’s data, we can’t expect them to make a great job of it. Are your policies and procedures all up to scratch? Having a straight-forward, easy to understand and practical Data Protection Policy is a good place to start (alongside relevant training). The importance of well-crafted easy to use policies shouldn’t be underestimated.

3. Stakeholder accountability

We need to identify key stakeholders within the business. These are likely to be heads of key functions, such as HR, Operations, Sales & Marketing, and so on.

It’s good to establish data roles and responsibilities, so people are clear what aspects they and others are responsible for. Who has the authority to make decisions about certain data?

4. Risk assessment process

Businesses should have risk assessment procedures to discover, assess, prioritise and take action to mitigate data risks. A governance programme helps teams to identify and assess both existing and emerging risks, so they can be efficiently assessed and mitigated.

Think of data like a balance sheet: it has great potential to create value, but also carries risks and liabilities.

The aim of a data governance programme is to protect both the business and those whose data we process from harm which may arise, for example from inaccurate data, unlawful or unfair processing, or using people’s data in ways they would not expect or want.

For certain projects it will be necessary to conduct a Data Protection Impact Assessment (DPIA).

5. Technical and organisational measures (TOMs)

Once privacy risks have been identified, we need to consider what measures could be put in place to tackle them. You may choose to mitigate them internally with new procedures or security measures, or perhaps work with a third party to adopt technical or operational measures. See also: Privacy Enhancing Technologies – how they can help.

Organisational measures include making sure there’s good awareness about data protection across the business, and employees receive appropriate training.

6. Executive oversight

Risks should be reported up the line to make sure the senior leadership team has proper oversight and the opportunity to take appropriate action. If your organisation has a Data Protection Officer (DPO), this reporting will be part of the formal accountabilities for their role. But remember not all businesses need to have a DPO. See also: Should we appoint a DPO?

Overcoming cultural challenges

Data protection and privacy professionals face a cultural challenge to win hearts and minds. I have sometimes heard legal or privacy teams described as ‘the department of no’. That’s not how we want to be seen!

Smart businesses are realising the value of taking privacy seriously. We should help our business colleagues to balance the needs of commercial and operational functions with legal & ethical requirements.

We shouldn’t just explain what the law requires. We must go further and help our colleagues to find practical solutions. Collaboration and mutual understanding are essential ingredients for successful data governance.

Data Protection Basics: The 6 lawful bases

November 2022

A quick guide to the six lawful bases for processing personal data

One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful?

We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis.

For example, a purpose might be:

  • Sending marketing emails to our customers
  • Profiling our audience to better target our marketing
  • Handling staff payroll data to pay salaries
  • Handling customer enquiries about our services
  • Delivering a product a customer has requested
  • Implementing measures to prevent fraud

We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices.

If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.

Quick guide to the 6 lawful bases

(This is not intended to be exhaustive; do check the ICO’s Lawful Basis Guidance.)

1. Contract

This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them, or if you need to collect certain details to take necessary steps before entering into a contract or agreement.

Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.

Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.

Contract tips:

  • It doesn’t apply to other purposes you may use the data for which are not essential.
  • It’s most likely to be used when people are agreeing to T&Cs, although it can also be used where a verbal agreement or request for information is made.
  • The person whose data you’re processing must be party to the contract or agreement with you. It doesn’t apply if you want to process someone’s details, but the contract is with someone else, or with another business.

2. Legal obligation

There may be circumstances where you are legally obliged to conduct certain activities, which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.

Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.

Example 2: Airlines and tour operators collect and process Advance Passenger Information (API) as this is a legal requirement for international air travel.

Legal obligation tips

  • Legal obligation shouldn’t be confused with contractual obligations
  • Document your decision. You should be able to identify either:
    a) the specific legal provision you are relying on
    or
    b) the source of advice/guidance which sets out your obligation.

3. Vital interests

You can collect, use or share personal data in emergency situations, to protect someone’s life.

Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.

Vital interest tips

  • It’s very limited in scope, and should generally only apply in life and death situations.
  • It should only be used when you manifestly can’t rely on another basis. For example, if you could seek consent, you can’t rely on vital interests.

4. Public task

You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.

Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.

Public task tips

  • If you could reasonably perform your tasks or exercise powers in a less intrusive way this basis won’t be appropriate. The processing must be necessary.
  • Document your decisions, specify the task, function or power, and identify the statutory or common law basis.

5. Legitimate Interests

This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect, where there is minimal impact on them, or where you have a compelling justification.

Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours. See also: Legitimate interests – when it isn’t legit.

Legitimate Interests tips

  • Conduct and document a Legitimate Interests Assessment (LIA). This may be relatively simple and straight-forward, or more complex.
  • Consider whether you can provide people with an easy way to object. This is not essential in all situations (e.g. fraud protection).
  • Be open about where you rely on legitimate interests so it’s likely to be in people’s reasonable expectations.
  • Remember to include what your legitimate interests are in your privacy notice.
  • Check the ICO’s guidance on when legitimate interests can be relied upon for marketing activities.

6. Consent

This is when you choose to give individuals a clear choice to use their personal details for a specific purpose and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’.

Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them. See also: Consent, getting it right.

Consent tips:

  • It should be clear what people are consenting to
  • Consent shouldn’t be bundled together for different purposes, each purpose should be distinct
  • It must not be conditional – people shouldn’t be ‘forced’ to consent to an activity as part of signing up to a service.
  • Consent is unlikely to be appropriate where there may be an imbalance of power. For example, if an employee would feel they have no option but to give consent to their employer (or might feel they could be penalised for not giving it).
  • The law sometimes requires consent. For example, under the electronic marketing rules consent is sometimes a requirement.

In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.

Finally, don’t forget, if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9.  For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.

Data Protection Basics: The 7 data protection principles

November 2022

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone for good practice and key to complying with UK / EU GDPR.

Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from.

We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people.

We should also be sure not to do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up to date privacy notice and making this easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.

Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do it, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead.

Remember, if we surprise people, they’ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

  • Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
  • Relevant – relevant to that purpose; and
  • Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up-to-date and not misleading.

It’s good practice to use data validation tools when data is captured or re-used. For example, validate email addresses are in the right format, or verify postal addresses when these are captured online.

If we identify any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed.

Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified.

Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period. Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify.

The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is a key step to making sure you can comply with this principle.

When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer, for example when legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. This requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold.

UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk analyses, and having information security policies & standards in place to guide our staff.

Our approach to security should be proportionate to the risks involved. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take.

Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users.

Cyber Essentials or Cyber Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling their processing of the data you control? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles.

This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team and down through to the teams that process personal data.

To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA).

The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on and be fair and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach.  The ICO has published more detailed guidance on the seven principles.

Controller or processor? What are we?

November 2022

Are you a service provider acting as a processor? Or a controller engaging a service provider? Is the relationship clear?

There are a few regulatory cases which remind us why it’s important to establish whether we’re acting as a controller or a processor, and to clearly define the relationship in contractual terms.

On paper the definitions may seem straightforward, but deciding whether you’re acting as a controller, joint-controller or processor can be a contentious area.

Two regulator rulings to note

  • The ICO has taken action against a company providing email data, cleansing and marketing services. In the enforcement notice, it’s made clear the marketing company had classified itself as a processor. The ICO disagreed.
  • The Spanish data protection authority (AEPD) has ruled a global courier service was acting as a controller for the deliveries it was making. Why? Largely due to insufficient contractual arrangements setting out the relationship and the nature of the processing.

Many a debate has been had between DPOs, lawyers and other privacy professionals when trying to classify the relationship between different parties.

It’s not unusual for it to be automatically assumed all suppliers providing a service are acting as processors, but this isn’t always the case. Sometimes joint controllership, or separate distinct controllers, is more appropriate.

Organisations more often than not act as both, acting as controller and processor for specific processing tasks. Few companies will solely be a processor; for example, most will be a controller for at least their own employment data, and often for their own marketing activities too.

What the law says about controllers and processors

The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

How to decide which we are

There are some key questions to ask which will help organisations reach a conclusion.

  • Do we decide how and what personal data is collected?
  • Are we responsible for deciding the purposes for which the personal data is processed?
  • Do we use personal data received from a third party for our own business purposes?
  • Do we decide the lawful basis for the processing tasks we are carrying out?
  • Are we responsible for making sure people are informed about the processing? (Is it our privacy notice people should see?)
  • Are we responsible for handling individual privacy rights, such as data subject access requests?
  • Is it us who’ll notify the regulator and/or affected individuals in the event of a significant data breach?

If you’re answering ‘yes’ to some or all of these questions, it’s highly likely you’re a controller.

And the ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.

Controller or processor? Why it’s important to confirm your status

Controllers have a higher level of accountability to comply with all data protection principles, and are also responsible for the compliance of their processors.

If you are a processor, you must only handle the controller’s data under their instructions.

This means if you’re doing anything else with this data, for your own purposes, you can’t be a processor for those purposes. You will be acting as a controller when the processing is for your own purposes.

Let’s be clear though, this doesn’t mean a processor can’t make some technical decisions about how personal data is processed.
Data protection law does not prevent processors providing added value services for their clients. But as a processor you must always process data in accordance with the controller’s instructions.

Processors also have a number of direct obligations under UK GDPR – such as the technical and organisational measures they use to protect personal data. A processor is responsible for ensuring the compliance of any sub-processors it may use to fulfil its services to a controller.

Controller-Processor data processing agreements

If the relationship is controller to processor, you must make sure you have a suitable agreement in place. The specific requirements for what must be included in contractual terms between a controller and processor are set out in Article 28 of EU / UK GDPR.

Often overlooked is the need to have clear documented instructions from the controller. These instructions are often provided as an annex to the main contract (or master services agreement), so they can be updated if the processing changes.

There will be times where you’re looking to engage the services of a household name, a well-known and well-used processor. There may be limited or no flexibility to negotiate contractual terms. In such cases, it pays to check the terms and, if necessary, take a risk-based view on whether you wish to proceed.

What’s clear from the Spanish courier case is how important it is to have contracts in place defining the relationship. The ICO ruling demonstrates even if your contract says you’re a processor, if you are in fact in control of the processing, this will be overturned, and you’d be expected to meet your obligations as a controller.

Is your data use compatible with what you collected it for?

November 2022

Have the ways you use people's data strayed too far from the original purpose(s)?

An ICO reprimand issued to a Government department serves as a welcome reminder to be careful about what we’re using data for, who we’re sharing it with, and what they might use it for.

Is what we’re doing transparent, fair and reasonable? Are the tasks we now use data for still in line with what we originally collected it for?

In this public sector case, the ICO has chosen not to issue a fine, but rather a warning with a requirement to implement specific measures. Commercial businesses are unlikely to face the same leniency.

What went wrong?

The Department for Education (DfE) received a reprimand from the ICO after it came to light a database containing the learning records of up to 28 million children had been used to check whether people who opened online gambling accounts were aged 18 or over.

The ICO investigation criticised the DfE for failing to protect young people’s data from unauthorised processing by third parties, whose purposes were found to be incompatible with the original purposes the data was collected for.

The DfE has overall responsibility for the Learning Records Service (LRS) database, which provides a record of pupils’ qualifications for education providers to access. Its main purpose is to enable schools, colleges, higher education and other education providers to verify data for educational purposes – such as the academic qualifications of potential students, or check if they are eligible for funding. LRS is only supposed to be used for education purposes.

But the DfE also allowed access to LRS to Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm. They in turn offered their services commercially to other companies, including GB Group, which used it to help betting companies screen new online gambling customers to confirm they were 18 or over.

Trustopia had access to the LRS database from September 2018 to January 2020, carrying out searches involving 22,000 learners.

This incident followed an audit of the DfE’s data activities by the ICO in 2020, which also found the DfE broke data protection laws in how it handled pupil data.

What were the failings?

The ICO found against the DfE in two respects:

  1. It failed in its obligations (as data controller) to use and share children’s data fairly, lawfully and transparently. Individuals were unaware of what was happening and could not object or withdraw from the processing. DfE failed to have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database.
  2. It was also found to have failed to ensure confidentiality by failing to prevent unauthorised access to children’s data. The DfE’s lack of oversight and appropriate controls to protect the data enabled it to be used for other purposes, which were not compatible with the provision of educational services.

In its reprimand the ICO set out clear measures the DfE needs to action to improve data protection practices and make sure children’s learning records are properly protected.

Since the incident, the DfE has confirmed they have permanently removed Trustopia’s access to the data. In fact, they have removed access from 2,600 organisations.

A spokesperson for DfE said the department takes the security of data it holds “extremely seriously” and confirmed it will publish a full response to the ICO by the end of 2022 giving “detailed progress in respect of all the actions identified”.

Why wasn’t there a massive fine?

In keeping with the ICO’s Regulatory Action Policy, they considered issuing a fine of £10 million. This is the amount considered to be ‘effective, proportionate and dissuasive’. However, the Information Commissioner has chosen not to issue a fine in this case, in line with its revised approach to public sector enforcement, announced in June 2022.

Some may find this surprising, so let’s dig deeper. John Edwards, UK Information Commissioner, said:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

So Govt Departments can break the law and not be fined?

Well on the face of it, in the case of data protection, yes! Mr Edwards has confirmed the ICO are trialling a new approach to public sector enforcement which will see more public reprimands without fines, in all but the most serious cases.

In return, the ICO has received a commitment from the Cabinet Office and DCMS to create a cross-Whitehall senior leadership group, to encourage compliance with high data protection standards.

Hmmm… how do we feel about this?

I totally understand issuing a fine to the DfE is, ultimately, a fine against public funds for education. Which means our children could potentially be the ones who would suffer if a hefty fine was imposed. Nobody wins here.

But on the flipside, could this approach significantly weaken the deterrent? Will public sector employees feel motivated enough to take appropriate steps to comply with data protection laws when there’s little risk of being fined?

After all, the private sector will continue to be fined as appropriate when they’re found to have violated the data laws.

What do you think? We’d love to hear your thoughts at info@dpnetwork.org.uk

A timely reminder?

This case serves as a helpful reminder that we need to take care the personal data we collect and hold as an organisation is not used for purposes which are incompatible with the original purposes.

Due diligence is especially important when the data is shared with other organisations, who might use it for their own purposes.

We must always be clear and transparent about how we use people’s data so they have an opportunity to exercise their right to object, and indeed any other privacy rights.

Ask yourself this key question: ‘Is your data use compatible with what you collected it for?’