Data breaches – human or a catalogue of errors?

August 2023

Why systems fail

The recent spate of serious data breaches, not least the awful case involving the Police Service of Northern Ireland (PSNI), left me wondering: who’s really to blame? We’re used to hearing about human error, but is it too easy to point the finger?

Is it really the fault of the person who pressed the send button? An old adage comes to mind, ‘success has a thousand fathers, failure is an orphan.’

Of course, people make mistakes. Training, technology and procedures can easily fail if ignored, either wilfully or otherwise. Yes, people are part of the equation. But that’s what it is. An equation. There are usually other factors at play.

In the PSNI case – one involving safety-critical data – I would argue that any system allowing such unredacted material to enter an FOIA environment in the first place is flawed.

Nobody is immune from human error. About nine years ago, on my second day in a new compliance role, I left my rucksack on the train. Doh! Luckily, there was no personal data relating to my new employer inside. I lost my workplace starter pack and had to cancel my debit card. I recall the sinking feeling as my new boss said, ‘well, that’s a bit embarrassing for someone in your job’. It was. But I knew it could have been so much worse.

Approximately 80% of data breaches are classified by the Information Commissioner’s Office as being caused by human error. Common mistakes include:

  • Email containing personal data sent to the wrong recipients
  • Forwarding attachments containing personal data in error
  • Failing to notice hidden tabs or lines in spreadsheets which contain personal data (this is one of the causes cited in the PSNI case)
  • Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)

However, sometimes I hear about human error breaches and don’t think ‘how did someone accidentally do that?’ Instead, I wonder…

  • Why didn’t anyone spot the inherent risk of having ALL those records in an unprotected spreadsheet in the first place?
  • Why wasn’t there a system in place to prevent people being able to forget to blind copy email recipients?
  • Is anyone reviewing responses to Data Subject Access Requests or FOI requests? What level of supervision / QA exists in that organisation?
  • Why is it acceptable for someone to take confidential papers out of their office?

I could go on.

Technical and Organisational Measures (TOMs)

Rather than human error, should we be blaming a lack of appropriate technical and organisational measures (TOMs) to protect personal data, which are a fundamental data protection requirement?

We all know robust procedures and security measures can mitigate the risk of human error. A simple example – I know employees who receive an alert if they’re about to send an attachment containing personal data without a password.
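The PSNI case cited above turned on hidden content in a spreadsheet, and the alert described in the previous paragraph is exactly the kind of technical measure that catches such errors before the send button is pressed. The following is an added example, not code from the original article or from any of the organisations it mentions: a pre-release check that opens an .xlsx file (which is a zip archive of XML parts) and reports any hidden sheets, rows or columns, so a release workflow can block the file until someone has looked at what is being hidden. The sample workbook is constructed in memory for the demonstration; the sheet names and values in it are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the workbook and worksheet parts of an .xlsx file.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_WS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"


def _col_letter(n: int) -> str:
    """Convert a 1-based column index to its spreadsheet letter (3 -> 'C', 27 -> 'AA')."""
    letters = ""
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def _part_path(target: str) -> str:
    """Resolve a relationship Target to a path inside the zip package."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Scan an .xlsx for hidden sheets, hidden rows and hidden columns.

    Returns a list of finding dicts; an empty list means nothing is hidden.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        # Map relationship ids (rId1, rId2, ...) to worksheet part paths.
        targets = {r.get("Id"): _part_path(r.get("Target"))
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings.append({"kind": "hidden_sheet", "sheet": name, "state": state})
            ws = ET.fromstring(z.read(targets[sheet.get(f"{{{NS_REL}}}id")]))
            hidden_rows = [int(row.get("r")) for row in ws.iter(f"{{{NS_MAIN}}}row")
                           if row.get("hidden") in ("1", "true")]
            if hidden_rows:
                findings.append({"kind": "hidden_rows", "sheet": name, "rows": hidden_rows})
            hidden_cols = []
            for col in ws.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    hidden_cols.extend(_col_letter(i) for i in
                                       range(int(col.get("min")), int(col.get("max")) + 1))
            if hidden_cols:
                findings.append({"kind": "hidden_columns", "sheet": name, "columns": hidden_cols})
    return findings


def safe_to_release(xlsx_bytes: bytes) -> bool:
    """Release gate: a workbook is only cleared when nothing in it is hidden."""
    return not find_hidden_content(xlsx_bytes)


def build_sample_workbook(clean: bool = False) -> bytes:
    """Constructed sample .xlsx built in memory (invented data, not a real file).

    By default it looks like a harmless headcount table but carries a hidden
    'Staff list' sheet, a hidden row 2 and a hidden column C on 'Summary'.
    With clean=True the same workbook has nothing hidden.
    """
    hidden = "" if clean else ' hidden="1"'
    state = "" if clean else ' state="hidden"'
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Staff list" sheetId="2"{state} r:id="rId2"/>'
        '</sheets></workbook>'
    )
    rels_xml = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId1" Type="{REL_WS}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{REL_WS}" Target="worksheets/sheet2.xml"/>'
        '</Relationships>'
    )
    summary_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" width="12"{hidden}/></cols>'
        '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Rank</t></is></c>'
        '<c r="B1" t="inlineStr"><is><t>Headcount</t></is></c></row>'
        f'<row r="2"{hidden}><c r="A2" t="inlineStr"><is><t>Constable</t></is></c>'
        '<c r="B2"><v>1234</v></c></row></sheetData></worksheet>'
    )
    staff_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1">'
        '<c r="A1" t="inlineStr"><is><t>Surname</t></is></c></row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        z.writestr("xl/worksheets/sheet1.xml", summary_xml)
        z.writestr("xl/worksheets/sheet2.xml", staff_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_hidden_content(build_sample_workbook()):
        print(finding)
    print("clean workbook cleared:", safe_to_release(build_sample_workbook(clean=True)))
```

The check deliberately treats any hidden element as a blocker rather than trying to judge whether the hidden content is personal data: a human reviewer decides that, but only once the tool has made the hidden material visible to them. Hooking it into the FOI response process is the point; a control that only runs when someone remembers to run it is not a control.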

Alongside this, data protection training is a must, but it should never be a ‘tick box’ exercise. It shouldn’t be a case of ‘annual online training module completed; no further action required!’ We need to make sure training is relevant and effective and delivers key learning points and messages. Training should be reinforced with regular awareness campaigns. Using mistakes (big or small) as case studies is a good way to keep people alert to the risks. This is another reason why post-event investigation is so important as a lesson-learning exercise.

Rather than being a liability, if we arm people with enough knowledge they can become our greatest asset in preventing data breaches.

Chatting with my husband about this, he mentioned a boss once asking him to provide some highly sensitive information on a spreadsheet. Despite the seniority and insistence of the individual, my husband refused. He offered an alternative solution, with protecting people’s data at heart. Armed with enough knowledge, he knew what he had been asked to do was foolhardy.

Lessons from previous breaches

It’s too early to call what precisely led to these recent breaches:

  • The Police Service of Northern Ireland publicly releasing a spreadsheet containing the details of 10,000 police officers and other staff in response to a Freedom of Information request
  • Norfolk and Suffolk Police accidentally releasing details of victims and witnesses of crime
  • A Scottish genealogy website revealing thousands of adopted children’s names.

However, we can learn from previous breaches and the findings of previous ICO investigations.

You may recall the case of Heathrow Airport’s lost unencrypted memory stick. Although ostensibly a case of human error, the ICO established the Airport failed not only ‘to ensure that the personal data held on its network was properly secured’, but also failed to provide sufficient training in relation to data protection and information security. The person blamed for the breach was unaware the memory stick should have been encrypted in the first place.

Then there was the Cabinet Office breach in which people’s home addresses were published publicly in the New Year’s Honours list. The actual person who published the list must’ve had a nightmare when they realised what had happened. But the ICO findings revealed a new IT system was rushed in and set up incorrectly. The procedure given for people to follow was incorrect. A tight deadline meant short-cuts were taken. The Cabinet Office was found to have been complacent.

The lesson here? Data breaches aren’t always solely the fault of the person pressing the ‘send’ button. Too often, systems and procedures have already failed. Data protection is a mindset. A culture. Not an add-on. As the PSNI has sadly discovered, in the most awful of circumstances.

The impact breaches can have on employees, customers, victims of crime, patients and so on, can be devastating. Just the knowledge that their data is ‘out there’ can cause distress and worry.

Data protection law doesn’t spell out what businesses must do. To know where data protection risks lie, we need to know what personal data we have across the business and what it’s being used for. Risks need to be assessed and managed. And the measures put in place need to be proportionate to the risk.

What types of data protection risk are there?

August 2023

Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could be?

There are risks to individuals (e.g. employees, customers, patients, clients etc) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use of data.

Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions.

We should recognise our service & technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements.

International data transfers are another area where due diligence is required to make sure these transfers are lawful, and if not, to recognise that this represents a risk.

Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding themselves facing a PECR fine and the subsequent reputational damage.

The seven core data protection principles under UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie.

Data protection principles

1. Lawfulness, fairness and transparency

Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide

2. Purpose limitation

Are we only using personal data in the ways we told people it would be used for? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain.

3. Minimisation

Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future?

4. Accuracy

Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us.

5. Storage limitation

Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request or an Erasure Request. See DPN Data Retention Guidance

6. Information Security

Have we implemented robust security measures and controls to make sure personal data is protected, both when at rest on our systems and when it’s transferred?

7. Accountability

Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records & evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance

The lengths we go to in trying to embed these principles across our organisation will clearly differ depending on the sensitivity of the personal data involved and what we’re using it for. When considering what security measures are appropriate, we should take a proportionate approach.

Some activities can automatically bring with them more risk. For example; handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI and any activities which could result in an automated decision being made about someone.

We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention.

In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help you to identify data risks from the outset so you can put measures in place to mitigate them before they have any opportunity to become an issue. See DPN DPIA Guide.

Mistakes can happen

Here are some issues or gaps which could lead to data protection risks coming to the surface.

  • People-related risks – such as lack of training and lack of governance or ownership
  • Process risks – such as poor data handling procedures or manual processing on Excel / Sheets.
  • Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes.

If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging.

Listen back to our online discussion: Managing and Assessing Data Protection Risks 

Why is data mapping so crucial?

August 2023

Locating data across your business and creating your records

It’s widely recognised as the best foundation for any successful privacy programme; map your data and create a Record of Processing Activities.

It’s one of the UK Information Commissioner’s Office’s (ICO) key expectations:

‘Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.’

Believe it or not, some people don’t get excited by data mapping and record keeping! Nevertheless, maintaining effective records of your data processing is an important obligation under data protection law, which gives a range of benefits to your privacy programme. So let’s take a look.

Data discovery and mapping

This is the process of mapping out your data and how it flows across the business. Personal data may be held on a wide range of systems used by almost every function of the business – including HR, Marketing, Operations, IT, Logistics and so on. In many situations the data may be located on third party supplier systems.

So where to start? First talk with your IT colleagues who look after the systems the data is located on. Some businesses may already have an inventory of their systems.

Mature businesses might even have an Information Asset Register (IAR), which lists all your information assets on each system. If so, you’re off to a flyer!

But if you’re not in that fortunate position, there are various ways to conduct a data mapping exercise. We suggest you take it a step at a time and set clear priorities.

Focus on the datasets which are likely to pose the greatest data protection risk in the event of a data breach or other privacy violation. You can always build out from there later.

You might consider using technology to ‘sniff out’ personal data. Or you might talk with your IT teams to draft an inventory of your key systems & service providers, what personal data they hold and who the internal ‘owners’ (decision-makers) for these datasets are.

Record of Processing Activities (RoPA)

A RoPA is a key requirement for many organisations under the UK & EU GDPRs; notably those with 250 plus employees. This requirement applies to both controllers and processors. There is a limited exemption for small and medium-sized organisations which don’t handle particularly sensitive data.

But what is the data used for? A RoPA links your personal data assets to the activities the data is used for, by whom, where the data is located, any third parties it’s shared with, what measures are in place to protect it… and so on.

Fortunately, these activities (or uses for personal data) are usually linked to specific business functions/teams within an organisation. For example, the HR team will know all the activities associated with recruitment and employment of staff.

To create the RoPA, the two main approaches are to a) invest in privacy software with a RoPA module or b) use an Excel-based template from a Supervisory Authority (e.g. the ICO) and populate it by collaborating with all the business functions which use personal data.

This is not a task to be taken lightly; the requirements for record keeping are onerous. It’s an area which many businesses have found challenging. And once you’ve created the RoPA, you’ll need to keep it up to date over time.

Gain extra benefits

Your RoPA should be the first place to look if you suffer a data breach, helping you to identify the categories of individual, sensitivity of the data, any data processors involved, who the data was shared with and so on. It can also be very helpful to reference your RoPA when handling Data Subject Access Requests, so you know where to look for the data required.

A proportionate approach for smaller organisations

Even smaller organisations, which may benefit from exemption from creating a full RoPA, still have basic record keeping responsibilities, which should not be overlooked and could still prove very useful. Smaller organisations only need to document their processing which is:

  • not occasional – therefore all the frequent processing must still be documented; or
  • activities which could result in a risk to the rights and freedoms of individuals; or
  • those which involve the processing of special categories of personal data, or data on criminal convictions.

A short guide to keeping your data records complete and up-to-date

1. Why? – The need for accurate records

If your records are allowed to become outdated, you can quickly lose track of the reach of your processing, resulting in uncertainty when you most need clarity. After all, if you don’t know about certain processing, or hold a record of it, how can you possibly be sure the business is protecting that data?

There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a Data Protection Impact Assessment or Legitimate Interests Assessment.

If requested you might need to make your records available to a Supervisory Authority, such as the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Stakeholder relations

Make sure you have enlisted the support of your Board, as you’ll need help from many stakeholders to update you about changes to data processing in their area and notify you of new service providers to keep the RoPA updated.

No DPO or data protection team can create or maintain the records on their own. They always need the support of others. We suggest you use a ‘top down’ as well as a ‘bottom up’ approach.

Have you identified ‘data owners’ who are accountable for key datasets within the business? For example:

  • Human Resources – employment & recruitment data
  • Sales & Marketing – customer / client data
  • Procurement – supplier data; and so on

Each data owner needs to understand their role & responsibilities to meet internal data policies and ensure their function’s processing complies with data laws.

Building a regular two-way dialogue with data owners is essential, not only for record keeping but for many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.

3. What? – Make sure you’re capturing all the right information

Check you’re capturing all the RoPA requirements. These are slightly different if you act as a controller or processor (or may act as both). If you want to check, see the ICO’s guidance on documentation.

I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Remember, you can’t make sure personal data is adequately protected if you don’t know where it is and what it’s used for. Good luck!


Dossiers, profiles and the data protection conundrum

August 2023

‘We have a file on you…’ It sounds sinister. Like something from a spy movie.

Nonetheless, there are many reasons why organisations create and retain profiles on individuals. Recently, this hitherto unremarkable topic took centre stage via the ‘Farage-gate’ de-banking affair. Suffice to say the fallout for NatWest and its private banking arm, Coutts, has been disastrous. We also know Nigel Farage won’t be the only person on whom banks have compiled profiles. Nor are banks the only businesses to do so.

I’m not going to dwell too much on Nigel Farage or NatWest’s handling of his case. As a data protection practitioner what interests me are the inherent difficulties around creating compliant dossiers or profiles for legitimate business purposes.

Some organisations may have been blissfully unaware of the risks around ‘business intelligence’ or ‘due diligence’ profiling (until Farage-gate, that is). Others may decide the business benefits of the information they’re holding on individuals outweighs the potential risk.

Here’s a list of just some of the reasons businesses may choose to enhance the records held on individuals or create new records.

  • Business pitches: In preparing a business pitch, it seems logical to research potential customers or partners. Consider corporate hospitality, for example – do they support Arsenal or enjoy horse racing? These might be the little details that seal the deal.
  • Employment: For many roles, it would seem perverse to NOT perform basic due diligence on a candidate. Indeed, some organisations might be criticised for not doing so.
  • Donations: Charities, academic institutions and research bodies might receive a donation and want to know if it might be reputationally damaging to accept. Or they may research high-profile figures and/or philanthropists to see if they’re a good fit to approach to support their cause.
  • The personal touch: A client or customer shares sensitive information about themselves in everyday conversation. Their partner is unwell, for example. Do you want to keep a record, so you remember to ask after them the next time you speak? Or they might mention it’s their birthday – shall we keep a note so you can send flowers next year? My local Indian restaurant always sent my husband a birthday card, which he is always delighted to receive (although it might have had something to do with the complimentary samosas).
  • Activists & risk management: You may be aware of individuals who seek to disrupt your business activities for political or environmental reasons. In fact, you might argue you’ve an obligation to establish the risk for employee welfare and safety purposes.
  • Complainers: You might wish to alert your contact centre staff to customers who are prolific / abusive and / or vexatious complainants.
  • Social media commentators: You learn of people prone to unfairly badmouthing your business on Twitter / ‘X’, Facebook or online forums. You might choose to monitor their output for rebuttal purposes (incidentally, most major political parties do this via ‘rebuttal units’).

There are endless scenarios why it makes good business sense to add information to a record you hold, or to create specific profiles about people. Clearly, the more sensitive the information, the more risk involved should the record be exposed – especially if you haven’t been open about what you’re doing.

The data protection conundrum

There’s something of a Catch-22 here. One of the core principles of data protection law is that the handling of personal data must be lawful, fair and transparent.

Lawful basis

To be lawful, you firstly shouldn’t do anything obviously illegal. Secondly, you also require a lawful basis for the purpose for which you’re using personal data. There are six to choose from:

  • Contract: You may be able to rely on contract if it’s necessary to gather this information for the purposes of a contractual relationship with the individual, or to take steps before entering into a contract with them. Banking is a good example, with its regulatory rules around money-laundering.
  • Public interest: You may be able to argue your actions are in the public interest. The risk here is conflating your interests with the public’s! The threshold here is pretty specific, usually for public protection and safety.
  • Legal obligation: You may have a statutory or sector-specific obligation to gather and hold certain information (banking, again, is a prime example).
  • Vital interests: This would only apply in an emergency; a life and death type situation.
  • Consent: You could ask the individual for their specific, informed and unambiguous consent. (hmmm, perhaps not … although in some parts of the world consenting to intrusive pre-employment screening is a prerequisite of recruitment processes).
  • Legitimate interests: You could balance your business interests, with the interests, rights and freedoms of the individual.

As you can see, at the first hurdle organisations may struggle to squeeze what they’re doing into a lawful basis. A quick glance might even suggest swathes of business intelligence and due diligence practices may technically be unlawful.

Many will have regulatory reasons that may fall under Legal Obligation or Legitimate Interests. Is your business or organisation one of them?

Legitimate Interests is often the lawful basis businesses choose, but would the balancing test of your business interests against the interests, rights and freedoms of the individual really stand up to scrutiny? Perhaps not, if they have no idea you’re doing it. Which brings me neatly on to transparency…

Transparency

Data protection law tells us we should be open and upfront about what we do. Alongside this, people have a fundamental right to be informed about how we collect and use their personal information.

Your privacy notice (aka Privacy Policy) should cover the purposes you use personal data for. It may say something like; ‘We create profiles to better understand our customers and improve the service we provide’. It may clearly state you conduct ‘wealth screening’ or collect data indirectly from openly available sources.

But is it really that transparent? And has this privacy notice been brought to people’s attention, not camouflaged using acres of small print? Probably not, if the dossiers or profiles you’re creating aren’t related to people you enjoy an existing relationship with.

So, at this second hurdle, organisations may fail to meet transparency requirements.

Data collected indirectly

Arguably one of the most widely ignored aspects of data protection law (especially in this context) is the requirement to inform people and provide privacy information when we’ve collected their data indirectly, i.e. from another organisation or from openly available sources.

This should be done ‘within a reasonable period after obtaining the personal data, but at the latest within one month’. If the personal information’s going to be used for a communication with the individual, ‘at the latest at the time of the first communication’.

There are some exceptions, such as where providing this information would involve disproportionate effort, and where the personal information must remain confidential subject to an obligation of professional secrecy.

In practice, individuals will often be blissfully unaware that dossiers and profiles have been created about them, until things go wrong.

What are the risks?

The two main ways in which data protection risks could materialise are a Data Subject Access Request (as the Nigel Farage case demonstrates) or a data breach.

Businesses should ask themselves – what would your response to a Data Subject Access Request (DSAR) look like? When gathering and keeping additional information about people, you need to consider the repercussions should you be required to disclose this information to the individual themselves. How likely is the individual to submit a request for a copy of their personal data? And if so, how damaging could it be?

Even if a DSAR feels highly unlikely, what would be the potential impact should this information be disclosed in a data breach?

How can you mitigate the risks?

Imagine your lawful basis is tenuous and people are unaware you’re holding a dossier or profile on them. Nonetheless, you still feel there’s a genuine business necessity. What can you do?

I know at this point, some people in my world might begin clutching their pearls, but with a seriously practical head on? We can reduce the risk by following other data protection principles:

  • Only gather and retain what you really need and can justify. Be proportionate – as the Farage case shows, do you really need all the information you’ve garnered when researching someone?
  • Delete it promptly when you no longer need it
  • Store it securely and limit access to only those who need it
  • Make a record of your decisions. It’s much easier down the line to argue necessity if you’ve made a proper record at the time.

Don’t share material unless absolutely necessary and be mindful of the sensitivity of the details you’re keeping. If you feel it’s necessary to offer a view on someone’s opinions or politics – that becomes their personal data too. I can think of several reasons why that might be an entirely reasonable thing to do. Conversely, I can think of many reasons why it might not be!

So what do you think now? Are your dossiers or profiles really necessary and justifiable? Make sure you’re ready to defend your actions to individuals, the ICO or ultimately to the courts.

International Data Transfer Resources

How to tackle international data transfers

The rules on international data transfers under UK/EU data protection law can be complex to navigate. At the core is a requirement for specific safeguard measures to be in place for what are termed ‘restricted transfers’ and for companies to assess the risk posed to individuals by transferring their data overseas.

Data Transfers Q&A

Multiple different scenarios for international data transfers throw up all kinds of questions. We’ve selected some questions raised by our audience which we believe will be common to many organisations: International Data Transfers Q&A with Debbie Venn, Partner at DMH Stallard LLP.

Other useful resources

UK

ICO Guidance – International Data Transfer Agreement

ICO Guidance and Tool – UK Transfer Risk Assessments

EU

European Data Protection Board Guidance on International Data Transfers

European Data Protection Board – information sheet re US adequacy decision

European Data Protection Board supplementary measures recommendations

Five Data Protection Essentials

June 2023

What we can't survive without

On Radio 4’s Desert Island Discs, guests are asked to choose eight songs, a luxury item and a book they couldn’t live without. The less glamorous version is Privacy Island Discs, where we choose just five essentials for data protection survival.

Although you might choose differently, here are my five ‘must haves’, plus a luxury item and a ‘good’ read.

Privacy Survival Kit

1. Understand our data

What key sets of personal data do we have and how are our people using them?

Without knowing this information we can’t get a handle on any potential data protection risks. Even if we don’t fall under the mandatory requirement to create and maintain a ‘record of processing activities’, it never hurts to map out what data we have and create a record.

Even a simple version – of what data we hold, what it’s used for, who it’s shared with and how long we keep it. Down the line, this sort of reference tool is invaluable in the event of a data breach, privacy rights request or other issues.

2. Training, awareness & guidance

We can’t expect our people to protect personal data and keep it secure if we don’t guide them

We need to train employees in how we expect them to behave, empowering them to make sensible and reasoned decisions.

They need enough knowledge to handle most situations in their role, but raise a query when they’re unsure and raise an alarm when necessary. And often, what they need to know will differ depending on their role.

Good data protection training and clear data policies and procedures are essential. Clearly this can be proportionate based on organisational requirements and the type of data held.

As a starter:

  • Do people know what a suspected data breach looks like and the most common causes? Do they know what to do if they suspect one has happened? Do they know they won’t be punished if they make a mistake?
  • Do people know what privacy rights we all enjoy, such as the right of access, right to object, right to erasure? Again, do they know what to do if they receive a request?
  • Have they ever considered if their processing is fair and lawful?
  • Do people have clear guidance for secure storage and sharing of personal data?

Annual online data protection training which doesn’t feel relevant, a dry data protection policy which no one reads and/or knows where to find, and no clear rules about basic data security all mean mistakes are more likely. Remember, more than three quarters of reported breaches are the result of human error.

Try to avoid making this a ‘tick-box’ exercise by creating easy to understand policies and guides. Get the Comms or Marketing team involved in raising awareness as an ongoing exercise. Use mistakes and organisational learning to reinforce key messages. How to focus data protection training

3. No surprises!

Give people information about how we use their personal data

Transparency is a key principle underpinning data protection law. We’re told we need to be honest and open about how we collect and use people’s personal information.

A privacy notice (aka privacy policy) is an absolute must have; UK / EU GDPRs set out what we must include. It may be the least visited page on our website, but not for complainers and regulators! A ‘vanilla’ notice copied from another website is unlikely to cut the mustard. For more on this see our Privacy Notice Quick Guide.

This also takes us back to my first must have; if we don’t know what data we hold and what it’s used for we can’t really have a privacy notice which truly reflects what we do.

4. Data sharing

Be open about data sharing and do it securely

Often, we need to share personal data with our colleagues and other organisations. Will people be surprised their data is being shared, are we only sharing what’s absolutely necessary and are we sharing it securely?

Our 10-point data sharing checklist has some useful pointers when sharing data with other organisations who’ll use the data for their own purposes (controllers).

If we’re permitting third parties such as service providers and technology vendors to handle our data, there are very specific contractual requirements.

Data protection and our suppliers

Cyber-attacks on the MOVEit file transfer software (affecting payroll provider Zellis) and on Capita just illustrate how important it is to be on top of our supply chain contracting and due diligence. A few years back, a breach at the survey provider Typeform impacted hundreds of different organisations who used their services.

And this is before we even get started on the murky and complex world of International Data Transfers. But never fear, if the plethora of acronyms and jargon is making your head explode, you can tune in on 20 July as we Demystify International Data Transfers and/or read our International Data Transfers Guide.

5. Be prepared for the worst

Have a plan!

When a significant data breach happens, the first 24 hours can be crucial in reducing potential fallout. Thinking ‘we’ll deal with it when it happens’ isn’t a plan at all – it’s a recipe for disaster. The 72-hour timescale to notify the Supervisory Authority of a reportable breach can evaporate so fast – especially if it happens on a Friday or during a holiday period!

Even a simple procedure, covering which key people will investigate, make decisions and answer core questions, plus a clear method for assessing the risk, will mitigate internal panic. See our Data Breach Guide or listen to our tackling data breaches webinar.

My luxury privacy island item

Now, this shouldn’t really be a luxury, and may sound familiar to some readers. My luxury item is a CEO who genuinely recognises data protection is quite important. (Hmmm… are we stuck together on privacy island?)

Oh, and for a light beach read I’m taking the ICO’s Right of Access Guidance.

Honest.

Cookie compensation demands

June 2023

A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office.

It’s not ransomware or a phishing attempt.

No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official looking, legally-laden letters being received by companies. The simple message: your cookies are non-compliant, this is distressing me and I want money from you.

And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters. They aren’t complaining to a regulator, they’re coming straight to your front door or inbox.

Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck.

For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools which you can just pop a website domain name into, and hey presto! A scan is run, and the results returned, revealing any cookie sins you may have committed.

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be it’s not compliant with UK GDPR / Privacy and Electronic Communications Regulations (PECR).

The letters often assume personal data is captured by the cookies – which may or may not be true. However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress.’

As for how much – this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them and never hearing from the complainant again. Others are standing their ground and asking for evidence of distress or damage. Some take a look at their cookies and similar tech and think: okay, fair cop, we aren’t compliant, so we’ll pay.

If you pay out, you still need to get your cookie house in order quickly. If you don’t resolve the issues, there’s a risk the claimant could be back in a few months’ time.

What are the cookie rules?

Before we blame GDPR: in the UK, the rules for cookies and similar technologies are set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive.

In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example, website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws; you can read more about this here.) The French regulator, CNIL, however, accepts statistical cookies as strictly necessary.

When GDPR came into effect in 2018, consent needed to meet a higher standard. The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is that, under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly, under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only way to completely avoid a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what type of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Otherwise, the options are to ignore the demand, stand your ground or pay out.
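To make the ‘know what cookies you set, and only drop non-essential ones on explicit consent’ advice concrete, here is an added example (not code from the original post or from any consent product): a small audit that compares the cookies actually present in a browser’s cookie string against the inventory the site declares and the consent the banner recorded. The inventory, cookie names, categories and sample cookie string are all constructed assumptions for illustration.

```javascript
// Added example, not from the original post. Cookie names, categories and
// purposes below are constructed to illustrate a declared cookie inventory.
const COOKIE_INVENTORY = {
  session_id: { category: "strictly-necessary", purpose: "keeps the user logged in" },
  csrf_token: { category: "strictly-necessary", purpose: "protects forms from forgery" },
  _ga:        { category: "analytics",          purpose: "site usage statistics" },
  ad_id:      { category: "advertising",        purpose: "personalised advertising" },
};

// Categories that need prior consent (UK reading: analytics is not strictly necessary).
const NON_ESSENTIAL = ["analytics", "advertising"];

// Split a document.cookie / Cookie header string into the cookie names present.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => pair.split("=")[0].trim());
}

// Normalise what the banner recorded: a category counts as consented only when
// the user explicitly opted in. Missing or implied consent is treated as "no".
function normaliseConsent(choices) {
  const consent = {};
  for (const category of NON_ESSENTIAL) {
    consent[category] = choices[category] === true;
  }
  return consent;
}

// Return findings for cookies that should not be present given the consent state:
// undeclared cookies (nothing in the notice explains them) and non-essential
// cookies dropped without the matching opt-in.
function auditCookies(cookieString, choices) {
  const consent = normaliseConsent(choices);
  const findings = [];
  for (const name of parseCookieNames(cookieString)) {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) {
      findings.push({ name, issue: "undeclared" });
    } else if (entry.category !== "strictly-necessary" && !consent[entry.category]) {
      findings.push({ name, issue: "set-without-consent", category: entry.category });
    }
  }
  return findings;
}

// Constructed sample: a first visit where the banner was shown but nothing accepted.
const FIRST_VISIT = "session_id=abc123; _ga=GA1.2.111; ad_id=x9; tracker=1";
```

Running `auditCookies(FIRST_VISIT, {})` flags `_ga` and `ad_id` as set without consent and `tracker` as undeclared; the same check run in the browser against `document.cookie` after each banner state is a cheap way to catch exactly the sins the free scanners report.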

I’ve heard a little rumour, one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.

Data Protection Impact Assessments: 10 Tips

How to get your DPIA process on track

Do teams know when a Data Protection Impact Assessment should be conducted? Are you carrying out too many, or too few?

Don’t make DPIAs an onerous box ticking exercise. If DPIAs are solely seen through the prism of compliance, they’ll be seen as a burden. They may be attempted half-heartedly or left inadequately completed.

If this is happening it’s time to shout about what a valuable tool they are!

Assessing potential data protection risks from the start of a project acts as a handy warning system for the business and protects those whose personal information is involved from unnecessary risks. DPIAs help to identify risks in advance, before they can potentially become a bigger problem.

10 tips for getting your DPIA process on track

1. Create a DPIA screening questionnaire

Put together a set of questions for business owners and/or project leads to use, which help to identify if a DPIA is required or not for their particular project or activity.

This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they aren’t necessary.

2. Identify types of projects likely to need a DPIA

In some situations DPIAs are mandatory under UK/EU GDPR, in others they may be a ‘good to do’. So, it’s helpful to set out some clear guidelines which explain your organisation’s position on this. When does your business consider it appropriate to carry out a DPIA?

For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third party ad tech providers? Does the project involve children or special category data? Are you transferring data outside the UK/EEA? And so on.

3. Don’t forget your marketing related activities

It can be easy to forget marketing related activities could require or benefit from a DPIA. If marketing could result in a ‘high risk’ to individuals it’s likely you’ll need to do an assessment of the data protection risks. Here are some examples:

    • ‘large scale’ profiling of individuals for marketing purposes
    • matching datasets for marketing purposes
    • processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
    • using geo-location data for marketing purposes
    • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
    • targeting children or other vulnerable individuals for marketing purposes.

4. Design an easy-to-use DPIA process

You’re unlikely to reap the benefits if you have an unwieldy DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical, usable DPIA template which is as straightforward as possible for people to follow.

The ICO has published a DPIA template, but there is nothing to stop you adapting this to suit your business. You may also choose to have a simplified version for less complex projects.

Does your process help your teams to identify and assess privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.

5. DPIA training

Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walk them through the process, what sort of risks to look out for and so on.

The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO’s DPIA guidance specifically mentions the need to provide specialist training.

6. Awareness

If teams don’t know what DPIAs are, they may push forward with new projects and innovations, and fail to consider the potential data protection issues. This may come back to bite you just before a project launches… or worse afterwards if you receive a complaint, breach and/or regulatory scrutiny.

Once all your ducks are in a row, i.e. when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.

7. Start early

Talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them early on.

8. Collaborate

A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays.

Engage business and project management stakeholders at an early stage, so you can scope out the processing and start to identify any potential privacy risks, and consider mitigating measures.

9. Keep revisiting your DPIA

Throughout the different stages of a project keep an ongoing dialogue with stakeholders, especially with Agile projects which may expand over time. Check whether new ideas or new developments have a data protection impact.

10. Review

Once a DPIA is completed, set review dates, so you can check if things have changed.

For instance, you may have developed a new app, and six months later you want to improve the functionality, adding new features – what data protection issues could this raise?

Also keep your screening questionnaire, template and guidelines under review; there will always be enhancements you can make to make them more effective. Why not ask teams for feedback on how they can be improved?

DPIAs can feel a bit daunting, but the more familiar people are with the process, the risks they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.