How to get buy-in for DPIAs

February 2022

How do we get people engaged with Data Protection Impact Assessments?

DPIAs often get a bad rap. Privacy people often say their project managers and team leaders don’t understand them and don’t like them: they’re seen as too onerous, and they get started but often linger incomplete.

So, how do you get people in the business to understand and play along?

Let’s be clear – risk assessments (and a DPIA is one of these) can be one of the most useful tools in your data protection toolkit. Used properly, they can really help identify, assess and tackle risks before they even see the light of day.

When should you carry out a DPIA?

Just to recap: we know we need to conduct DPIAs where our projects, initiatives, system changes and so on are likely to represent a high risk to those whose data is involved. Note ‘high risk’. You’ll need to take account of the scope, type and manner of the proposed processing.

It’s not always easy to judge where this threshold falls, so some businesses end up carrying out far more DPIAs than needed, whilst others carry out too few. Fortunately the ICO have given examples of processing ‘likely to result in high risk’ to help you make this call.

Regulated sectors, such as financial services & telecoms, have more to think about and may adopt a cautious approach.

Engage with your teams

First rule of DPIA Club is… we MUST talk about it!

Build relationships with the people who ‘do new stuff’ with your data: the people who run development projects and the key stakeholders, such as heads of the main functions which process personal data across your business, e.g. Marketing, Operations, HR, etc. If you have a Procurement team, then target them too.

Ask what projects they have on the horizon. The aim is to make them aware of DPIA requirements and ask them to give you an early ‘heads up’ if they are looking to onboard a new service provider or indeed use data for an innovative new project.

Let them know tech projects and system migrations almost always involve some kind of personal data processing. They should be mindful of the potential for this to lead to privacy risks.

If they think about data protection from the outset it will save valuable time and money in the long run, and avoid unwelcome hiccups further down the line. Give them examples of how things have gone wrong or could go wrong.

You could raise awareness across the business using your intranet, email reminders, posters, drop-in clinics … whatever it takes to get the message across.

A regular dialogue about upcoming technology projects, a DPIA screening form or (for larger businesses) a technology ‘gating’ process are all good ways to get a heads up on new projects. These will help you quickly identify whether a DPIA is needed or not.

Steve Priestly, Head of Data Protection (UK & MET), Travelex:

‘We place a key focus on highlighting to stakeholders the benefits of early engagement in the DPIA process. Continual collaboration with your stakeholders is also key, understanding what they are trying to achieve. Lastly, ongoing DPIA education and awareness will help in the long-term to embed a strong data privacy culture.’

Use a good DPIA template

In my opinion too many businesses use complex and jargon-filled screening questionnaires and DPIA templates, which many people find hard to understand. They ask questions in ‘GDPR-talk’ which people find hard to grasp and answer, and they often don’t really help people to identify what privacy risks actually look like.

Take a look at your DPIA template with fresh eyes. If you don’t like it, use a better one, or adapt it to fit your business’s ways of working.

Be prepared for Agile working

So many development projects are Agile now, and this requires adapting your approach. You won’t get all the answers you need at the start. Stay close to the project as it evolves and be ready to roll your DPIA in line with scheduled sprints or scrums, but before data migrates. See also: DPIAs – How to assess projects in an Agile environment.

DPIA approaches

It’s a good idea to keep tabs on how many data projects are in progress, how many lead to DPIAs and what the status of these is. This means you will know if you need to drum up more engagement or not.

Here are a couple of examples of the approaches taken by different businesses.

Use of technology tools

Stephen Baigrie, Managing Counsel, IT, Procurement & Privacy at Balfour Beatty:

“At Balfour Beatty we use an online privacy compliance platform to manage DPIAs and to enable early stakeholder engagement. We worked with our Group Data Protection Officer and Information Security team to formulate user-friendly assessment templates.

We use a pre-DPIA screening qualifier to help identify if a full DPIA is required and run a working group with Data Protection, Legal and Information Security stakeholders to track DPIAs and vendor due diligence matters.”

“Where appropriate, we adopt a self-service model for DPIA completion to help improve privacy awareness and seek to be agile by continuously improving and evolving our privacy processes.”

An integral part of the change governance process

Christopher Whitewood (CIPP/E, CIPM), Privacy & Data Protection Officer at Direct Line Group:

“We have mandated that a risk assessment must be conducted as part of our change governance process. Our DPIA is included as part of a single online risk assessment form which allows for an early risk assessment by Privacy, Security and Business Continuity Teams.”

“A simple approach allows business areas to fill out one form with a layered question set to determine where further investigation is needed. The online form has been adapted to consider any data ethical concerns at an early stage, but also has the added bonus of the scored risk assessment to form the basis to drive assurance activity.”

So to conclude, I hope this has given you some fresh ideas on how to engage with your colleagues about DPIAs. Good luck!

Google Analytics Processing Data in US – is this a problem?

January 2022

The Austrian DPA has found that continuous use of Google Analytics violates GDPR

Once again, Google is under fire from a regulator in Europe. This time in Austria.

The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020. 

Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR: 

“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.” (Source: noyb)

What does Google Analytics do?

Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses that want to know more about:

  • Who visits their website
  • How their website is used
  • What’s popular on their website, and what’s not
  • Whether visitors return to their website

What information does Google capture?

You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:

  • _ga: Used to distinguish users and retained for 2 years
  • _gid: Used to distinguish users and retained for 24 hours
  • _gat: Used to throttle request rate and retained for 1 minute
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from the AMP Client ID service and retained from 30 seconds to 1 year
  • _gac_<property-id>: Contains campaign-related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days

These cookies range from simple identification cookies to remarketing and advertising cookies, which allow you to track and remarket to individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes.

What does this mean in reality?

Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater. 

In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger. 

The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used. 

Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so. 

It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:

“The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices.” (Source: ICO)

What are the issues?

  1. Google is a data processor unless you enable data sharing with Google Ads, at which point you become a shared controller. Ensuring that your privacy policies reflect these differing relationships is important.
  2. Google stores most data in the USA. Since Privacy Shield was invalidated this has presented some problems. Google is relying on SCCs, but the main concern is that the US has surveillance laws that require companies such as Google to provide US intelligence agencies with access to their data.
  3. Google does use data to improve its services. For a user, this can sometimes seem creepy.

What could Google or US government do?

A rather obvious solution would be for Google to move the processing of EU data outside the US to data centres in Europe, where the US government cannot exercise the same surveillance rights as it can in the US.

Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot. 

Realistically, it’s quicker and more achievable for the Googles of this world to set up data centres in Europe. SaaS providers such as Salesforce addressed this issue years ago, and it feels like it’s about time Google and Facebook did too.

What should you do? 

  1. Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt in to Google Analytics, and this permission should be captured before any processing takes place.
  2. Provide a clear explanation of what data you are collecting and what that data is used for, in an accessible cookie notice supported by a coherent privacy policy.
  3. Make sure you describe all the Google cookies you are using, from simple tracking through to remarketing and advertising. Ideally each cookie would be listed with its technical details, duration and purpose.
  4. If you use Google Analytics, a number of settings have been introduced that help protect privacy:
    • Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless.
    • Make use of the data deletion tool. This is a bulk delete tool and can’t be used for one user.
    • Introduce data retention policies. There is a default setting of 26 months before data is deleted, but maybe you can delete data sooner.
    • Consider the use of alternative tracking tools that do not rely on the use of cookies or on transferring data overseas. A quick search produced the following non-exhaustive list of analytics tools that don’t rely on cookies. There will be other suppliers:
      • Fathom
      • Plausible
      • Simple Analytics
      • Insights
      • Matomo

In conclusion

  • At the moment, this finding by the Austrian DPA does not apply in the UK. However, it’s possible other DPAs may follow suit.
  • Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US.
  • It’s essential that your cookie notice and privacy policy clearly set out what tools are being used and what data is being processed. This is particularly important if you are linking Google Analytics to Google Ads for remarketing. 
  • Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions. 


Managing Erasure Requests or DSARs via Third-Party Portals

January 2022

Do organisations have to honour them? Well, it depends…

Over the past few years GDPR, the California Consumer Privacy Act (CCPA) and other privacy regulations have led to specialist companies offering to submit Erasure or Data Subject Access Requests (DSARs) on behalf of consumers.

These online portals say they want to help people exercise their privacy rights, while enabling them to make requests to multiple organisations simultaneously.

Companies on the receiving end of such requests often receive them in volume, and not necessarily from consumers they even know. Requests can quote swathes of legislation, some of which may be relevant, some which won’t apply in your jurisdiction.

If you haven’t had any yet, you may soon. Companies like Mine, Privacy Bee, Delete Me, Revoke and Rightly all offer these services.

They don’t all operate in the same way, so be warned the devil is in the detail.

How third-party portals work

Okay, bear with me; as I said, there are different approaches. They may use one, or a combination, of the following elements:

  • Offer to simply submit requests on the individual’s behalf, after which the consumer engages directly with each organisation
  • Offer people the opportunity to upload their details and proof of ID, so the portal can submit requests on their behalf without the consumer needing to validate their ID each time
  • Provide a bespoke link which organisations are invited to use to verify ID/authority (hmmm, we’re told not to click on links to unknown third parties, right?)
  • Allow consumers to select specific named organisations to submit requests to
  • Make suggestions for which organisations the individual might wish to ‘target’
  • Offer to scan the individual’s email inbox and then make suggestions about which organisations are likely to hold their personal data (again, really? Would you knowingly let any third party scan your inbox?)

Is this a good thing? Does it empower the consumer?

On the surface, this all seems fairly positive for consumers, making it simpler and quicker to exercise their privacy rights.

For organisations, these portals could be seen as providing an easier way of dealing with rights requests in one place. They might perhaps also provide a more secure way of sharing personal data, for example when responding to a DSAR.

I would, however, urge anyone using these portals to read the small print, and any organisation in receipt of these requests to do their homework.

Why it’s not all straightforward

The following tale from one DPO may sound familiar…

“We tend to find these requests slightly frustrating and time-consuming. First, we have to log all requests for our audit trails. We cannot simply ignore the requests otherwise this can cause regulatory issues, not to mention if they are genuine requests.

More often than not, they are sent in batches and do not contain the information we require to search and make the correct suppression. Where we do have enough information to conduct searches, we often find the personal details do not exist on our database.

Another concern is whether the requests are actually meant for us. We recently received a number of requests for a competitor, who was clearly named on the requests. When we tried to contact the portal to explain this issue, we did not get a response and were essentially ignored, which leaves us in a predicament – do we continue with the request, was it actually for our organisation or not?”

So, there’s a problem. Requests might be submitted on behalf of consumers whom organisations have never engaged with. Requests can arrive with insufficient information. We can’t always verify people’s identity, or the portal’s authority to act on their behalf. In these circumstances, do people genuinely want us to fulfil their Erasure or Access request?

What does the ICO say about third-party portals?

The regulator does reference online portals in its Right of Access guidance. It tells us we should consider the following:

  • Can you verify the identity of the individual?
  • Are you satisfied the third-party has authority to act on their behalf?
  • Can you view the request without having to take proactive steps (e.g. paying a fee or signing up to a service)?

The ICO makes it clear it would not expect organisations to be obliged to take proactive steps to discover whether a DSAR has been made. Nor are you obliged to respond if you’re asked to pay a fee or sign up to a service.

The Regulator says it’s the portal’s responsibility to provide evidence of their authority to act on an individual’s behalf. If we have any concerns, we’re told to contact the individual directly.

If we can’t contact the individual, the guidance tells us we should contact the portal and advise them we will not respond to the request until we have the necessary information and authorisation.

This all takes time…

This is all very well, but for some organisations receiving multiple requests this is incredibly time-consuming. Some organisations are receiving hundreds of these requests in a single hit, as Chris Field from Harte Hanks explains in ‘You’ve been SAR-bombed’.

In addition, we need to do our research and understand how the portal operates, checking whether we believe it is bona fide or not.

Another DPO, whose company receives around thirty privacy requests from third-party portals a month, says: “Often these tools don’t provide anything more than very scanty info, so they all require responses and requests for more info.” This company takes the following approach: “We deal with the individual if it’s a legitimate contact detail, or we don’t engage.”

It really is a question of how much effort is reasonable and proportionate.

We must respect fundamental privacy rights, understand third-party portals may be trying to support this, but balance this with our duty to safeguard against fraud or mistakes.

How to focus data protection training on specific teams

January 2022

Is your GDPR training giving your teams the specific skills they need for their roles?

In any organisation, your people can be your greatest asset. But also from a compliance point of view, they might be your greatest risk.

We need to support the people who manage personal data in our businesses, to help them understand relevant aspects of the law and how the business expects them to behave.

Organisations are obliged to implement appropriate organisational measures under GDPR, and staff awareness and training is a key part of this. I’d argue we should also show people how to manage personal data securely, responsibly and ethically.

The good news is the DPN’s Privacy Pulse Report shows the message around training and awareness has landed, with 80% of respondents saying their business had delivered data protection training within the last 12 months and a further 13% within 2 years.

But is the quality, depth and relevance of this training good enough? Does the training really help people in their day-to-day roles?

Different jobs require different levels of knowledge. Not everyone needs to know when to conduct a DPIA, and not everyone needs to know how to go about one. Clearly some team members need to know more about international transfers, DSARs, processor due diligence and so on.

The Report shows 81% provide generic online GDPR / data protection courses, whilst 61% deliver face-to-face or online training tailored to specific departments or job roles.

Just 20% provide in-depth workshops or masterclasses for key people and 13% provide some other form of training.

It’s clear quite innovative approaches are being taken to get key messages across, such as ‘privacy moments’ (e.g. bite-sized topical themes), regular internal bulletins, drop-in data surgeries or intranet content. The pandemic also has to be considered, as most training and awareness activity of late has been delivered remotely.

What does good training look like?

The ICO Accountability Framework gives some useful checklists covering training expectations (including specialised roles), such as:

  • Detail training and skills requirements in job descriptions.
  • Keep evidence to confirm key roles complete up-to-date and appropriate specialised training and professional development, and are subject to proportionate refresher training.
  • Keep records of the training material provided, as well as details of who receives the training.

Data protection training will have limited value if it’s ‘one-size fits all’ and doesn’t drill down and support teams who need to know more detail for their specific roles.

The application of the core data protection principles will vary enormously – from Marketing to Operations, from HR to a Contact Centre.

For example, marketers usually need to understand more about consent and legitimate interests, the right to opt out, what the law says about profiling, and so on. HR teams, on the other hand, need to understand how data laws apply to recruitment and to the many different data tasks which take place for employment purposes, such as appraisals and development, health & sickness data, diversity, employee communications, payroll… and so on.

Ideally training should be provided separately to different key teams and tailored to provide useful examples, user-journeys or case studies, based on the different privacy aspects people need to consider for their own role.

Focusing on key teams

Naturally this could all become very time-consuming and costly, so a pragmatic balance needs to be found between benefits and time.

It’s worth thinking about where the biggest risks lie in your business, so you can focus your time and effort on the key teams which have greater exposure to, and influence over, data risk. This will clearly differ for each business.

Some may choose to focus on their Sales & Marketing teams. Others may look to their HR teams to cover employee and contractors’ data, and recruitment practices. Whilst others may focus on customer-facing teams or developer teams.

Data Subject Access Requests (DSARs) and other data rights are usually handled by nominated people, who may need specialist in-depth training about how to handle them.

You’ll need to decide, if you haven’t already done so, which teams to focus your efforts on.

Remember inductions and refreshers

Many organisations will include generic data protection training as part of a new starter’s induction. If this can be tailored to their role, all the better!

It’s also important to remind people of the principles, or expand on their knowledge. If you haven’t provided any data protection training for a year or two… now would be a good time to consider some refresher courses. Compare this to industry CPD requirements, such as those in HR or Financial Services, which require regular training and refreshers. It’s all part of being able to do your job effectively.

To sum up, making sure people have appropriate skills and knowledge is one of the best ways to reduce the chance of privacy risks being overlooked and coming back to bite you! As they say, a chain is only as strong as its weakest link.

Take the initiative – it’s worth spending the time to pass on your knowledge to others. And just like any successful communication, it’s far more effective when you put your audience front and centre and tailor the message just for them.

Are Data Subject Access Requests driving you crazy?

January 2022

Complicated. Costly. Time-consuming...

… And driving me crazy. We’ve all heard the dreaded words, right? I’d like a copy of my personal data.

Which led me to think: is the fundamental privacy right of accessing our personal data becoming part of our increasingly litigious culture? The DSAR is now a staple opening shot for law firms handling grievance claims or employment tribunals, looking for potentially incriminating morsels of information.

Of course, this right must be upheld, but is the process fit for purpose? Employee-related requests, in particular, can entail a massive amount of work and the potential for litigation makes them a risky and complex area.

For some organisations, this is water off a duck’s back; they’ve always had access requests, anticipated volume would increase after GDPR, have teams to handle them, invested in tech solutions, have access to lawyers and so on.

Great stuff, but please spare a thought for others.

Plenty of businesses have lower volumes of DSARs. They’re unable to justify, or afford, extra resources. These guys are struggling under a system that assumes one size fits all.

Then there are businesses who’ve never even had a DSAR. For them, just one request can be an administrative hand grenade.

Of course some businesses are guilty of treating employees badly, but I wish things could be different. It’s about getting the balance right, that most elusive of things when creating regulatory regimes. Are the principles behind the DSAR important? Of course. Can the processes be improved? Definitely!

So be warned – here begins a micro-rant on behalf of the smaller guys. I’m feeling their pain.

What’s that sound? It’s wailing and the gnashing of teeth

It’s clear from our Privacy Pulse Report that DSARs are a significant challenge facing data protection professionals. One DPO told us:

“Vexatious requests can be very onerous. Controllers need broader scope for rejection and to refine down the scope, plus criteria for when they can charge… In my view, the ICO should focus on helping controllers to manage complex and vexatious DSARs.”

Some access requests are straightforward, especially routine requests where ‘normal’ procedures apply. However, some requests are made by angry customers or disgruntled ex-employees on a mission… and there’s no pleasing them. A troublesome minority appear to be submitting DSARs because they’re angry and want to cause inconvenience, but don’t go so far as to fall under the ‘manifestly unfounded’ exemption.

Anyhow, for all those of you out there dealing with this stuff, know that I feel your pain. Without any further ado…

My THREE biggest DSAR bugbears (there are others)

Everything!

We’re entitled to a copy of ALL our personal data (to be clear, this doesn’t mean we’re entitled to full documents just because our name happens to appear on them somewhere).

It’s true organisations are allowed to ask for clarification, and the ICO’s Right of Access Guidance provides some pointers on how to go about this.

Yet that tiny glimmer of hope is soon dashed – we’re told we shouldn’t seek clarification on a blanket basis. We should only seek it if it’s genuinely required AND we process a large amount of information about the individual.

Furthermore; “you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

Why?

Let’s take the hypothetical (but realistic) case of an ex-employee who believes they’ve been unfairly dismissed. They worked for the company for 10 years; they submit a DSAR but choose not to play along with clarifying their request. They want everything over a decade of employment.

Do they really need this information? Or are they refusing to clarify on purpose? Is this a fair, proportionate ‘discovery process’? As I’ve said before, large organisations may be better placed to absorb this; it’s the not-so-big ones who can really feel the pain. And in my experience, much personal data retrieved after hours of painstaking work isn’t relevant or significant at all.

Emails!

I get conflicted with the requirement to search for personal data within email communications and other messaging systems.

On the one hand we have the ICO’s guidance, which to summarise tells us:

  • personal data contained within emails is in scope (albeit I believe GDPR has been interpreted differently by other countries on this point);
  • you don’t have to provide every single email, just because someone’s name and email address appears on it;
  • context is important and we need to provide emails where the content relates to the individual (redacted as necessary).

If you don’t have a handy tech solution, this means trying to develop reasonable processes for retrieving emails, then eliminating those which won’t (or are highly unlikely to) have personal data within the content. This takes a lot of time.

Why am I conflicted? In running a search of your email systems for a person’s name and email address, you’ll inevitably retrieve a lot of personal data relating to others.

They might have written emails about sensitive or confidential matters, now caught within the retrieval process. Such content may then be reviewed by the people tasked with handling the request.

I suspect this process can negatively impact on wider employee privacy. Yes, we’re able to redact third party details, but by searching the emails in the first place, we’re delving into swathes of lots of people’s personal data.

It seems everyone else’s right to privacy is thrown out in the interests of fulfilling one person’s DSAR.

It also makes me wonder; if I write a comment that might be considered disparaging about someone in an email, do I have any right to this remaining private between me and the person I sent it to? (Even if it wasn’t marked confidential or done via official procedure).

I know many DPOs warn their staff not to write anything down, as it could form part of a DSAR. I know others who believe they’re justified in not disclosing personal data about the requester, if found in other people’s communications. Which approach is right?

Time!

Who decided it was a good idea to say DSARs had to be fulfilled within ‘one calendar month’?

It wasn’t a good idea! This phrase led to the ICO having to offer this ‘clarification’:

“You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.

This means that the exact number of days you have to comply with a request varies, depending on the month in which an individual makes the request.

For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.”

I hope you got that.

Wouldn’t it have been easier to have a set number of days? And perhaps more realistic timescale?

Let’s take the hypothetical (but realistic) case: you receive a DSAR on 2nd December. You can’t justify an extension as it isn’t unduly complex.

Yes, I know you’re with me; the deadline lands on 2nd January (or the next working day after it), and bank holidays and staff leave suddenly mean the deadline is horribly tight.
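To make the ICO’s three-step rule concrete, here is an added Python example (not part of the original post) that computes the deadline exactly as quoted: corresponding date next month, last day of that month if no such date exists, then roll forward past weekends and public holidays. The bank holiday dates are a constructed sample for England and Wales around the 2021/22 turn of year, used only to illustrate the 2nd December case; in practice you would load the official list for the relevant UK nation. It also checks the ICO’s practical tip that a fixed 28-day window never overshoots the statutory deadline.

```python
"""DSAR response deadline under the ICO's 'one calendar month' rule.

Added example, not part of the original post. Implements the three ICO steps:
corresponding date in the next month; last day of that month if the date does
not exist; roll forward past weekends and public holidays.
"""
import calendar
from datetime import date, timedelta

# Constructed sample: England & Wales bank holidays around the 2021/22 turn of
# year (substitute days because 25/26 Dec 2021 and 1 Jan 2022 fell at weekends).
# Illustration only; load the official published list in practice.
SAMPLE_BANK_HOLIDAYS = frozenset({
    date(2021, 12, 27),  # Christmas Day (substitute)
    date(2021, 12, 28),  # Boxing Day (substitute)
    date(2022, 1, 3),    # New Year's Day (substitute)
})


def corresponding_date_next_month(received: date) -> date:
    """Same day-of-month in the following month, clipped to that month's last
    day when the following month is shorter (e.g. 31 Jan -> 28/29 Feb)."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def is_working_day(d: date, holidays=frozenset()) -> bool:
    """Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in holidays


def dsar_deadline(received: date, holidays=frozenset()) -> date:
    """Statutory deadline: the corresponding date next month, rolled forward to
    the next working day if it lands on a weekend or public holiday."""
    deadline = corresponding_date_next_month(received)
    while not is_working_day(deadline, holidays):
        deadline += timedelta(days=1)
    return deadline


def working_days_to_deadline(received: date, holidays=frozenset()) -> int:
    """Working days actually available: the day after receipt up to and
    including the deadline. Shows how much a December request loses."""
    deadline = dsar_deadline(received, holidays)
    d, count = received + timedelta(days=1), 0
    while d <= deadline:
        if is_working_day(d, holidays):
            count += 1
        d += timedelta(days=1)
    return count


def twenty_eight_day_rule_always_safe(year: int) -> bool:
    """Check the ICO's practical tip: responding within 28 days of receipt never
    overshoots the calendar-month deadline, whatever month the request arrives."""
    d = date(year, 1, 1)
    while d.year == year:
        if d + timedelta(days=28) > dsar_deadline(d):
            return False
        d += timedelta(days=1)
    return True


if __name__ == "__main__":
    received = date(2021, 12, 2)  # the post's hypothetical
    print("Received:", received)
    print("Deadline:", dsar_deadline(received, SAMPLE_BANK_HOLIDAYS))
    print("Working days available:", working_days_to_deadline(received, SAMPLE_BANK_HOLIDAYS))
    print("31 Jan 2022 ->", dsar_deadline(date(2022, 1, 31)))
    print("28-day rule safe in 2024:", twenty_eight_day_rule_always_safe(2024))
```

For the post’s 2nd December 2021 request the corresponding date, 2nd January 2022, is a Sunday and 3rd January is a substitute bank holiday, so the deadline becomes Tuesday 4th January; only 20 working days are available in between, which is the squeeze the post is complaining about.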

I wish there was a specific number of days to respond. I wish they excluded national bank holidays and I wish there was a reprieve for religious festivals. I know, I’m dreaming.

DSARs and UK data reform

Is the UK Government going to try and address these challenges in its proposal to reform UK data protection law?

The consultation paper makes the right noises about the burden DSARs place on organisations, especially smaller businesses.

Suggestions include introducing a fee regime similar to that under the Freedom of Information Act, with a cost ceiling on the work an organisation must do, and amending the threshold for responding. None of this is without challenges. There’s also a proposal to re-introduce a nominal fee.

On the latter point, GDPR removed the ability to charge a fee for a standard request. You may recall that prior to 2018 organisations could charge individuals £10 for a copy of their personal data.

Many will disagree, but I think the nominal fee is reasonable. I realise it could be seen as a barrier to people on lower incomes exercising a fundamental right. However, my thoughts are organisations wouldn’t be forced to charge. It would be their choice. They would also be able to use their discretion by waiving the fee in certain situations. It makes people stop and think: ‘do I really want this?’

Whatever transpires, I truly hope some practical changes can be made to support small and medium-sized businesses. Balancing those with individual rights isn’t easy, but that’s why our legislators are paid the big bucks.

And here, dear reader, endeth my rant!

Data breaches: when to notify Regulators and affected individuals

January 2022

European Data Protection Board (EDPB) publishes new case-based guidelines on data breach notifications

As we know, not all personal data breaches need to be reported to Supervisory Authorities, such as the UK’s Information Commissioner’s Office, nor indeed to affected individuals. It all depends on the nature of the incident and risk posed. This can be a tricky decision to make.

What the law says about notifying a data breach

UK GDPR tells us where a breach is unlikely to result in a risk to the rights and freedoms of individuals, it doesn’t need to be reported to the ICO. Furthermore, it tells us we should inform affected individuals only where it is likely to result in a high risk.

Assessing data breach risks

The key then, once you have established that an incident involves personal data, is to assess the risk it poses to the people whose details are affected. This can be complex, and the law gives us a short timescale to make the assessment: personal data breaches likely to result in a risk to individuals must be reported to the ICO (or other Supervisory Authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

This leaves many to err on the side of caution; that’s to say they notify for fear of making the wrong decision.

Our Privacy Pulse Survey 2022 provides some interesting insight on the number of breaches organisations are experiencing, the volumes being reported to the ICO, and the numbers communicated to affected individuals.

Case studies to help our risk assessment

Helpfully, the EDPB has published new guidelines which provide some useful examples. These are designed to complement the previously published Guidelines on Personal data breach notification.

The types of scenarios covered include:

  • Ransomware
  • Exfiltration of data from websites
  • Data ‘stolen’ by an employee
  • Accidentally sending data to a trusted party
  • Lost or stolen devices and paper documents
  • Errors by postal mail
  • Social engineering

In each case a common scenario is posed, and we are taken through the decision-making process with the following sections:

  • ‘Prior measures and risk assessment’
  • ‘Mitigations and obligations’

It’s stressed the analyses provided relate explicitly to the specific cases under scrutiny. We’re clearly warned if our circumstances differ slightly, the risk posed will also differ.

I have picked out several examples (please note these have been summarised).

Accidental transmission to a trusted party

An insurance agent noticed that – made possible by the faulty settings of an Excel file received by e-mail – he was able to access information related to two dozen customers not belonging to his scope. He is bound by professional secrecy and was the sole recipient of the e-mail. The arrangement between the data controller and the insurance agent obliges the agent to signal a personal data breach without undue delay to the data controller. Therefore, the agent instantly signalled the mistake to the controller, who corrected the file and sent it out again, asking the agent to delete the former message. According to the above-mentioned arrangement the agent has to confirm the deletion in a written statement, which he did. The information gained includes no special categories of personal data, only contact data and data about the insurance itself (insurance type, amount). After analysing the personal data affected by the breach the data controller did not identify any special characteristics on the side of the individuals or the data controller that may affect the level of impact of the breach.

In this case, the combination of a low number of affected individuals, the immediate detection and the measures taken leads to an assessment of ‘no risk’. In other words there is no obligation to notify a Supervisory Authority or individuals. The incident should, however, be logged internally.

Stolen device containing unencrypted data

The electronic notebook device of an employee of a service provider company was stolen. The stolen notebook contained names, surnames, sex, addresses and dates of birth of more than 100,000 customers. Due to the unavailability of the stolen device it was not possible to identify if other categories of personal data were also affected. The access to the notebook’s hard drive was not protected by any password. Personal data could be restored from daily backups available.

This is clearly a case where there’s an obligation to notify both the Supervisory Authority and the affected individuals. Other examples are given where the device was encrypted (and the key or passphrase was not also compromised), which leads to a different assessment of the risks posed and of the notification obligations.

Postal mail error

Two orders for shoes were packed by a retail company. Due to human error two packing bills were mixed up with the result that both products and the relevant packing bills were sent to the wrong person. This means that the two customers got each other’s orders, including the packing bills containing the personal data. After becoming aware of the breach the data controller recalled the orders and sent them to the right recipients. The bills contained the personal data required for a successful delivery (name, address, plus the item purchased and its price).

The EDPB says the controller should provide for a free return of the items and the accompanying bills, and should request the wrong recipients destroy / delete all copies of the bills containing the other person’s personal data.

In this specific set of circumstances, the assessment concludes the risk is low: no special category data, or other data which might lead to substantive negative effects on those involved, is disclosed. There is therefore no obligation to notify the Supervisory Authority or the affected individuals. That said, communicating with the individuals involved cannot be avoided, as their cooperation is needed to mitigate the risk.

Ransomware attack with proper backup and without exfiltration

The computer systems of a small manufacturing company were exposed to a ransomware attack, and data stored in those systems was encrypted. The data controller used encryption at rest, so all data accessed by the ransomware was stored in encrypted form using a state-of-the-art encryption algorithm. The decryption key was not compromised in the attack, i.e. the attacker could neither access it nor use it indirectly. In consequence, the attacker only had access to encrypted personal data. In particular, neither the email system of the company, nor any client systems used to access it were affected…
…After analysing the logs and the data collected by the detection systems the company has deployed, an internal investigation supported by the external cybersecurity company determined with certainty that the perpetrator only encrypted data, without exfiltrating it.
A backup was readily available, and the data was restored a few hours after the attack took place.

The assessment reached in this scenario is that the breach didn’t result in any consequences for the day-to-day operation of the manufacturing company, nor did it have any significant effect on the data subjects. Therefore there is no obligation to notify the Supervisory Authority or communicate with individuals, but the personal data breach should be logged internally.

There are further ransomware examples where the circumstances differ, for instance where no usable backup exists or where data was exfiltrated, and notification would be required.

Our 7 key data breach takeaways

1. Develop a data breach plan and keep it under regular review
2. Assign a suitably knowledgeable data breach team (or have external experts on hand to support when required)
3. Have a methodology for assessing, evaluating and documenting risk (for example using a risk matrix)
4. Maintain a log of all personal data breaches, whether they’re judged notifiable or not
5. Keep a record of any justification for not notifying of a breach
6. Remember, a breach can be notified before all facts are known. A full assessment can run in parallel to notification and subsequent information learnt can be provided to the ICO (or other Supervisory Authority) in phases.
7. Training and awareness focused on data incident identification, expected actions and triage is essential for both controllers and processors.

In summary…

The EDPB case-based guidelines are another helpful tool to support organisations in their handling of data breaches, and factors to consider during the risk assessment process. The ICO also has detailed data breach guidance and has published some useful data breach examples.

Data Protection Officers – what does it take to do the job?

January 2022

The unique blend of traits and skills which make for a great DPO

What is it that makes a DPO effective and successful? Whether you’re recruiting or someone interested in the role, here are a few thoughts for you to chew over. I’m focussing here more on character traits, rather than the specialist knowledge & skills required for the job.

Be a good leader – not just a manager

A DPO should be a self-starter, with the energy and motivation to lead and inspire others, and with the leadership skills to set the direction of travel for data protection across the organisation, laying out clear priorities and bringing others with them on the journey.

As Mark Starmer puts it in ‘Will the real leader please stand up?’, leadership is all about being able to influence. This means building effective relationships with everyone from senior management to clients and customers. All this helps the DPO in their quest to embed data protection principles and processes across the organisation.

If they have direct reports, they’ll need to be someone who can lead and inspire their team. This includes recognising people’s individual strengths and weaknesses, their progress and achievements, and finding appropriate and perhaps innovative ways to recognise and reward each individual.

Thirst for knowledge

Not only does a DPO need to have an excellent grasp of the relevant laws, and ideally qualifications to evidence this, but they also need to be someone who is always on a quest to learn more. Someone who is happy to spend their spare time reading new guidance, privacy articles and opinions, case law and so on. Someone with a genuine interest in the data landscape and emerging trends.

Autonomy and independence

A DPO must also be able to act autonomously, independently and objectively, as the role requires. Not only looking at what the law requires, but also considering ethical and moral issues, to work out what is the right thing to do. Acting with genuine honesty and integrity.

Robert Bond, Senior Legal Counsel at Bristows:

“Data Protection Officers must be adept and be able to adapt and adopt as circumstances require. Above all they need to implement compliance & ethics with impartiality.”

A great communicator and diplomat

Strong communication skills are vital, including taking the time to actively listen to, interpret and understand others.

A DPO is likely to work with a range of staff across the organisation, plus clients and suppliers. Often working across national borders too. This requires cultural awareness and sensitivity. They need to be able to change their approach, depending on who they are talking to.

As Fedelma Good, Director at PwC UK explains:

‘DPOs need to be great communicators and above all they need to be multi-lingual. They need to be able to communicate across a broad range of stakeholders, ranging from board members to web designers and quite often they need to act as the translator to ensure that technical, legal and business specialists really do all understand each other.’

Sympathetic but strong

A good DPO will be both understanding and assertive. There’ll be times when people are tricky to handle, be it disgruntled customers or even perhaps a member of the senior management team!

The role doesn’t exist to preserve the status quo. They may need to push back against established practices (‘we’ve always done it that way’) and challenge people to think differently and find creative solutions. This takes sheer persistence and the drive to make a difference.

Confidence

A DPO should be a confident individual who is up for some straight-talking when needed. They must be ready to stand their ground. But they also need the confidence to show humility and say when they don’t know the answer. The laws are detailed and complex and no DPO can know it all.

To apply the law in practice, they often need time to think it through and deliberate. DPOs need to be clear when they need this time and need to resist the temptation (or demands) to respond immediately.

Well-organised

Sometimes everyone seems to be clamouring for a piece of the DPO. Juggling multiple conflicting priorities means being well-organised is critical. Some demands will be urgent, others important but less urgent, some can wait. That data breach always seems to happen on a Friday afternoon!

A DPO will inevitably need to do their fair share of ‘fire-fighting’ when things crop up out of the blue. They need to manage not only their diary, but colleagues’ expectations too!

Even at the busiest times, it’s also important to try and remain approachable with an ‘open door’ to anyone in the organisation.

Finding workable solutions

Because of the specialist knowledge and obligations a DPO has, they need to work hard to show how their role acts as an enabler for the business. Nobody wants to be seen as ‘the department of No’.

In my view this often comes back to character and communication style – being ready not only to shine a light on compliance risks but also to go the extra mile, working closely with stakeholders to find pragmatic solutions.

Taking a more flexible solution-oriented approach builds much better relationships, where the rest of the business sees the DPO as someone who doesn’t put up barriers, but will help them navigate their way to reach their goals.

This is especially important during times of change. Someone who can embrace change, stay positive and focussed and keep working towards shared goals is more likely to succeed in the end.

In conclusion

Wow, the DPO role is certainly a demanding one, requiring a lot of positive character traits and interpersonal skills!

All nicely summed up by Matt Kay, Deputy DPO at Metro Bank:

“It goes without saying that the role of a DPO is multi-faceted requiring a broad skillset with organisations valuing certain skills more than others, and this of course differs between organisations. For me I think the key skills are stakeholder engagement, the ability to project manage, navigate conflicting priorities and being able to take a pragmatic approach. Taking risk based decisions that balance the needs of data subjects and the organisation you work for.”


Privacy Pulse Report 2022

Monitoring the heartbeat of the UK data protection community

Nearly four years after GDPR was implemented, data protection professionals are still grappling with DSARs, RoPAs and getting organisational buy-in…

  • How well resourced are data protection teams?
  • Is accountability being taken seriously?
  • What are privacy tech solutions being used for?

Find out the answers to these questions and more in the Privacy Pulse Report 2022.


Published in partnership with Exterro, this report is based on our November survey and a series of more in-depth interviews.