UK International Data Transfers - what next?

August 2021

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfer is lawful, by confirming that the security of the data and the rights of the individuals concerned remain protected once the data leaves the country.

The concept is fairly straightforward; however, the practicalities have become rather complex in recent times.

You’d be forgiven for finding the whole topic of international transfers confusing. And that’s bad for business – we need real clarity on the requirements to keep data flowing between the UK and other countries.

Especially as the UK begins to emerge from the massive economic (not to mention health and social) impacts of Coronavirus.

The complexity around data transfers comes from a few factors. First, there's the impact of Brexit on data flows and the recent European Commission adequacy decision for the UK.

But we must also consider the fallout from the now famous "Schrems II" ruling by the Court of Justice of the European Union. That's the one which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data, resulting in updated SCCs recently being published by the European Commission to take account of the ruling.

But what does this all mean for the UK?

  • Can UK businesses use European SCCs post-Brexit?
  • Do we need UK SCCs?

A public consultation on UK data transfers

The Information Commissioner’s Office (ICO) has announced a public consultation on its draft International Data Transfer Agreement (known as IDTA) and accompanying guidance.

The IDTA is a model contract which UK organisations would be able to use when transferring data to other countries. In particular, when transferring data to countries which do not benefit from an EC adequacy decision (or, in the future, a ‘UK adequacy regulation’).

In this situation, most organisations would normally look to use SCCs to ensure the transfers are lawful. However, the EU SCCs don't directly apply to the UK post-Brexit, and the ICO's proposed replacement for the UK is the IDTA.

The ICO tells us this new agreement takes into account the binding judgment of the Court of Justice of the European Union in the Schrems II ruling.

What’s in the consultation?

There are three key sections to the consultation:

  • Proposal and plans for the ICO to update its guidance on international transfers
  • Transfer risk assessments – including a new risk-assessment tool
  • The International Data Transfer Agreement.

The ICO is also proposing the use of a template Addendum to the EU SCCs, allowing organisations to adapt those SCCs to work in the context of UK transfers.

The UK Regulator has provided proposals and options which it would like us to consider and comment on.

On announcing the consultation Steve Wood, the ICO’s Executive Director of Regulatory Strategy said:

“The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.

“We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements will help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.”

Would you like to take part?

The ICO is keen to hear feedback from all interested parties, from SMEs to multinationals, plus consultants and advisers like the DPN.

So if you would like to take part in the consultation, please do so. But note there’s limited time: the consultation closes on 7th October 2021. Take part in the UK international data transfers consultation.

What next for international data transfers?

Listen in as our expert panel explores how to tackle international data transfers. We set the scene, share some helpful tips and discuss what actions to take.

Host Robert Bond, Legal Counsel at Bristows LLP was joined by Julia Porter, Partner at Data Protection Network Associates, Joseph Byrne, Privacy Solutions Engineer at OneTrust and Yasmeen Rahman, Group DPO at Informa Group.

Where next with international data transfers?

April 2021

In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield invalid. This was on account of the invasive US surveillance programmes in place, which meant transfers of personal data relying on the Privacy Shield decision were unlawful.

At the same time the Court stipulated stricter requirements for the transfer of personal data based on Standard Contractual clauses (SCCs).

It stated that both controllers and processors must ensure the data subject is granted a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights. If this isn't possible, the transfer of personal data should cease.

This came as quite a shock to many organisations. In particular, anyone using software as a service (SaaS) technology solutions had a big problem.

Many of these suppliers are US-based, and the entreaties from Max Schrems and co to buy from the EU didn’t really cut much ice. Where were the European equivalents of the most successful SaaS suppliers? Nowhere to be found!

What are SCCs?

The ICO definition is pretty snappy:

SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.

These need to be used when you are exporting data to a third country, such as the USA, which is not covered by an EU adequacy decision. You do not need to use them for transfers to a country that does benefit from an adequacy decision.

What to do after the ruling?

The initial advice was that anyone relying on Privacy Shield should be prepared to sign SCCs. However, signing SCCs isn’t entirely plain sailing. The court didn’t rule they were invalid; instead, it ruled their use needed to be assessed on a case-by-case basis, and that it might be necessary to put in place “supplementary measures” to protect the data subject.

What do “supplementary measures” look like?

The main challenge with the US, where federal agencies have significant surveillance powers, was the fear of government access to the data.

Can data be further encrypted? Can data be stored in EU data centres and kept separate from the US data centres? Are these measures sufficient?

France’s Conseil d’État seemed to think so when it ruled that a Covid vaccination booking site (Doctolib), based in France, could host its service with the US company Amazon Web Services (AWS) in Luxembourg.

AWS was deemed to have introduced sufficient “supplementary measures” to protect personal data by creating a data silo in Europe which is separate from its service in the US.

The new SCCs – what do they look like?

Soon after the court ruling, the European Commission published its draft version of the updated SCCs, which had been in the pipeline for some time.

This was a happy coincidence, although it’s likely these were rushed out once the CJEU judgment was handed down.

The old SCCs were out of date and inflexible, with no provision for processors, so everyone welcomed the fact that more useful SCCs were on their way.

What are the differences?

  • The SCCs are now modular, meaning they can accommodate a number of different scenarios: you pick the pieces that relate to your particular situation.
  • The SCCs cover four transfer scenarios, including ones where the exporter is a processor:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

Once adopted, the new SCCs need to be phased in within 12 months. For large organisations with many contracts, this may be difficult to complete on time.

What about “supplementary measures”?

At the heart of the Schrems II decision was the opinion that the US surveillance regime had excessive powers to access data and therefore presented a risk for data subjects. It was suggested companies need to consider the introduction of “supplementary measures” to protect data subjects:

  • The definition of supplementary measures is covered in guidance provided by European Data Protection Board meaning you have to read those recommendations as well as the SCCs themselves.
  • The draft SCCs include the need for the data exporter and the data subject to be notified if a legally binding request has been made to access personal data.
  • The draft SCCs suggest a risk-based assessment of whether such data requests have been made in the past and the likelihood of them happening in the future. This contradicts the EDPB, which does not believe any subjective assessment of risk should be included.

The bottom line is that any data exporter should consider what additional security arrangements are needed before transferring data to a third country, and those arrangements will, to a large extent, depend on the data protection regime in the recipient country.
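The question raised above (can data be further encrypted, and is that sufficient?) and the "supplementary measures" discussion both turn on one technical property: the third-country host must only ever hold ciphertext, and the key must stay with the exporter. The example below, written for this page and not code from the ICO, the EDPB or any supplier named here, shows that pattern in Go with AES-256-GCM. The exporter holds the key (an in-memory map stands in for a KMS or HSM in the exporter's jurisdiction; that, the record layout and the key label are assumptions for the example), seals each record before it crosses the border, and can verify that nothing stored at the host contains the personal data in clear. Because GCM authenticates the ciphertext and the key label, a tampered or re-labelled copy returned by the host is rejected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is the personal data a UK/EEA exporter wants to host in a third country.
type Record struct {
	Subject string
	Email   string
}

// Envelope is everything the third-country host ever receives: the key label,
// a fresh nonce and the AES-GCM ciphertext (which carries the auth tag).
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Exporter keeps the keys. In production this would be a KMS/HSM located in
// the exporter's own jurisdiction; an in-memory map stands in for it here
// (assumption made for this example).
type Exporter struct {
	keys map[string][]byte
}

func NewExporter() *Exporter { return &Exporter{keys: map[string][]byte{}} }

// GenerateKey creates a random 256-bit AES key that never leaves the exporter.
func (e *Exporter) GenerateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	e.keys[id] = k
	return nil
}

func (e *Exporter) aead(id string) (cipher.AEAD, error) {
	k, ok := e.keys[id]
	if !ok {
		return nil, errors.New("no key for id " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before it crosses the border. The key id is bound in
// as additional authenticated data, so an envelope cannot be silently re-labelled.
func (e *Exporter) Seal(keyID string, r Record) (Envelope, error) {
	g, err := e.aead(keyID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plain := []byte(r.Subject + "\x00" + r.Email)
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plain, []byte(keyID))}, nil
}

// Open decrypts an envelope fetched back from the host. Any change to the
// ciphertext, nonce or key label fails authentication and returns an error.
func (e *Exporter) Open(env Envelope) (Record, error) {
	g, err := e.aead(env.KeyID)
	if err != nil {
		return Record{}, err
	}
	plain, err := g.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
	if err != nil {
		return Record{}, err
	}
	parts := strings.SplitN(string(plain), "\x00", 2)
	if len(parts) != 2 {
		return Record{}, errors.New("malformed plaintext")
	}
	return Record{Subject: parts[0], Email: parts[1]}, nil
}

// HostCanRead is the exporter's check: does anything the host stores contain
// the personal data in clear? With the key retained by the exporter it is false.
func HostCanRead(env Envelope, secret string) bool {
	stored := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	return bytes.Contains(stored, []byte(secret))
}

func main() {
	ex := NewExporter()
	if err := ex.GenerateKey("uk-key-2021"); err != nil {
		panic(err)
	}
	rec := Record{Subject: "Alice Example", Email: "alice@example.org"} // constructed sample
	env, err := ex.Seal("uk-key-2021", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("host sees plaintext:", HostCanRead(env, rec.Email))
	back, err := ex.Open(env)
	fmt.Println("exporter round trip ok:", err == nil && back == rec)
	tampered := env
	tampered.Ciphertext = append([]byte{}, env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = ex.Open(tampered)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The caveat a practitioner should note: this only helps for data the host stores or relays without needing to process it. If the importer has to read the data to provide the service (a typical SaaS application), the key has to be available in the third country and this measure no longer holds, which is why the page's other suggestions (EU data silos, supplier due diligence, reviewing whether the data needs to be exported at all) still matter.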

How does Brexit affect all of this?

Transfers to a country with an EU adequacy decision do not need SCCs. The fact that the UK has been issued with a draft EU decision is extremely promising news; if adopted, it means a contract with an EU company does not need to include SCCs.

However, there remains the challenge of updating all SCCs for any transfers outside the EU (notably to the US) within the 12-month period once the SCCs have been adopted. (And UK-based companies are, of course, still subject to international transfer rules under the UK GDPR.)

What could you do now?

Until the new SCCs and the UK adequacy decision are finalised, companies are in a state of limbo. Having said that, there is plenty that can be done to reduce the risk:

  • Make sure you’ve mapped all the possible data transfers from the UK to the EU and other third countries
  • Evaluate which data is exported and ask yourself whether it needs to be exported
  • Consider which contracts already have SCCs in place and where they will need to be updated
  • Ensure your contract due diligence is in place, with a detailed questionnaire for potential suppliers
  • Pay particular attention to which jurisdiction data will be stored in and consider the level of risk: has your supplier created data silos?
  • Review whether it’s possible to introduce supplementary measures to protect data, for instance encrypting data so that it cannot be read by a surveillance authority
  • Investigate whether there are credible alternatives to US technology partners in the EU

 

Need some advice about handling your businesses international transfers, or any other data protection matter? Get in touch – Contact Us 

European Commission publishes draft UK adequacy decision

February 2021

The European Commission has published a draft adequacy decision, under the EU GDPR, which paves the way for the continued free flow of personal data from the European Economic Area to the UK.

However, before the decision is adopted, we need to await an opinion from the European Data Protection Board (EDPB) and a green light from a committee of EU Member State representatives. There are still hurdles to overcome.

The draft decision states the Commission would continue to monitor relevant developments in the UK and invites the UK to inform the Commission of any material change to UK law which impacts on the legal framework of the decision.

(The EC has also published another draft decision for personal data related to law enforcement).

Why does adequacy matter?

This draft decision is significant as, outside the European Union, the UK becomes what’s termed a ‘third country’.

In the absence of an adequacy decision, in order for EU-UK data transfers to be conducted lawfully, additional measures would be required.

Where no adequacy decision exists, controllers and processors need to consider the following when transferring data from the EEA to a third country (like the UK):

  • Appropriate safeguards – for example, making sure rather onerous Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place between the parties, or
  • Exceptions for specific situations – for example, where an individual has given their explicit consent, or where the transfer is necessary to enter into or fulfil a contract with the individual.
  • An international agreement between the Union (or a Member State) and the third country, which the UK does not have with the EU.

Is adequacy in any doubt?

The Commission grants adequacy to countries assessed to have data protection laws essentially equivalent to those in the EU. Some may be wondering why there are any worries the UK wouldn’t be granted adequacy. After all, the UK has retained the GDPR in domestic law as the UK GDPR.

There have been some well-founded concerns UK surveillance law might throw a spanner in the works.

This fear was heightened last autumn when the Court of Justice of the EU (CJEU) found UK law permitting intelligence agencies to collect bulk communications data was incompatible with EU law.

This draft decision under the EU GDPR, however, appears to accept that UK data protection law is essentially equivalent, but we are not out of the woods yet.

Adequacy would bring a big sigh of relief!

The UK’s inclusion in the list of countries that have been granted adequacy, such as Israel, Argentina, New Zealand and Japan, would be widely welcomed.

Robert Bond, Senior Counsel at Bristows:

“The adequacy decision will be a relief to so many organisations whether in the UK or the EU, and will ensure free flows of personal data between the EU and UK. It will be kept under review and will mean that the UK cannot diverge too far from the EU GDPR and related law such as E-Privacy.”

Thoughts echoed by Matthew Kay, Head of Data Privacy at Survitec:

“An adequacy ruling for the UK will be a welcome decision to many organisations worldwide. This will see data transported in a safe and secure manner increasing confidence and trust in the UK’s handling of personal data.”

Commenting on both draft decisions made on Friday 19 February, Information Commissioner Elizabeth Denham said:

“The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK. Today’s announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU and I welcome the progress that has been made.”

What about transfers from the UK?

The rules regarding transfers from the UK to other countries broadly mirror the EU GDPR rules. So, you need to consider a) adequacy b) additional safeguards c) specific exceptions.

The UK has already declared data can freely flow from the UK to the EEA.

The UK Government now has the power to make its own adequacy decisions in relation to other countries, and these will be known as ‘adequacy regulations’. It has also said it will recognise all adequacy decisions made by the European Commission that were valid as at 31 December 2020.

What do we mean by data transfers?

In broad terms, an international data transfer occurs where personal data is:

  • sent from an EEA country (or the UK) to another country
  • made accessible to a receiver outside the EEA (or the UK)
  • shared within the same corporate group with an entity outside the EEA (or the UK)
  • loaded onto a service which is available from, or may be accessed from, outside the EEA (or the UK)

It doesn’t apply to sending personal data to one of your own employees who happens to be abroad. Equally, personal data that is merely routed electronically through another country, without being accessed there, is not considered a restricted transfer.

Are existing EU Standard Contractual Clauses valid?

The ICO has confirmed the continued use of any EU SCCs (valid as at 31 December 2020) will be permitted for both existing restricted transfers or for new ones.

The EU has drafted revised SCCs, which address the big issue of government access to data. Revision of the SCCs was urgently needed after the Schrems II ruling by the Court of Justice of the EU in July 2020.

It’s proposed there will be a 12-month transition period to allow organisations to update contracts to adopt the revised SCCs. No small task for big organisations with multiple contracts to update!

But where does this leave UK controllers and processors? Will the UK adopt or accept these new SCCs? Hopefully we will get some clarity on this from the ICO soon.

We hotly await the final decision!

 

Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service or just contact us and we can arrange a convenient time for a chat. 

UK Data protection and ePrivacy law post Brexit: Q&A

January 2021

To put it simply Brexit has not altered our general data protection obligations and responsibilities. The rules we need to abide by are essentially the same, but there are some aspects we need to be aware of (such as data transfers and representatives) and some details we should watch out for over the coming months.

Here’s a quick Q&A to answer some recent questions I’ve been asked:

1. Does GDPR still apply in the UK?

The ‘EU’ GDPR no longer applies in the UK, BUT…

a) GDPR has been retained in UK domestic law, renamed as ‘UK GDPR’. This means the key principles, rights and obligations remain the same. The UK now has the independence to keep this under review.

b) If your organisation offers goods and services to individuals in the EU (or monitors their behaviour), the EU GDPR will still apply to your handling of their data. This is because the territorial scope of the EU GDPR extends beyond the European Economic Area.

2. Has the UK Data Protection Act 2018 changed?

The UK DPA 2018 remains in place and sits alongside UK GDPR. The legislation has been adapted to reflect the UK’s status outside the EU. A Keeling Schedule for the UK GDPR shows the amendments.

3. What about data transfers from the UK to the EEA, or elsewhere?

The UK Government says data transfers from the UK to the EEA can continue unrestricted for the time being.

Transfers to other countries may be subject to restrictions under UK GDPR. This essentially means, as you would have done in the past, you need to consider whether additional safeguard mechanisms are required. For more information see the ICO’s guidance on International Transfers after UK exit.

4. What about data transfers from the EEA to UK?

Outside the EU the UK becomes what is called a ‘third country’ and is subject to data transfer restrictions. However, under the Brexit trade deal, agreement has been reached whereby the UK will not be considered a ‘third country’ for up to four months, potentially extended to six months.

This allows more time for the European Commission to consider whether the UK can be granted ‘adequacy’.

If the UK is granted adequacy, transfers of data from the EEA to the UK will continue to flow freely with no requirement for additional safeguards – such as the use of EU Standard Contractual Clauses (SCCs). For more information see Brexit Deal and Data Transfers.

The ICO’s guidance on International Transfers after UK exit also covers considerations for transfers of personal data from non-EEA countries to the UK.

5. Do we need an EU Representative?

If you offer goods and services to EU citizens (or monitor their behaviour) you may need to appoint an EU Representative for data protection. If you are not sure if you fall under this requirement see Brexit: Do we need an EU representative?

6. Do we need a UK Representative?

It’s worth noting UK GDPR, like EU GDPR, has this extra territorial scope too – so if your organisation is based outside the UK, but offers goods and services to UK citizens (or monitors their behaviour) you may need to appoint a UK representative, if you don’t have an establishment within the UK.

Contact us if you would like to find out more about our UK Representative Service.

7. Do we need to update our privacy information or other documents?

You should update your privacy notices, data protection policies and processes to reflect changes in the UK data protection regime. In particular, you may need to change details in relation to international transfer arrangements.

It would also be a good idea to check any Data Protection Impact Assessments where international transfers are relevant.

If adequacy status is not granted, you may also need to review the data provisions in your contracts with EEA businesses. (Many organisations have already planned for the worst-case scenario, and this is something the ICO is still advising organisations to do.)

8. Have marketing and cookie rules changed at all?

The simple answer is no. Marketing and cookie rules in the UK are governed by the Privacy and Electronic Communications Regulations (PECR). Based on an EU Directive, these were enacted into UK law in 2003 (along with subsequent amendments), so they remain in place. Recent changes made to reflect the UK’s status outside the EU are shown in the relevant Keeling Schedule.

If you target EU citizens online then country-specific marketing and cookie laws still apply.

9. Will the UK adopt the EU’s ePrivacy Regulation?

Remember this! Back in 2017 the first draft of a new ePrivacy Regulation was published, with the aim of bringing in updated and harmonised rules in tandem with GDPR (revising and expanding the scope of the EU ePrivacy Directive).

Fast-forward four years and the debate still continues; an agreement has yet to be reached. The as yet unanswered question is: will the UK adopt this new EU Regulation as and when it is agreed?

10. Is the UK’s data protection regime likely to diverge?

In theory the UK now has the independence to amend data protection legislation. However, the Brexit trade deal specifically mentions the EU and UK’s commitment to ensuring a high level of personal data protection and a willingness ‘to work together to promote high international standards’.

Furthermore, if the UK makes any changes to its data protection regime in the coming months, including the Privacy and Electronic Communications Regulations, the arrangement whereby the UK is not yet considered a ‘third country’ for data transfers will automatically end and restrictions on transfers will be imposed.

It seems unlikely the UK will want to rock the ‘data boat’ right now, if it hopes to be granted adequacy by the European Commission. What will be interesting, is the fallout if the EC does NOT grant adequacy to the UK. My hope is this will run smoothly, but until the ink is set, we just don’t know.

 

Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.

Brexit: Do you need an EU Representative?

December 2020

Amongst the current whirlwind of Brexit-related stuff – international data transfers, adequacy decisions and possible UK data regime divergence – it would be easy to overlook the GDPR requirements regarding appointing an EU representative.

As of 1st January 2021 organisations in the UK, like others based outside the European Economic Area (EEA), may fall under this obligation. Conversely, organisations based outside the UK may fall under a requirement to have a UK representative.

Do you need an EU representative?

If you’re based in the UK and;

  • offer goods and services to individuals in the EEA
    or
  • monitor individuals’ behaviour in the EEA

And

  • you don’t have a branch, office or establishment in an EEA state

You’ll need to appoint an EU Representative.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to individuals in the EU.

The mere fact that your website is accessible from the EU isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ that your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation;

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Rep.

You will not need to appoint a representative if:

  • you are a public authority
    or
  • your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we are a small business and our answer to all the above questions is NO.

However, if you are actively targeting marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

You’ve established that you need an EU Representative? Before choosing a company to provide this service, you need to know what their responsibilities are.

Your EU representative has the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies.

However, you should be mindful you need to pick a relevant country, if your clients/customers are primarily Italian, your representative should be based in Italy.

What about UK Representatives?

Under UK GDPR (which will sit alongside an amended version of the UK DPA 2018) there will also be an obligation on organisations based outside the UK to appoint a UK representative if they have no office, branch, establishment in the UK and they;

  • offer goods and services to UK citizens
    or
  • monitor the behaviour of UK citizens

Again, if your processing of UK citizen’s data is occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, the requirement for a UK Rep will not apply.

Finally, if you haven’t done so already, any UK organisation needs to update its policies and privacy notices to reflect that the UK is now outside the EU. You may also need to double-check any DPIAs and other assessments regarding international data transfers.

On a recent ICO Brexit webinar someone asked whether policies and notices need to be updated by 1st January 2021. The response was organisations should make efforts to make sure documentation is revised but, as always, the regulator would take a ‘proportionate and reasonable’ approach.

I think it’s fair to say there’s a little breathing space, but we recommend businesses do this sooner rather than later.

 

Need a UK Rep? If you are based outside the UK, we offer a UK Representative Service. Get in touch 

Also see the ICO’s Guidance on EU Representatives

 

Evaluating the management of privacy choices

November 2020

The challenge for multi-nationals when addressing privacy choices

With international operations, many different stakeholders, and personal data and communication privacy laws that vary around the world, multinational organizations are increasingly challenged with addressing choice.

This is especially true now that some privacy laws require organizations to publish information on their website about the number of choices they receive, whether they denied or complied with those choices, and the average amount of time needed to fully address them.

From incorporating flags or building out existing systems, standing up ticketing systems to facilitate internal choice requests and enterprise-class preference centers, organizations have more solutions available today than ever before.

Yet, what is good for one organization might not be the right solution for another. In our experience, the right solution is effective, lean and nimble.

The following offers insight into how an organization might gather the information about their choice management efforts needed to prepare for change, address inefficiency or evaluate different strategies and solutions.

What choice means, how it applies and who is responsible

At the heart of the matter, “choice” is a central tenet of privacy, marketing and communication laws all over the world. Organizations must understand what choice means in relation to their business, especially across internal stakeholders, processing activities, systems and business partners.

Choice may be relevant to whether an organization can process personal data lawfully or use it in support of a specific business purpose.

For example, some processing activities require the organization to establish a legal basis before processing can begin; which may be dependent upon offering and capturing “valid” choices.

Choice can also apply to how personal data is processed; such as whether an organization can leverage automated decision making or profiling techniques; or even if personal data can be transmitted or made accessible to an internal stakeholder located in another country.

Choice may relate to addressing mandatory privacy rights; such as data access, portability or deletion requests. Choice can even apply in the context of communicating with individuals in support of relational, transactional and marketing needs and objectives and across the organization’s different communication channels.

To fully appreciate the impact of choice, organizations must first catalog the applicable choices and the stakeholders responsible for addressing choice.

Organizations can often rely upon existing information to facilitate these review efforts; such as lists of processing activities, processing dataflows, and personal data inventories often maintained by privacy departments.

Additionally, getting a list of systems from IT, and a list of business partners from accounting can also help speed up and qualify the scope of the choice review.

It is also useful to build a coalition of relevant stakeholders from research and development, marketing, operations and legal to help fully inform or qualify the “choice” within the organization.

Understanding the impact of choice

With the list of discrete choices defined, work with the relevant stakeholders to define or validate the impact of fully addressing each choice.

Start by having each responsible stakeholder help define the flow of the choice from expression to completion. Be sure to include all systems, other stakeholders and business partners relevant to the choice as it progresses along the dataflow.

Additionally, note where each choice is addressed using automated procedures and where it relies on manual ones. After completely mapping out the dataflow, take the time needed to define or affirm the total labor (or cost) and the duration required to fully address each choice.

Consider the following tips when working through this exercise.

  • Choices expressing an objection to the processing of personal data for legitimate interest or direct marketing purposes typically override the organization’s ability to lawfully process such data.
  • Choices related to preventing automated decision making, profiling and “do not sell” may need to be addressed as a deletion choice to the extent the organization has no meaningful way of honoring the choice as specified.
  • Choices can be addressed by setting a flag in a customer database, by creating a record in a suppression file, or by summarily deleting the personal data involved.
  • The impact of choice relates to what the choice expressed represents, and the total effort and time required to fully address choice.
  • Automated choice processes, such as automatically updating a flag or creating a suppression record, are most often associated with communication choices.
  • Processing choices typically have a greater impact, requiring more time, resources and systems to help the organization authenticate identity, compile data from across different sources, and prepare and deliver copies of information.
  • Time and duration measurements should begin when the choice is first expressed and end when all requisite actions are complete across all the relevant processing activities, stakeholders and systems.

Benefits

Cataloging and affirming the management of choice across the enterprise helps organizations in several ways. First, this exercise helps the organization focus upon the complexity and risk profile associated with addressing choice.

This exercise can also be used to document and affirmatively demonstrate the organization is reasonably managing compliance obligations.

By completing this exercise, organizations are better able to identify where choice management efforts are duplicated, where risks are present and where additional focus may be required to address the risks identified.

Additionally, we strongly advise organizations to complete this exercise in advance of making any fundamental change to their choice management efforts, especially before implementing choice management solutions.

The resulting insight can easily be translated into RFPs, used to create development requirements and used to evaluate how closely third-party solutions align with the organization’s needs.

You’ve been SAR-bombed!

July 2020

You are at the end of a long day, just about to turn in for the night. You do one last check of your inbox for any signs of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened…

All the emails come from the same sender and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer, you note the emails include personal information, describe that “so-and-so” wants to exercise a privacy right and reference different privacy laws.

Laws you know require you to reasonably address privacy requests, with penalties should you fail to address the request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services.

Once your organisation is identified, you are likely to receive requests from the third party’s entire user base; all delivered to the email address published via your privacy statements.

Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.

The Dawn of Privacy Preference Apps

Chances are you’ve already received or honoured an individual’s privacy request received via a third party in some fashion or another. Country and channel specific regulatory “do not contact” lists have for some years allowed people to ‘opt-out’ of direct marketing “en masse.” Some third parties offer people template letters to express privacy choices with a pre-defined list of organisations that should receive them.

Mobile apps are also available to help individuals exercise their requests. One such app seeks to help individuals to identify organisations they have previously transacted with for the purposes of exercising their privacy rights and another is designed to help individuals address legal disputes.

Of course, California’s Consumer Privacy Act (CCPA) now requires organisations to process privacy requests delivered by third parties (defined as “authorised agents”). As the world’s sixth largest economy, California’s “authorized agent” mandate is likely to be replicated and to influence individuals’ expectations beyond the state.

Mindset

When addressing privacy requests delivered to you via third parties, be sure your response plan considers the people submitting these requests first. They’ve already invested some time and energy and may even have paid for the help these parties and solutions offer.

People may have turned to such third parties to assert control over their data in as broad a manner as possible. Some may be frustrated, confused or upset, and others may not be aware, or care, that your organisation has specific obligations under the law.

Your procedures to authenticate identity, validate the processing of personal data, address requests within your organisation and ensure the security of the data in your care, are likely of little concern to individuals.

Even though the law may require you to separately affirm certain requests received online, some individuals simply won’t appreciate your attempts to confirm the authenticity of their requests.

Furthermore, your requests that people follow your processes may be met with frustration, indifference and scepticism, especially when you need them to take additional action to facilitate their original request.

Your experience addressing sensitive SAR requests, such as those made by disgruntled employees or by customers punishing you for bad service, can be especially useful here.

Getting to Work

With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence and you need a systematic approach to establish whether you will deny, partially comply with or fully comply with each request.

  • Get your arms around the situation – At a minimum, you need to identify each individual, extract the personal data (as needed to authenticate their identity and confirm the data exists within your organisation) and define the rights they wish to exercise. Conduct a quick test to see how much time is needed based on the total volume.

In our example, let’s say it takes you just 90 seconds to open one of the emails, log the relevant details to your SARs system and archive the email. At 9,000 requests, you may need 225 hours to convert these SAR emails into requests that make sense within your organisation.

  • Create a structured dataset – The volume of SARs simply requires a repeatable process designed to convert the unstructured privacy email into a structured request that makes sense within your organisation. It may help to create a solution that can parse emails for relevant details and return data back to you in a structured format.

If your email platform supports it, consider exporting all the SAR emails into a Comma Separated Values or “CSV” file. Once in a CSV file, you can use your favourite spreadsheet program to make short work of your analysis and response.

  • Include key details within your structured dataset – Consider assigning a unique identifier specific to the request and sender, so that you can trace the original request across the actions needed to address it. Pull forward the personal data related to the request in a way which reflects your existing SARs authentication and matching procedures.

You may also extract demographic information into separate columns, which is especially useful if the requests reference rights across different jurisdictions or laws. Denote the privacy right (or rights) for each request. Be sure to use terms your organisation understands, to save time.

Consider assigning a reference to the jurisdiction (or law) applicable to the request; or the individual involved. For example, it may be useful to validate GDPR requests originating from Europeans differently from CCPA requests from Californians.

  • Questions relevant to developing your strategy

a. Do you have multiple requests for the same individual? Check if you have duplicates, i.e. the same individual requesting the same right.
b. Do you have requests that aren’t legally required? Check if those exercising a right are indeed subject to the right or law referenced. For example, is the individual a European (if referencing GDPR) or a Californian (if referencing CCPA)? Depending on the volume and results of this analysis, you may need to address the requests that are subject to the law first.
c. Can you act on the request as presented? Do you have evidence the third party has authority to act on the individual’s behalf? Are you able to verify their identity? If you need more information your response plan also needs to factor in developing and sending communications, and addressing the responses.

  • Creating records to demonstrate your reasonable efforts – Regardless of your specific response plan, be sure to keep records detailing what you did and the decisions you made. This may include:

1) details of your actions to assess the request
2) communications with the individual
3) actions taken internally to address the request
4) summary of results (for example whether you denied, partially or fully complied)
5) the timeframe taken to resolve
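As an added illustration of the “structured dataset” steps above (example code, not from the original article or from Harte Hanks), the routine below takes a constructed CSV export of SAR emails, parses each body into fields, maps the rights onto internal terms, tags the jurisdiction from the law cited, de-duplicates on individual plus right, assigns a request identifier that traces back to the source rows, and reports the volume and the 90-second labour estimate. The “Key: value;” body format, the term mappings and the sample rows are all assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export (sender, subject, body), as an email platform might produce.
# All names and addresses are invented; the .invalid TLD can never resolve.
SAMPLE_CSV = """sender,subject,body
portal@example.invalid,SAR request,"Name: Jane Doe; Email: jane@example.invalid; Right: access; Law: GDPR"
portal@example.invalid,SAR request,"Name: Jane Doe; Email: jane@example.invalid; Right: access; Law: GDPR"
portal@example.invalid,SAR request,"Name: Jane Doe; Email: jane@example.invalid; Right: erasure; Law: GDPR"
portal@example.invalid,SAR request,"Name: Sam Roe; Email: sam@example.invalid; Right: do not sell; Law: CCPA"
portal@example.invalid,SAR request,"Name: Sam Roe; Email: sam@example.invalid; Right: do not sell; Law: CCPA"
"""

# Assumed mapping from the wording third parties use onto the organisation's own terms.
RIGHT_TERMS = {"access": "ACCESS", "erasure": "DELETE", "deletion": "DELETE",
               "delete": "DELETE", "do not sell": "OPT_OUT_SALE", "portability": "PORT"}
LAW_TO_JURISDICTION = {"GDPR": "EU", "CCPA": "CA"}
FIELD_RE = re.compile(r"(\w[\w ]*?):\s*([^;]+)")  # matches "Key: value" separated by ';'

def parse_body(body):
    """Turn 'Key: value; Key: value' text into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(body)}

def structure_requests(csv_text):
    """Convert the raw email export into structured, de-duplicated requests.

    Returns (records, stats). Each record keeps the data-row numbers it came from,
    so the original emails can be produced when demonstrating what was done."""
    records = {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        fields = parse_body(row["body"])
        right = RIGHT_TERMS.get(fields.get("right", "").lower(), "UNKNOWN")
        law = fields.get("law", "").upper()
        key = (fields.get("email", "").lower(), right)  # same person + same right = duplicate
        rec = records.setdefault(key, {
            "request_id": f"SAR-{len(records) + 1:05d}", "sender": row["sender"],
            "name": fields.get("name"), "email": key[0], "right": right, "law": law,
            "jurisdiction": LAW_TO_JURISDICTION.get(law, "UNKNOWN"), "source_rows": []})
        rec["source_rows"].append(row_no)
    total = sum(len(r["source_rows"]) for r in records.values())
    stats = {"total_emails": total, "unique_requests": len(records),
             "duplicate_rate": round(1 - len(records) / total, 3) if total else 0.0,
             "by_law": Counter(r["law"] for r in records.values()),
             "hours_at_90s_each": total * 90 / 3600,          # triage every email
             "hours_at_90s_unique": len(records) * 90 / 3600}  # triage only unique ones
    return list(records.values()), stats
```

Requests with an unrecognised right or law land in the UNKNOWN buckets rather than being dropped, so they still appear in the records you keep.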

Adopting the approach above, my company, Harte Hanks, has addressed 9,254 email requests within just a few days. We identified that 96% of the requests delivered were simply duplicates.

The “sender” seems to have experienced a technical problem, delivering the same request on average at least 44 times and one over 1,600 times. Of the 326 “unique” requests delivered, 67 requests described rights under CCPA whereas the other 259 described rights under GDPR.

When considering the personal data delivered along with the request, we found all CCPA requests included personal details reasonably descriptive of a Californian, whereas only 16 of the remaining “GDPR” requests reasonably “described” a European.

Here’s to hoping you don’t ever experience such a deluge of requests at one time.

Further information

In the UK, the Information Commissioner’s Office addresses requests made via third party portals in its detailed Right of Access Guidance.

The ICO says that, to determine whether you need to comply with such a request, you should consider whether you are able to verify the identity of the individual and are satisfied the third party portal is acting with the authority of, and on behalf of, the individual in question.

The regulator stresses you are not obliged to take proactive steps to discover that a SAR has been made. So, if you can’t view the SAR without paying a fee or signing up to a service, you have not ‘received’ a SAR and are not obliged to respond.

Furthermore, it’s the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. In responding to a SAR you are not obliged to pay a fee or sign up to a third party service. If you are in this position, the regulator’s advice is to provide the information to the individual directly. The draft code states:

“If you have concerns that the individual has not authorised the information to be uploaded to the portal or may not understand what information would be disclosed to the portal, you should contact the individual to make them aware of your concerns.”