Seven Deadly Data Protection Sins
We hear much about good GDPR compliance, and how to meet the seven data protection principles – to be accountable, transparent, lawful and so on. But sometimes, in order to understand what’s right, it can be helpful to consider what’s wrong.
A wise move is to learn from others to avoid making the same mistakes – which can lead to reputational damage and financial consequences.
So here, in no particular order, are the Seven Deadly Sins for processing personal data. Step into the data confessional, and remember to be honest. Ready?
Businesses that display these sins shall incur the wrath of the Data Gods (like Thor, honest) …
The First Sin – IGNORANCE
There are no excuses, brethren. We’ve known about the GDPR for a long time, and since the final text was carved on tablets of stone in May 2016, we had two years to prepare for The Enforcement. Claiming ignorance won’t wash if things go wrong – the Data Inquisitors at the ICO simply won’t have it.
Furthermore, employees can’t follow rules they haven’t been given. Training takes time and resources and might (unless you’re a data-geek like me) generate a yawn-factor. But even time, effort, costs and loss of momentum are no excuse.
Consider the tale of the ICO fining Heathrow Airport £120,000 over the loss of an unencrypted USB memory stick, which contained over 1,000 files containing personal data. It wasn’t even password protected.
In its rulings, the ICO found that while there was some internal guidance surrounding memory sticks, “the existence of guidance on an outdated intranet site was insufficient to ensure its existence was brought to the attention of staff”.
Heathrow Airport went on to admit that only TWO PERCENT of its 6,500 staff had received data protection training. This lack of training and awareness would have influenced the ICO’s decision on the size of the fine.
The ICO would expect a business to have updated GDPR training, annual refreshers, induction for new starters and specific training for specialist roles.
The alternative? A big ol’ £120,000 thunderbolt from Data Asgard.
The Second Sin – RECKLESSNESS
Repent! If you don’t know what personal data you’re processing, if you are careless as to how you collect, handle, store and share it, you cannot begin to ensure you are processing compliantly (and, as per the tablets of stone – lawfully, fairly and transparently). Understanding how personal data flows around your business is crucial – carelessness can lead to problems.
‘Ah’, you say, ‘we went to a hilltop and conducted a pre-GDPR audit. Surely this will keep the mighty Data Lords happy?’ Maybe for a while, but only if your compliance is constantly reviewed. Also, did your audit extend to those pesky cookies, third-party apps and tools you use on your website(s)? Perhaps not a high-risk area yet, but watch this space.
Recklessness is also the immortal enemy of Compliance. Have you underestimated the risks (as bad as over-estimating them)? The importance of discovering and assessing risks, and of implementing robust solutions where needed, cannot be overstated.
Again, consider the evidence before us, my liege. In September the ICO Data Lords issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017. (This was the maximum fine they could levy under the old law, the DPA 1998; under GDPR / DPA 2018 it could have been substantially higher.)
This was clearly a massive breach. In part, Equifax was found to have not conducted appropriate audits on the personal data it was processing and lacked adequate risk assessment surrounding security measures. Equifax was found to have been RECKLESS. And, verily, they were punished for it.
The Third Sin – UNPREPAREDNESS
Blessed are the Prepared. Many external privacy notices/policies stress that businesses respect and take the privacy of their customers seriously. But do you really? (this is the time to confess). To both demonstrate and meet the accountability principle under GDPR, you need to be prepared and have clear evidence to demonstrate how you comply.
Is Privacy by Design really embedded in the business or is it an afterthought?
Do you have the appropriate internal policies, processes and procedures to ensure you meet the data protection principles, process lawfully, protect the personal data you process and uphold individuals’ rights? And are your people both aware of and following the data protection policies?
– Do you have appropriate policies and procedures in place?
– Are these policies signed off by senior management?
– Are these policies in a consistent format with version control?
– Are these policies regularly reviewed, and is there a schedule for this?
– Have policies/procedures been adequately communicated to staff?
– Do staff have to read policies as part of their induction and sign to say they have read and understood them?
– Have you reviewed all the processes staff use when handling personal data?
– Have you conducted a DPIA for any processing that could be intrusive to an individual’s privacy?
– Is there a clear strategy for raising awareness of new/revised policies and procedures?
The Fourth Sin – UNPROTECTEDNESS
(not a word I know, but please give me a break)
Blessed are the Protected. GDPR Article 5.1 – Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The implementation of the terms ‘appropriate technical and organisational measures’ (TOMs) is nothing new. GDPR did not introduce these terms – they were well-established within previous legislation.
When assessing what measures and controls of information security and privacy you need to protect and secure personal data, you need to evaluate and understand the risk presented by the specific types of processing you are undertaking (see the first sin, IGNORANCE, and weep).
Back to the Equifax case. They were found to have fundamentally failed to implement appropriate TOMs, leaving personal data with inadequate protection. The Regulator’s findings revealed that personal data was:
– accessible to multiple users
– held in files that weren’t encrypted
– exposed to known IT vulnerabilities that weren’t addressed
– processed on software that was out of date
And so on…
TalkTalk was another business which suffered the wrath of the Data Lords via inadequate TOMs. You may think their status as industry giants processing sensitive personal data put them in the spotlight, but the lesser amongst you should take heed. All businesses small and big need to consider the type of personal data they are processing and adopt adequate measures and controls to PROTECT it.
The Fifth Sin – TARDINESS
GDPR Article 5.1 – Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
Those who are tardy with the retention of data may attract the all-seeing eye of the Data Lords. This is why one of the key data protection principles is: don’t keep personal data for longer than it is needed for the purpose for which you collected and are using it.
One of the failings Equifax was found guilty of was retaining personal data when there was no longer a legitimate reason to do so. Millions of records were leaked in the Equifax breach, some of which the ICO ruled should have been previously destroyed.
Data retention is also an area highlighted in the ICO’s report on eight charities in which they found personal data was being kept for too long, in some cases indefinitely. There was evidence it was being kept “in case it might be useful in future”.
It was also found that IT systems were not able to delete records, making it virtually impossible to fulfil the right to erasure. This represents a challenge for many organisations.
The message is clear – do not hold personal data for longer than you need it and ensure when it is no longer required it is deleted/disposed of securely. Old data with no lawful purpose represents an unnecessary risk.
Many organisations are ensuring they have a data retention policy and endeavouring to implement a clear retention schedule throughout the business. (See our Data Retention Quick Guide)
The Sixth Sin – INEFFECTIVENESS
The Sixth Sin is often spawned from a horrible union of the first two. If your staff are IGNORANT, and your business behaves in a RECKLESS way, you are likely to be INEFFECTIVE when it comes to handling individual rights and personal data breaches.
The original Seven Sins tend to overlap in the same way, compounding the original offence (for example, you go to a restaurant. You’re so jealous of your friend’s pudding that you order two for yourself, thus displaying both ENVY and GLUTTONY. When you feel sick from eating too much, you miss work, which displays SLOTH).
In all seriousness, it’s apparent GDPR has led to more individuals exercising their rights – be it for subject access, rectification or erasure. For many businesses this is proving challenging, doubly so if processes to handle information rights aren’t match-fit.
The risks of getting it wrong go beyond individuals complaining to a supervisory authority. They also have the right to an “effective judicial remedy.” In plain English? They can lawyer-up and serve you papers directly. Forget thunderbolts, a battalion of lawyers can be much worse.
Inefficiency is also dangerous when it comes to data-breach reporting. Under the new notification regime (i.e. within 72 hours of becoming aware of a breach representing a ‘risk’ to data subjects), it’s critical you act quickly and efficiently, with processes in place to ensure you have all the facts and a plan to mitigate any risks.
Yes, an onerous task, but as the saying goes, fail to prepare and prepare to fail. Remember, you can always add to an initial notification with further information as your investigation continues.
The ICO recently revealed it has been receiving 500 ‘incident’ reports a week by telephone since GDPR came into force, a third of which were unnecessary or failed to meet the requirements for a data incident. ICO Deputy Commissioner James Dipple-Johnstone revealed that one mistake many organisations are making is to think the ‘72 hours’ means ‘working’ hours.
In reality, it is 72 hours contiguously from becoming aware of the breach. If this is on a Friday afternoon, you won’t be having a weekend. The ICO has also reported that many incident reports are incomplete, with some degree of ‘over-reporting’.
Back to Equifax: it was found guilty not only of a delay in reporting, but also of providing initial information that was deemed to be incorrect.
– Are staff aware of what might constitute a data incident or breach?
– Do we have a clear incident reporting process, and are our staff aware of this?
– Do we have a comprehensive and consistent incident log?
– Have we identified and briefed a key group of people who will be called upon to manage a potential data breach efficiently and effectively?
– Do we have a methodology for rating risk?
– Do we have a communication strategy for when a ‘high risk’ to individuals is identified (and we are thereby under the obligation to notify affected individuals)?
– Do we have a plan for managing reputational damage in the event of a breach?
The Seventh Sin – COMPLACENCY
The COMPLACENT person thinks the Data Lords are too busy with others to notice his or her transgressions. “Ha,” they say (probably planning on ordering two puddings with lunch), “they’re too busy hurling thunderbolts at the Big Sinners to worry about little old me. More money in the budget for dessert. And a cheese-board.”
Indeed, the ICO has reported a 100% increase in complaints since GDPR, and many organisations might be tempted to think regulators are more interested in the ‘low-hanging fruit’ of high-profile, data-dependent businesses doing really bad stuff. Such complacency is dangerous, especially under the GDPR.
Even if you never catch the ICO’s eye… you don’t actually have to. Any disgruntled customer with an ounce of data-savvy (and a lot of them have nowadays) can issue a Subject Access Request, find fault in the information they’ve been provided with, hire a lawyer or engage an advocacy group. That, in turn, can lead to a forensic audit of your data protection arrangements by regulators or the courts.
The complacent will be UNPREPARED. And that’s a data-sin too.
So, don’t be a sinner! Sensible, transparent data protection arrangements help look after your customers. Happy customers engage with you, are more likely to trust you and less likely to want to waste your time. Sinners, on the other hand, may well get the customers they deserve.
Philippa Donn, October 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.