Using cookies – why should you bother to get match fit?

April 2021

In 2019, with new guidance, the ICO confirmed GDPR level consent is required for the placing of cookies (unless ‘strictly necessary’). In the same year, the ICO launched their investigation into AdTech and Real Time Bidding.

With the pandemic the data protection focus has been elsewhere but now, things are moving again:

  • The French CNIL fined Google and Amazon €135m for failing to obtain consent
  • The ICO restarted its investigations into AdTech
  • The Spanish DPA fined Iberia for failing to allow for the option to reject cookies

Yet, in early 2020, a research study by MIT, UCL and Aarhus Universities indicated only 1 in 10 UK websites were compliant!

What does this all mean, and should we care?

The cookie basics

Does your website have a cookie pop-up? Do you have a clear Cookie Notice explaining how you use cookies and similar technologies? Are you collecting consent for the cookies you use?

We’ve all seen the deluge of cookie notifications, some are strictly compliant, others aren’t, and plenty are downright confusing.

Not only that, but should we be thinking about more than just cookies? What about pixels, scripts, fingerprinting and plugins?

What does ‘good’ look like?

In the ICO’s updated Cookie Guidance published in 2019, the Regulator confirmed GDPR standard consent is required for the placing of cookies or similar technology, unless ‘strictly necessary’.

A lot of information can be captured with a cookie, including IP addresses and device IDs, and these are deemed to be personal data. The guidance says the following:

  • users should take a clear and positive action to consent to non-essential cookies
  • pre-ticked boxes or sliders defaulted to ‘on’ shouldn’t be used for non-essential cookies
  • non-essential cookies shouldn’t be dropped before you gain consent
  • websites and apps should tell users clearly what cookies will be set and what they do
  • it must be clear what third party cookies you use

In short, the ICO says people should be given control and it isn’t sufficient to tell them to go and change their browser settings.

‘Strictly necessary’ is strictly interpreted

Consent is not required for cookies that are ‘strictly necessary’, but these should be essential to the service you’re providing. The ICO has deemed analytics cookies to be non-essential.

(Interestingly there’s some discrepancy across European regulators on this point, the French CNIL does not take such a strict interpretation on analytics).

Where’s the harm?

In the same guidance document, the ICO also states:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals.

This sentence has been interpreted by some to mean analytics which cause low level intrusiveness, where a risk assessment has taken place and where measures have been taken to minimise harm, may be considered acceptable. Confused yet?

Where does Adtech fit in?

Also in 2019, the ICO launched a review into adtech and Real Time Bidding. This was designed to understand how the complexity of the adtech ecosystem presents a threat to the rights and freedoms of individuals.

It was particularly focussed on the compliant use of cookies, especially 3rd party cookies. This review was paused during the pandemic but is up and running again now.

The more third-party cookies you deploy and the more sophisticated technology you use, the greater the risk of complaints to highlight your non-compliance.

In reality, though, the adtech cookie show has moved on. It’s likely 3rd party cookies will disappear by themselves as the browser companies stop supporting them. Google’s announcement that Chrome will stop supporting third party cookies in 2022 sounded the death knell.

What do the public think?

Inevitably people have mixed feelings about cookies. There is increased public awareness about how we are tracked through websites, and some people are becoming savvier about how their data might be being used and shared.

Anyone can use a cookie scanner to check what cookies your website uses, and whether or not you’re being open and upfront about what you do.

Equally there are others who really couldn’t care less.

What steps to take

Practically speaking it makes sense to share with consumers which cookies are deployed as well as what they are used for. Anyone without a cookie banner now needs to get their house in order. How rigorous your cookie notice is, is a matter of judgement, as well as a careful risk assessment.

In reality, businesses often find it hard to get organised with cookies because no one team manages them. In the short to medium term here are some pragmatic actions:

  • Understand what cookies are being placed on your website(s) – are they still used?
  • Make sure you have one central point to co-ordinate the management of cookies across the business
  • Categorise your cookies, so you can separate your strictly necessaries from your non-essentials
  • For any 3rd party cookies or other technologies make sure you have some oversight over what happens to the data that is captured from your site
  • For each cookie, review the retention periods and decide how long they should be kept for – some are defaulted to a surprisingly long time
  • Make sure your cookie notice is clear and up to date
  • Decide what level of technology is needed to manage your cookie consent – there are plenty of free consent platforms for small businesses so price is no reason not to
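
The first four actions above (know what is being set, categorise it, keep oversight of third parties, check retention periods) can be turned into a repeatable check. The script below is an added example, not code from the article or from DPN: it takes the Set-Cookie headers captured on a first page load, before the visitor has touched the banner, and flags any cookie that is non-essential yet already set, that is not in the business’s inventory, that belongs to a third-party domain, or whose Max-Age exceeds a chosen threshold. The headers, the inventory, the site domain `example.co.uk` and the one-year threshold are all constructed for the illustration.

```python
"""Audit of cookies set on first page load, before any consent is given.

Added example, not part of the original article. The Set-Cookie headers,
the cookie inventory, the site domain and the retention threshold below are
constructed for illustration: in practice you would capture the headers from
a real page load made in a fresh browser profile without touching the banner.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SITE_DOMAIN = "example.co.uk"            # constructed: the site under review
MAX_REASONABLE_AGE = 365 * 24 * 3600     # constructed threshold: one year

# Constructed inventory: the category the business has assigned each cookie.
# Anything not listed here is a cookie nobody has yet taken ownership of.
INVENTORY: Dict[str, str] = {
    "sessionid": "strictly_necessary",
    "csrftoken": "strictly_necessary",
    "_ga": "analytics",
    "_fbp": "advertising",
}

# Constructed Set-Cookie headers as captured before the user has consented.
PRE_CONSENT_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz789; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.111; Domain=.example.co.uk; Path=/; Max-Age=63072000",
    "_fbp=fb.1.222; Domain=.tracker.example; Path=/; Max-Age=7776000",
    "promo_seen=1; Path=/; Max-Age=2592000",
]


@dataclass
class CookieFinding:
    name: str
    category: str                 # from the inventory, or "unknown"
    third_party: bool
    max_age: Optional[int]        # seconds, None for a session cookie
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes.
    Attribute names are lower-cased; flags such as Secure get an empty value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def is_third_party(domain_attr: str, site: str) -> bool:
    """A cookie is first-party if its Domain is the site or a parent or
    sub-domain of it; no Domain attribute means host-only, i.e. first-party."""
    if not domain_attr:
        return False
    domain = domain_attr.lstrip(".").lower()
    site = site.lower()
    return not (domain == site or site.endswith("." + domain)
                or domain.endswith("." + site))


def audit_pre_consent(headers: List[str], inventory: Dict[str, str],
                      site: str, max_age_limit: int) -> List[CookieFinding]:
    """Apply the article's checks to each cookie dropped before consent."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        category = inventory.get(name, "unknown")
        raw_age = attrs.get("max-age", "")
        max_age = int(raw_age) if raw_age.isdigit() else None
        finding = CookieFinding(name, category,
                                is_third_party(attrs.get("domain", ""), site),
                                max_age)
        if category == "unknown":
            finding.issues.append("not in inventory: categorise it or remove it")
        elif category != "strictly_necessary":
            finding.issues.append(f"{category} cookie set before consent")
        if finding.third_party:
            finding.issues.append("third-party cookie: confirm what happens to the data")
        if max_age is not None and max_age > max_age_limit:
            finding.issues.append(
                f"retention of {max_age // 86400} days exceeds the "
                f"{max_age_limit // 86400}-day threshold")
        findings.append(finding)
    return findings


def cookies_needing_attention(findings: List[CookieFinding]) -> List[str]:
    """Names of the cookies that need a decision from the cookie owner."""
    return [f.name for f in findings if f.issues]


if __name__ == "__main__":
    for f in audit_pre_consent(PRE_CONSENT_HEADERS, INVENTORY,
                               SITE_DOMAIN, MAX_REASONABLE_AGE):
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.name:<12} {f.category:<19} {status}")
```

Run against the constructed headers, the two strictly necessary cookies pass, `_ga` is flagged both for being set before consent and for a two-year lifetime, `_fbp` for being a third-party cookie, and `promo_seen` for not being in the inventory at all. The parser only reads Max-Age; a cookie that uses an Expires date instead would need that attribute parsed too before its retention can be judged.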

In conclusion providing no help for consumers to understand what cookies are used should be a thing of the past. How you interpret the ICO guidance is a matter of judgement and a risk assessment. So long as you carry out that assessment and are able to explain your decisions you are in a stronger position than if you did nothing.

Managing data deletion, destruction and anonymisation

March 2021

Clearing out personal data your business no longer needs is a really simple concept, but in practice it can be rather tricky to achieve! It throws up key considerations such as whether to anonymise and how to make sure it’s deleted or securely destroyed.

Let’s take a look at this in more detail…

Data retention and schedule

Businesses must only keep personal data as long as necessary and only for the purposes they have specified.

To manage this legal obligation successfully, you’ll need to start with an up-to-date data retention policy and schedule.

These should clearly identify which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances you might need to hold it for longer.

If your data retention policy or schedule is lacking, first focus on making sure they are brought up to scratch. If you’d like to find out more, please take a look at DPN’s Data Retention Guidance.

Steps to take when the retention period is reached

These are the 5 key steps when an agreed retention period (as shown on your retention schedule) is reached.

  1. Identify the relevant records which have reached their retention period
  2. Notify the relevant business owner to confirm they are no longer needed
  3. Consider any changes in circumstances which may require longer retention of the data
  4. Make a decision on what happens to the data
  5. Document the decision and keep evidence of the action

Making the right decision when the retention period is reached

There are different approaches an organisation can take when the data retention period is reached, such as:

  • Delete it – usually the default option
  • Anonymise it
  • Securely destroy it – for physical records, such as HR files

Deletion of records might seem the obvious choice, and it’s often the best one too.

But take care how you delete data. Sometimes deleting whole records can affect key processes on your systems such as reporting, algorithms and other programs.

Check with your IT colleagues first. In some situations, you may decide it’s better to anonymise the data.

Can and should we anonymise personal data?

Most organisations want to extract increasing information and value from their digital assets. In some situations, it can be helpful to remove any personal identifiers so you can keep the data that remains after the retention period has been reached. For example,

  • You might want to continue to provide management information or historical analysis, which you can do in an anonymised form. This is quite common
  • If you have data of historic marketing campaign responders, you may wish to keep certain non-personal campaign data in an anonymised form for reporting or analytical purposes, such as response volumes by segment, phasing of responses, and so on
  • If you hold records of job applicants you may wish to keep certain demographics (such as gender or diversity information) in an anonymised form. This might support your equal opportunities endeavours

To be clear, anonymisation is the process of removing ALL information which could be used to identify a living person, so the data that remains can no longer be attributed back to any unique individuals.

Once these personal identifiers are deleted, data protection laws do not apply to the anonymised information that remains, so you may continue to hold it. But you have to make sure it is truly anonymised.

A word of caution…

The ICO highlights that you should be careful when attempting to anonymise information. For the information to be truly anonymised, you must not be able to re-identify individuals.

If you could, at any point, use any reasonably available means to re-identify the individuals, the data will not have been effectively anonymised, but will have merely been pseudonymised. This means it should still be treated as personal data.

Whilst pseudonymising data does reduce the risks to data subjects, in the context of retention it is not sufficient for personal data you no longer need to keep.

So the conclusion is simple – make sure you remove ALL personal identifiers so the data is truly anonymised.

How to manage deletion

There are software methods of deleting data, which may involve removing whole records from a dataset or overwriting them, for example overwriting the personal identifiers in the data with zeros and ones.

Once the personal identifiers are overwritten, that data will be rendered unrecoverable, and therefore it’s no longer classed as personal data.

This deletion process should include backup copies of data. Whilst personal data may be instantly deleted from live systems, personal data may still remain within the backup environment, until it is overwritten.

If the backup data cannot be immediately overwritten it must be put ‘beyond use’, i.e. you must make sure the data is not used for any other purpose and is simply held on your systems until it’s replaced, in line with an established schedule.
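
To make the retention steps, the anonymisation test and the overwriting method above concrete, here is an added example (not the article’s or DPN’s own code). It works through a constructed set of marketing campaign responders: it picks out the records whose retention period has been reached, reduces them to response counts by segment and month so that no identifier survives, shows why merely replacing names with tokens is pseudonymisation and leaves the data personal, and overwrites the identifiers in a record that is not worth keeping. The records, the two-year retention period, the segment field and the small-cell threshold are all assumptions made for the illustration.

```python
"""Handling records that reach their retention period: identify them,
anonymise what is worth keeping as aggregates, and overwrite the identifiers
in what is not.

Added example, not the article's or DPN's own code. The campaign responder
records, the two-year retention period, the segment field, the run date and
the small-cell threshold are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION = timedelta(days=365 * 2)      # constructed: period from the schedule
RUN_DATE = date(2021, 3, 1)              # constructed: the day the review runs


@dataclass(frozen=True)
class Responder:
    name: str
    email: str
    postcode: str
    segment: str          # non-personal campaign attribute worth keeping
    responded_on: date


# Constructed sample data: responders to a historic marketing campaign.
RECORDS = [
    Responder("Alice", "alice@example.org", "SW1A 1AA", "B2C", date(2018, 5, 10)),
    Responder("Bob", "bob@example.org", "M1 1AE", "B2C", date(2018, 5, 22)),
    Responder("Carol", "carol@example.org", "EH1 1YZ", "B2B", date(2018, 6, 3)),
    Responder("Dan", "dan@example.org", "CF10 1AA", "B2C", date(2020, 11, 15)),
]


def due_for_action(records: List[Responder], today: date,
                   retention: timedelta = RETENTION) -> List[Responder]:
    """Step 1 of the article's process: records whose retention period has
    been reached. Steps 2 to 5 (owner confirmation, decision, evidence) are
    people processes and sit outside this function."""
    return [r for r in records if today - r.responded_on >= retention]


def anonymise_to_counts(records: List[Responder]) -> Counter:
    """Keep only response volumes by segment and month. No identifier
    survives and no output row corresponds to a single record."""
    return Counter((r.segment, r.responded_on.strftime("%Y-%m")) for r in records)


def suppress_small_cells(counts: Counter, min_count: int) -> Dict[Tuple[str, str], int]:
    """Assumed safeguard: a cell with very few responders can still single
    someone out when combined with other information, so it is dropped."""
    return {cell: n for cell, n in counts.items() if n >= min_count}


def pseudonymise(records: List[Responder]) -> Tuple[List[Responder], Dict[str, tuple]]:
    """Replace identifiers with a token but keep the key. This is NOT
    anonymisation: whoever holds the key can re-identify every row, so the
    output remains personal data and does not satisfy the retention period."""
    key: Dict[str, tuple] = {}
    out = []
    for i, r in enumerate(records):
        token = f"resp-{i:04d}"
        key[token] = (r.name, r.email, r.postcode)
        out.append(replace(r, name=token, email="", postcode=""))
    return out, key


def overwrite_identifiers(record: Responder) -> Responder:
    """Deletion by overwriting, as the article describes for software
    deletion: identifiers are replaced by zeros of the same length and the
    non-personal fields stay intact. Backup copies need the same treatment,
    or must be put 'beyond use' until they are overwritten."""
    return replace(record,
                   name="0" * len(record.name),
                   email="0" * len(record.email),
                   postcode="0" * len(record.postcode))


if __name__ == "__main__":
    due = due_for_action(RECORDS, RUN_DATE)
    print("due for action:", [r.name for r in due])
    print("anonymised counts:", suppress_small_cells(anonymise_to_counts(due), 2))
    print("still personal after pseudonymising:", pseudonymise(due)[1])
    print("overwritten:", overwrite_identifiers(due[0]))
```

On the constructed data three of the four records are due, the anonymised output is a count of two B2C responses in May 2018 (the single B2B cell is suppressed), and the pseudonymised output still carries a key that maps every token back to a name, which is exactly the ‘reasonably available means’ the ICO warns about. The zero-overwrite is symbolic of the method the article names; whether the underlying storage actually discards the old bytes is a question for your IT colleagues and your backup schedule.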

Examples of where data may be put ‘beyond use’ are:

  • When information should have been deleted but has not yet been overwritten
  • Where information should have been deleted but it is not possible to delete this information without also deleting other information held in the same batch

The ICO (for example) will be satisfied that information is ‘beyond use’ if the data controller:

  • is not able, or will not attempt, to use the personal data to inform any decision about any individual or in a way that affects them;
  • does not give any other organisation access to the personal data;
  • has in place appropriate technical and organisational security; and
  • commits to permanently deleting the information if, or when, this becomes possible.

Destruction of physical records

Destruction is the final action for about 95% of most organisations’ physical records. Physical destruction may include shredding, pulping or burning paper records.

Destruction is likely to be the best course of action for physical records when the organisation no longer needs to keep the data, and when it does not need to hold data in an anonymised format.

Controllers are accountable for the way personal data is processed and consequently, the disposal decision should be documented in a disposal schedule.

Many organisations use other organisations to manage their disposal or destruction of physical records. There are benefits of using third parties, such as reducing in-house storage costs.

Remember, third parties providing this kind of service will be regarded as a data processor, therefore you’ll need to make sure an appropriate contract is in place which includes the usual data protection clauses.

Destruction may be carried out remotely following an agreed process. For instance, a processor might provide regular notifications of batches due to be destroyed in line with documented retention periods.

Don’t forget unstructured data!

Retention periods will also apply to unstructured data which contains personal identifiers. The most common being electronic communications records such as emails, instant messages, call recordings and so on.

As you can imagine, unstructured data records present some real challenges. You’ll need to be able to review the records to find any personal data stored there, so it can be deleted in line with your retention schedules, or for an erasure request.

Depending on the size of your organisation, you may need to use specialist software tools to perform content analysis of unstructured data.

In summary… 

Whilst data retention as a concept appears straightforward, it does require some planning. There are situations where it might be best to keep certain data in an anonymised form, removing all personal identifiers, when it reaches its retention period.

And it’s important you don’t ignore unstructured data or physical data, as these may also contain personal data which needs action when it’s no longer necessary for you to keep it.


Need some help with data retention, or any other data protection matter? Contact Us to discuss how DPN Associates could help you.

Help your teams to ‘do the right thing’ with personal data

January 2021

What does ‘good’ look like & how to support your teams to achieve it?

First let’s remind ourselves that data protection by design and by default requires businesses to adopt policies and procedures to make sure data protection is taken seriously across the business.

In my experience, most people are keen to ‘do the right thing’ with personal data. But sometimes they’re unsure how to go about it and if their current ways of working are adequate.

This is where well-crafted data policies can really help. Sadly, people often have a negative view of policies. In my view, that’s because there’s so much poor practice around.

People rarely volunteer to write a policy. Policies can gravitate towards becoming long-winded legalese, only serving to restate what the law requires. This ‘vanilla’ one-size-fits-all approach has very little practical value.

There is a better way. A well-written easy to read policy should communicate what good looks like for your business and explain how your people should behave to deliver good practice.

Yes, you need to take into account what the law says, but don’t shy away from stressing the benefits for your business of acting responsibly. Focus on the needs of your business sector and the unique nature of your business’s processing.

Make policies relevant. Even better if you can, tie-in the launch of improved data policies with training, which shares the main themes from the policies. This can bring them to life and improve awareness.

So where to start?

First decide which policies you actually need and how they should fit together. My favoured approach is to have just two ‘parent’ data policies, the Data Protection Policy & Information Security Policy, then link out to ‘child’ policies or procedures which sit below them.

You might consider a third parent policy, such as Acceptable Use, but personally I prefer information about acceptable use to be included within the Data Protection and Information Security policies, so people don’t have to search around.

I’d recommend you host policies on your Intranet, if you have one, and create them in the form of web pages rather than PDFs. It’s good practice to include hyperlinks to and from topic-specific guidance notes, so people can easily navigate to find more about a specific topic. This helps you to keep the parent policies short and concise – easy to digest.

Here’s a typical Policy Framework, showing the two ‘parent’ policies and examples of possible ‘child’ policies / procedures below. In practice the names & content of child policies may vary from business to business, reflecting the nature of your business.

Example of a Data Policy Framework

Let’s try some examples…

Imagine I’m processing some marketing data and want to know how long I should keep the data. I’d follow the link from the Data Protection Policy to the Data Retention Policy & Schedule – the Schedule will (hopefully) state the relevant data retention periods.

Perhaps I’d like to access my work emails via my new mobile device, so I click to move from the Information Security Policy into the BYOD (Bring Your Own Device) Policy.

There’s little point having a gleaming list of policies if nobody reads or uses them. So, make them easy to understand and easy to access. And remember they don’t have to read like War and Peace!

British Airways data breach – what can we learn?

October 2020

We’ve finally heard the UK Information Commissioner’s Office (ICO) has fined British Airways £20 million for failing to protect personal and credit card data in their 2018 data breach. A breach which affected more than 400,000 BA customers and staff.

A final decision on this has been expected for some time, we just didn’t know what the figure would be until now. The amount is a fraction of the £183 million initially announced in the ICO’s notice of intention to fine. After considering BA’s representations and factoring in the economic impacts of COVID-19 it has been significantly reduced. But it’s still an eye-watering sum, in fact, the largest fine issued by the ICO.

You can read the Information Commissioner’s penalty notice if you wish. But what are the key lessons other businesses can learn from BA’s painful experience?

Information security must be taken seriously at Board level

Modern businesses rely on data more and more to provide quality services for customers and to create competitive advantage. However, the risks to personal data are numerous, varied and ever-changing. A data breach can massively harm a business’s reputation with its customers, staff and with the world at large.

It’s often said that with power comes responsibility, so businesses need to recognise their roles as guardian and protector of the personal data of their customers and employees. We have to deliver on the promises we make, for example, in our privacy notices. Any steps your business can take to properly protect personal data and demonstrate to staff and the public how seriously you take data protection will help protect them from harm and also may help you to stand out from competitors in these tough times.

Boards need to show leadership by insisting on a strong and vigilant information security regime. I guess that means they need to be prepared to fund it too! It also means asking tough questions about the levels of data protection in place across the organisation.

Rachel Aldighieri, MD of the Data & Marketing Association (DMA), believes this is a wake-up call:

“Brexit and coronavirus have put businesses under immense financial strain. A fine of this magnitude will certainly get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO. This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.

“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. This message should resonate with businesses now more than ever.”

Security measures must not only be ‘adequate’ but also checked and verified

The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing their network.

Martin Turner, Managing Director at cybersecurity specialists Full Frame Technology, believes BA missed the basics:

“As with so many serious data breaches, this one was caused by a failure to adopt the most basic security measures, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication.

Login credentials for a domain administrator account were stored in plain text. Software code wasn’t reviewed effectively. These are issues that a cybersecurity audit should have revealed, and BA has yet to explain why this didn’t happen.”

The ICO has (finally) shown us it has teeth!

Could this be a turning point? It’s been a long time coming and many expected it to happen much sooner. The ICO have finally issued a BIG fine more in keeping with the expectations most of us had when GDPR came into force.

Nevertheless, you might feel the ICO has shown a measure of pragmatism, reducing the fine down so much from the original £183m. But it’s not great timing for any business to suffer a body blow like this.

It will be interesting to see what figure the ICO finally decide to fine Marriott International for their Starwood data breach, which first came to our attention around the same time as BA. The ICO’s original ‘intention to fine’ for Marriott was £99 million.

Should we think again about data breach insurance?

You might be thinking afresh about breach insurance. We’d suggest you shop around and pay attention to the fine print, as data breach insurance policies can vary more than you might imagine.

Don’t just look at the price as no two policies are the same and there is little consistency in the way policies are worded. The levels of cover and features on offer can vary significantly. Keep an eye out for exclusions!

One key differentiator you may wish to delve into is the level of support your insurer will provide in the event of a breach or a cyber attack. Do they have a team of specialists in place who will advise and help you to triage a live situation? This is one area where you might get just what you pay for.

This fine was long anticipated and the pandemic has definitely played its part in reducing the final amount. The travel sector has been badly impacted by COVID and £20 million will hit BA hard. BA may decide to appeal against it. It goes to show how important it is to have robust data protection and security measures in place.

COVID-19 Data Protection Guide

October 2020

None of us, apart from science-fiction writers, could have anticipated the strange world of 2020. Businesses have had to adapt quickly and pick their way through the crisis. From a data protection perspective, it’s presented us with considerable challenges.

Many organisations had to rapidly move virtually their entire workforce to a remote working environment, and quickly turn their attention to how best to collect and share COVID-related employee health data.

Then came collecting customer data for Track and Trace, and moves by some to introduce measures to monitor staff at home. And last but not least, we’ve finally seen the launch of the NHS COVID app.

Employers have, by necessity, made risk-based decisions – some of which may well need revisiting. The good news is there’s plenty of guidance and information out there to help navigate the challenges.

Here’s a short guide and some useful resources … but first of all I’ve three golden rules:

1) Is what you are doing proportionate and within people’s reasonable expectations?
2) Have you told people what you are doing?
3) Have you put appropriate measures in place to protect people’s data?

Working from home

I was speaking to a friend the other day, who told me, “as my husband works for a bank, he was always told he could never work from home.” Now he is – necessity has disrupted even the most traditional working models.

Quickly moving an entire workforce to WFH was a huge challenge for many organisations. Less so for those where people were already able to work from home, with security and data protection considerations already in hand.

As Michael Sturrock, the DMA’s Head of Public Affairs, points out:

“We have been bombarded with a plethora of new online platforms to facilitate conference calls, team working and document sharing. Inevitably, each of these have terms and conditions and privacy notices hundreds of pages in length. But are you going to read them? Or, perhaps more pertinently, are you going to tell your boss that you don’t want to use the platform that everyone else in the office is using?”

It may be worth taking another look at those terms, policies or your own guidance, now you are not in such a hurry. Robert Bond, Senior Counsel at Bristows LLP, says now’s the time to revisit and check whether you’ve appropriate measures in place to protect personal data and keep it secure:

“The lockdown has changed forever the way in which many of us work. In the first few weeks many of us were working from home in circumstances that were never anticipated by management. Now, we need to ensure that we manage our obligations regarding data protection, confidentiality, and information security if working from home and from the office have to sit side by side.”

At the beginning of lockdown, organisations had to move fast and were unlikely to have found the time to conduct a Data Protection Impact Assessment (DPIA) surrounding the move to WFH. Strictly speaking, this should have been done. And as WFH looks like it’s going to be more than a temporary measure it’s worth doing now.

A DPIA could help you to identify risks you might not have considered, and allow you to think about measures to improve your protection of personal data.

Depending on your business and operating procedures, this exercise might also help identify the need for further staff guidelines and/or necessary changes to your policies.

Useful resources:

Compliance in a work-from-home-environment by Robert Bond
Home working: preparing your organisation and staff from the National Cyber Security Centre
Data protection and working from home: what you need to know from the ICO
Getting your DPIA process on track from us here at the DPN

Employee health data

“Can we tell everyone that John in Accounts has got COVID?”

The next challenge was collecting new information about your employees and their health. In the past you didn’t necessarily need to keep a record of precisely why someone was off work. Suddenly, with a virus, you do need to know so you can protect other staff they may have come into contact with.

Furthermore, as the full lockdown lifted, some organisations have introduced temperature checks and other measures to protect their workforce.

The European Data Protection Board (EDPB) issued a helpful statement surrounding the lawful basis for processing health data of employees.

No, you don’t need consent (and in an employee context this would be tricky anyway as employees shouldn’t feel they have to consent to something). The EDPB confirmed the lawful bases were likely to be public interest or legal necessity.

The guidance also provides a helpful reminder that privacy notices should be updated to reflect the new processing of health data in the current circumstances.

Remember employees have the right to be informed, just like your customers.

My colleague Simon Blanchard has taken a look at this in more detail, and in particular at biometric data: Are you monitoring your staff’s health during Covid-19?

(As for John in Accounts, it probably isn’t okay to tell ‘everyone’ he has COVID).

Useful resource

Statement on the processing of personal data in the context of the COVID-19 outbreak from EDPB

Monitoring staff working from home

How do you make sure your employees are actually working from home?

The majority of organisations will probably rely on a mixture of trust and evidence. However, more regulated industries will be required to have measures in place, for example where you need to protect client confidentiality, monitor trading and/or check for market abuse.

Anecdotally, I have heard that companies providing software monitoring employee activity have experienced a spike in demand this year!

This is an area to tread very carefully. Remember the golden rule – is the processing you intend to carry out proportionate and within people’s reasonable expectations?

Just because you can do something, doesn’t necessarily mean you should.

Track and Trace

There have been sensational headlines about the misuse of contact details collected for track and trace purposes; stories about bar staff contacting people to ask them on a date.

And then there’s the bus worker in Cornwall who lost his job after sending ‘creepy’ messages to a woman who left her details for contact tracing purposes only!

Some organisations will be in the fortunate position of already having systems in place which can be adapted for collecting data for track and trace purposes. Others, like pubs might be collecting their customers’ data for the first time.

Here are some simple rules to follow:

1) Only collect what’s necessary (e.g. name, contact number, arrival/departure time)
2) Tell people why you need their details
3) Keep the details secure and limit access to only those who need it
4) Only share when officially requested to do so (and be aware there are scammers about)
5) Don’t use the details for any other purpose and issue clear guidance to staff
6) Delete the information securely (for example in England the requirement is to only keep this data for 21 days).

Remember, you cannot force someone to download the NHS COVID App and use the QR code. You need to offer an alternative method of collecting the information.

Useful resources

Collecting customer and visitor details for contact tracing, from the ICO
Contact tracing: 7 quick steps for collecting people’s data, from the DPN

The NHS App

The Government has faced many challenges, not least getting a contact tracing app up and running. It’s finally operational and I for one have downloaded it. Despite some issues, I believe any concerns for me are outweighed by the benefits. I know there are others that may not be so sure.

My colleague Julia Porter takes a look into the app’s privacy credentials; Is the new COVID app safe to use?

The DMA’s Michael Sturrock has also assessed it; Coronavirus contacting tracing app is privacy secure but still has issues.

There may be further data challenges ahead (anything seems possible at the moment), the key is to keep checking that what we’re doing is reasonable, that we’ve told people and consider data security at every step.

Are you monitoring staff health during COVID-19?

October 2020

As part of a suite of measures to protect their workforce against the spread of Coronavirus, some companies have put in place new measures to monitor their staff’s health in the workplace.

Some may be using questionnaires, while others have opted for more intrusive biometric measures, such as temperature testing employees as they enter the building.

A symptom commonly associated with COVID-19 is a rise in body temperature or fever. The latest Government guidelines state that anyone with a fever should self-isolate as a precaution. Of course, a rise in body temperature might not be caused by COVID-19.

Not all COVID-19 patients have a fever, and fevers could be caused by other conditions. However, temperature testing is one method used to identify which individuals might potentially pose a risk to others.

What steps should you take if you are considering introducing new tests?

Any collection and use of health data should be conducted with care, in line with the principles of data protection law. Here are some pointers.

1. Plan out your process

  • How and where will you carry out the testing? You should use contactless thermometers. If it’s in the reception area, is this likely to cause delays for people arriving for work?
  • How will you manage the contact tracing? If you will be testing visitors as well as employees and contractors, you will need to be sure you can contact them later if the need arises.
  • What steps will you take when a high temperature is detected?
  • Will you be recording negative test results, or just positives?

Also see the ICO guidance on collecting customer and visitor details for contact tracing.

2. Be open and transparent

  • Explain why you require employees to be tested and what may happen if they object to the test. It’s wise to ask employees to notify you in advance if they object.
  • Remind employees they should not attend work if they have a temperature or any other symptoms which may be related to COVID-19, or if they have had a positive test, or if they are supposed to be self-isolating.

3. Decide on your lawful basis

The European Data Protection Board (EDPB) issued a helpful statement regarding the processing of employee health data. They confirmed the lawful bases were likely to be public interest or legal necessity. They’ve said you will not need consent for this processing.

The EDPB also provided a timely reminder that your employee privacy notice should be updated to reflect any new processing of health data. By the way, you might also need to consider updating your public privacy notice if you intend to conduct temperature testing on any members of the public, e.g. visitors to your office.

4. Adopt data protection measures

  • Decide what specific data you need to capture and confirm where the data will be stored.
  • How do you plan to use the data, particularly data on positive results?
  • Who will have access to it and for what specific purposes? Don’t use it for any other purposes.
  • How long will data be retained? The retention period may differ for positive and negative results. Make sure you erase the data in a timely manner.

Also see the ICO guidance on simple security measures you can take.

In line with ICO guidance, it’s wise to carry out a Data Protection Impact Assessment (DPIA) before commencement, particularly where biometric data is gathered. A DPIA should cover:

  • Describe the proposed activity and its purpose;
  • Ensure the activity is both necessary and proportionate to the requirement;
  • Confirm how managers and employees will be notified about this new processing;
  • Identify any data protection risks;
  • Confirm any actions required to mitigate these risks.

Matthew Kay LLM, Data Protection Officer EMEA at Thomson Reuters commented:

“Covid 19 has presented challenges worldwide across different areas of business for organisations to contend with, including the requirements for close scrutinisation in respect of employee monitoring to ensure the health and safety of individuals.

But this should not be at a cost to an individual’s privacy and we must be mindful of an organisation’s responsibilities to comply with GDPR. Finding the right balance in respect of these considerations is key.”

Whilst there’s usually a strong justification for COVID-19 related measures such as this, you should bear in mind that potentially intrusive processing of employee data may give rise to new concerns and compliance risks, particularly if the processing could be viewed as excessive or disproportionate.

On 1 October the Hamburg Data Protection Authority (DPA) issued a €35.3 million fine to H&M, relating to serious breaches of employee privacy within H&M’s Service Centre in Nuremberg.

The DPA found that H&M’s workforce had been subject to extensive recording of details about their private lives since 2014.

This should serve as a timely reminder about data minimisation: organisations should collect and use only the data they really need for specified purposes. Take care not to expand your requirements beyond what is absolutely necessary and proportionate.

Data Protection by Design: Part 3 – Data Protection Impact Assessments

September 2020

Getting your DPIA process on track

Deciding when to carry out a Data Protection Impact Assessment (DPIA), and understanding how to conduct one effectively, is a challenging area.

I’ve come across cases where DPIAs are not being conducted when necessary, or left incomplete. Less frequently, DPIAs are over-used, creating an unnecessary burden on key teams.

DPIAs sit at the heart of Data Protection by Design, and this is part 3 of our series, following on from:

Part 1: Data Protection by Design – The Basics 

Part 2 – How to approach Data Protection by Design

Just to be clear – we may be hearing the term DPIA more frequently, but it’s not a new idea – what changed under GDPR is they were made mandatory in certain circumstances. And even if not mandatory they can be a very useful tool in your data protection toolbox.

So how do you make sure your DPIA process is on track? I’ve taken a look at the key stages you should have in place, and how to get people on-board and improve their understanding.

But first things first.

What is a Data Protection Impact Assessment?

Just to recap, a DPIA is a management tool which helps you:

  • Identify privacy risks
  • Assess these risks
  • Adopt measures to minimise or eliminate risks

It’s a way for you to analyse your processing activities and consider any risks they might pose. It focuses on identifying any risks to people’s rights and freedoms, and considers the principles laid down in data protection law.

The key is to start the assessment process early so you can make sure any problems are found (and hopefully fixed) as soon as possible in any project – be this implementing a new system, designing a new app or creating new processes.

When is a DPIA mandatory?

When considering new systems, technologies or processes a DPIA should be conducted if these might result in a high risk to the rights and freedoms of individuals. A DPIA may also be conducted retrospectively if you believe there are inherent risks.

It’s mandatory, under the GDPR to conduct a DPIA in all of the following scenarios:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
  • a systematic monitoring of a publicly accessible area on a large scale

Each EU regulatory authority has published its own list of other scenarios in which a DPIA would be mandatory. You can find the UK Information Commissioner’s Office’s list in its DPIA Guidance. It includes processing where you:

  • use innovative technology (note the criteria from the European guidelines)
  • process biometric data or genetic data (note the criteria from the European guidelines)
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (note the criteria from the European guidelines)
  • track individuals’ location or behaviour (note the criteria from the European guidelines)
  • profile children or target marketing or online services at them – it’s also worth checking the new ‘Children’s Code’ aimed at protecting children online

When a DPIA is not mandatory… but a good idea

The ICO says it’s “good practice to do a DPIA for any other major project which requires the processing of personal data.” Here are some examples of where it might be advisable to conduct a DPIA, if your processing:

  • would prevent or restrict individuals from exercising their rights
  • means disclosing personal data to other organisations
  • is for a new purpose (i.e. not the purpose the data was originally collected for)
  • will lead to transfer of personal data outside the European Economic Area (EEA)
  • involves contacting individuals in a manner which could be deemed intrusive.

What the ICO expects you to do

The ICO DPIA guidance has a handy checklist of areas to focus on:

  • provide training so staff understand the need to consider a DPIA at the early stages of any plan involving personal data
  • make sure existing policies, processes and procedures include references to DPIA requirements
  • understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary
  • create and document a DPIA process
  • provide training for relevant staff on how to carry out a DPIA

How to build a robust DPIA process

So how do you go about fulfilling the ICO’s expectations above? Here are some steps to take.

A. Getting Board / Senior Management buy-in

Growing awareness and buy-in from across the organisation is crucial. It can be helpful to highlight why DPIAs are a good thing, for example:

    • they’re a warning system – they alert compliance teams, and the business as a whole, of risks before they occur. Prevention is always better than cure
    • by identifying risks before they’ve an adverse impact, DPIAs can protect you against potential damage to your brand reputation, e.g. from complaints or enforcement action
    • they help management make informed decisions about how your processing will affect the privacy of individuals
    • they show you take data protection seriously and provide evidence, should you need it, of your compliance

Training is also important, and I’ll come on to this in a bit, but first you need to make sure your process is fit for purpose.

B. Creating a screening questionnaire

Create a quick set of questions for business owners or project leads to use, which help to identify if a DPIA is required or not.
These can ask about the type of personal data being used, whether it entails any special category data or children’s data, what the aim of the project is and so on.

The answers can be assessed to judge whether a more detailed assessment is really required or not. (It can also show where more training might be needed, if people struggle to answer the questions).

C. The DPIA itself

You need to develop a robust process for conducting a DPIA. The ICO has a template you can use, but it’s a good idea to adapt this to suit your business. Make sure it’s easy to understand and not full of data protection jargon.

These are the core aspects it needs to cover:

    • describe the processing you are planning to do – its nature, scope, context and purposes
    • assess its necessity and proportionality
    • identify and assess any risks
    • identify solutions and integrate into a plan
    • sign off and record outcomes
    • implement risk control plans
    • and finally, keep your DPIA under review

Let’s look at these seven key stages in a little more depth…

1. Describe your processing

These are some of the type of questions you’d want answers to (this is not an exhaustive list):

    • how is personal data being collected/used/stored, and how long is it retained for?
    • what are the source(s) of the personal data?
    • what is the relationship with individuals whose data will be processed?
    • what types of personal data does it involve, does this include special category data, children’s data or other vulnerable groups?
    • what is the scale of the activity – how many individuals will be affected?
    • is the processing within individuals’ reasonable expectations?
    • will data be transferred to a third party and is this third party based outside the EEA?
    • what risks have already been identified?
    • what are the objectives? Why is it important to the business and / or beneficial for individuals?

2. Necessity and proportionality

Consider the following questions (again, this is not an exhaustive list):

    • what is the most appropriate lawful basis for processing?
    • is there another way to achieve the same outcome?
    • have you ensured that the minimum amount of personal data is used to achieve your objectives (i.e. data minimisation)?
    • how can you ensure data quality and integrity is maintained?
    • how will you inform individuals about any new processing?
    • how will individuals’ rights be upheld?
    • are any processors used and if so how will you ensure their compliance?
    • how will international transfers be protected, what safeguard mechanisms will be used?
    • who will have access to personal data, does this need to be restricted?
    • where will data be stored and how will it be kept secure?
    • how long will data be retained and how will data be destroyed when no longer required?
    • have the relevant staff received appropriate data protection training?

3. Identify and assess the risks

Identify any privacy issues with the project and associated risks. These may be risks to the individuals whose data is being processed, compliance or commercial risks.

Is there potential for harm, whether this be physical, material or non-material? A DPIA should ideally benchmark the level of risk using a risk matrix which considers both the likelihood and the severity of any impact on individuals.

You don’t have to eliminate all risks, but they should be documented, and any residual risks need to be understood and, if appropriate, accepted by the business.

If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

4. Identify solutions and integrate into a plan

Develop solutions which will eliminate or minimise privacy risks and then consider how these solutions impact on the project.

It can be helpful to use the established ‘four strategies for risk management’ (the 4Ts), i.e.

    • Treat the risk, i.e. adopt measures to minimise or eliminate risk
    • Transfer the risk, e.g. outsource the processing
    • Tolerate, e.g. accept the risk if it’s within the organisation’s accepted level of risk
    • Terminate it, i.e. stop that specific processing or change the process in such a way that the risk no longer exists

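To make stages 3 and 4 concrete, here is an added example (my own illustration, not the ICO’s template or any tool the article describes) of a small DPIA risk register: it screens a project against the mandatory triggers listed above, scores each risk on a likelihood × severity matrix, applies one of the 4Ts, and reports whether a high residual risk remains (the case where the article says you must consult the ICO). The three-point scales, the 3×3 thresholds and the temperature-testing risks are assumptions I’ve constructed for illustration; adapt them to your own matrix.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Assumed three-point scale used for both likelihood and severity."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Screening triggers drawn from the article's lists (GDPR Art. 35(3) and the ICO list).
MANDATORY_TRIGGERS: Dict[str, str] = {
    "automated_decisions_with_legal_effect": "systematic and extensive automated evaluation with legal or similar effect (Art. 35(3)(a))",
    "large_scale_special_category": "large-scale special category or criminal offence data (Art. 35(3)(b))",
    "large_scale_public_monitoring": "large-scale systematic monitoring of a publicly accessible area (Art. 35(3)(c))",
    "innovative_technology": "innovative technology (ICO list)",
    "biometric_or_genetic": "biometric or genetic data (ICO list)",
    "data_matching": "matching or combining datasets (ICO list)",
    "invisible_processing": "invisible processing (ICO list)",
    "tracking": "tracking location or behaviour (ICO list)",
    "children": "profiling or targeting children (ICO list)",
}


def screen(answers: Dict[str, bool]) -> List[str]:
    """Return the mandatory-DPIA triggers that the screening answers hit (empty list = not mandatory)."""
    return [MANDATORY_TRIGGERS[key] for key, hit in answers.items() if hit and key in MANDATORY_TRIGGERS]


def score(likelihood: Level, severity: Level) -> int:
    """Risk matrix cell value: likelihood multiplied by severity (1..9 on the assumed scale)."""
    return int(likelihood) * int(severity)


def rating(value: int) -> str:
    """Assumed 3x3 matrix banding: 0 eliminated, 1-2 low, 3-4 medium, 6-9 high."""
    if value == 0:
        return "eliminated"
    if value >= 6:
        return "high"
    if value >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    description: str
    likelihood: Level
    severity: Level
    treatment: str = "tolerate"          # one of: treat, transfer, tolerate, terminate (the 4Ts)
    measure: str = ""                     # the control adopted, if any
    residual_likelihood: Optional[Level] = None   # likelihood after the measure, if it changes
    residual_severity: Optional[Level] = None     # severity after the measure, if it changes


def assess(risk: Risk) -> dict:
    """Score a risk before and after treatment; 'terminate' removes the processing and so the risk."""
    if risk.treatment not in {"treat", "transfer", "tolerate", "terminate"}:
        raise ValueError(f"unknown treatment: {risk.treatment}")
    inherent = score(risk.likelihood, risk.severity)
    if risk.treatment == "terminate":
        residual = 0
    else:
        residual = score(risk.residual_likelihood or risk.likelihood,
                         risk.residual_severity or risk.severity)
    return {
        "description": risk.description,
        "treatment": risk.treatment,
        "measure": risk.measure,
        "inherent_score": inherent,
        "inherent_rating": rating(inherent),
        "residual_score": residual,
        "residual_rating": rating(residual),
    }


def requires_prior_consultation(register: List[dict]) -> bool:
    """True when any residual risk is still high, i.e. a high risk you could not mitigate."""
    return any(entry["residual_rating"] == "high" for entry in register)


# Constructed worked example: workplace temperature testing (see the article above).
TEMPERATURE_TESTING_ANSWERS = {"biometric_or_genetic": True, "tracking": False, "children": False}
TEMPERATURE_TESTING_RISKS = [
    Risk("Readings of all staff retained indefinitely", Level.HIGH, Level.MEDIUM,
         "treat", "Record positives only; automatic deletion at end of retention period",
         residual_likelihood=Level.LOW),
    Risk("Reception staff can see every reading", Level.MEDIUM, Level.MEDIUM,
         "treat", "Role-based access limited to HR", residual_likelihood=Level.LOW),
    Risk("Recording visitors' readings without a privacy notice", Level.MEDIUM, Level.HIGH,
         "terminate", "Do not record visitor readings; screen verbally instead"),
]


def build_register(risks: List[Risk]) -> List[dict]:
    return [assess(r) for r in risks]


if __name__ == "__main__":
    print("Mandatory triggers:", screen(TEMPERATURE_TESTING_ANSWERS))
    for entry in build_register(TEMPERATURE_TESTING_RISKS):
        print(f"{entry['description']}: {entry['inherent_rating']} -> {entry['residual_rating']} ({entry['treatment']})")
    print("Consult ICO before starting:", requires_prior_consultation(build_register(TEMPERATURE_TESTING_RISKS)))
```

The residual ratings are what you would carry into the Risk Register at sign-off (stage 5); a risk left at "high" after every available measure is the trigger for prior consultation rather than something to accept silently.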
5. Sign off and record outcomes

Someone must sign-off that the DPIA is complete and be accountable for any residual risks. It’s a good idea to log residual risks in your Risk Register.

6. Implement risk control plans

7. And finally, keep your DPIA under review

There’s also lots of useful content on this in the ICO’s DPIA Guidance.

D. Awareness and Training

Once you have your questionnaire and DPIA process ready to go, it’s time to make sure people know about it! If people aren’t aware they’ll be busy doing fabulously innovative things, not considering the potential data protection issues and impact on people’s privacy.

Making sure your teams know what a DPIA is, in simple layman’s terms, is an important step – building an understanding about why it’s important and the benefits to the business as a whole.

Creating short, easy to understand, guidelines and raising awareness via other means helps reinforce the message that DPIAs are a good thing and people need to think data protection in their day to day work.

It’s also important to develop people’s skills. After all, the DPO (or the team/person responsible for data protection) can’t do this single-handed. You need key people to know:

    • what a DPIA entails
    • how to answer the questions
    • what are the types of risks to look out for
    • what type of solutions will mitigate any identified risks

Holding workshops with relevant staff to discuss how you conduct a DPIA, and / or perhaps run through an example, can help improve people’s skills. My key tip would be to try and not over-complicate things and to keep it straightforward.

In summary, whether you are required by law or not to complete a DPIA they are a useful way to make sure data protection is considered from the outset, with no nasty surprises just before your project launches!

“But it’s essential that we go live on Friday!” If I had a penny for every time I’ve heard this one. If only they’d known, or thought of, speaking to the people responsible for data protection.

Often a DPIA won’t be required, but there’ll be times when it’s mandatory or just a very good idea.


Data Protection team over-stretched?  We can review your existing DPIA process or help you to develop one. We can also do remote DPIA workshops for key members of your teams – Get in touch

Data Protection by Design: Part 2 – How to approach it

September 2020

How to implement Data Protection by Design 

Following my colleague Phil Donn’s popular article on Privacy By Design (Part 1), I’m delving into the detail of what to consider when you are developing new applications, products and services, and how to approach the assessment process.

Good privacy requires collaboration

As a reminder, Data Protection By Design requires organisations to embed data protection into the design of any new processing, such as an app, product or service, right from the start.

This implies the DPO or Privacy team need to work with any project team leading the development, from the outset. In practice, this means your teams need to highlight any plans at the earliest stages.

A crucial part of a data protection or privacy role is encouraging the wider business to approach you for your input into changes which have implications for privacy.

Building strong relationships with your Project and Development teams, as well as with your CISO or Information Security team, will really help you make a step change to embed data protection into the culture as well as the processes of the organisation.

What are the key privacy considerations for Data Protection by Design?

Here are some useful pointers when assessing data protection for new apps, services and products.

  • Purpose of processing – be very clear about the purpose(s) you are processing personal data for. Make sure these purposes are both lawful and carried out fairly. This is especially important where any special category data or other sensitive data may be used.
  • End-to-end security – how will data be secured both in transit (in and out of the app, service or product) and when it’s at rest?
  • Access controls – check access to data will be restricted only to those who need it for specific business purposes. And make sure the level of access (e.g. view, use, edit, and so on) is appropriate for each user group.
  • Minimisation – collect and use the minimum amounts of personal data required to achieve the desired outcomes.
  • Default settings – aim to agree proactive not reactive measures to protect the privacy of individuals.
  • Data sharing – will personal data be shared with any third parties? If so, what will the lawful basis be for sharing this data?
  • Transparency – have we notified individuals of this new processing? (Remember, this may include employees as well as customers). If we’re using AI, can we explain the logic behind any decisions which may affect individuals? Have we told people their data will be shared?
  • Information rights – make sure processes are in place to handle information rights. For example, can data be accessed to respond to Subject Access Requests? Can data be erased or rectified?
  • Storage limitation – appropriate data retention periods should be set and adhered to. These need to take into account any laws which may apply. To find out more see our Data Retention Guidance.
  • Monitoring – what monitoring will or needs to take place at each stage to ensure data is protected?

The assessment process

If there’s likely to be high risk to individuals, you should carry out a Data Protection Impact Assessment. This should include an assessment covering the requirements above.

Many organisations use a set of screening questions to confirm if a DPIA is likely to be required and I would recommend this approach.

In most cases it will also be appropriate for the Project team to consult with their CISO or Information Security Team. It’s likely a Security Impact Assessment (SIA) will also need to be carried out.

In fact, adopting a joint set of screening questions which indicate if there’s a need for a security assessment and/or a DP assessment is even better!

Embrace the development lifecycle

The typical stages involved when developing a new app, product or service are:

Planning > Design > Development > Testing > Early life evaluation > Production

Sometimes these stages merge together, it’s not always clear where one ends and another starts, or they may run in parallel.

This can make the timing of a data protection assessment tricky, particularly if your business uses an Agile development methodology, where the application design, development and testing happen rapidly in bi-weekly ‘sprints’.

I find when Agile is used the answers to certain data protection questions are not necessarily available early on. Key decisions affecting the design may be deferred until later stages of the project. The final outcomes of the processing can be a moving feast.

I always take the data protection assessment process for new developments step by step. Engaging with the Project team as early as possible and starting with the privacy fundamentals.

For example, try to establish answers to the following questions:

  • What data will be used?
  • Will any new data be collected?
  • What are the purposes for processing?
  • What will the outcomes look like?
  • How will individuals be notified about any new processing?
  • Is the app, service or product likely to enable decisions to be made which could affect certain individuals?

An ongoing dialogue with the Project team is helpful. This can be scheduled in advance of key development sprints and any budget decisions which could affect development.

This way the more detailed data protection requirements can be assessed as the design evolves – enabling appropriate measures and controls to protect personal data to be agreed prior to development and before any investment decisions.

Let me give you an example…

I recently helped carry out a DPIA for a new application which aimed to improve efficiency by looking at operational workflow data, including certain data on employees who carried out specific tasks.

When we started, the design was only partially known; it wasn’t yet agreed whether certain components were in or out of scope, let alone designed. Therefore data protection considerations such as the minimisation of data (to include only that necessary for the processing), appropriate access controls and specific retention periods had not been, and could not yet be, decided.

We worked through these items as the scope was agreed. I gave input as possible designs were considered, prior to development sprints. We gradually agreed and deployed appropriate measures and controls to protect the privacy of individuals.

Too often in my experience the privacy team is called in too late. This only leads to frustration if privacy issues are raised in the later stages of a project. It can cause costly delays, or the poor privacy team is pushed into making hasty decisions. All of this is unnecessary if teams know to go to the privacy team from the outset.

It can take time and perseverance to get your colleagues on board, and to help them understand the benefits of thinking about data protection from the start and throughout the lifecycle of projects. But once you do, it makes your business operations run all the more smoothly.


Can we help? Our experienced team can support you with embedding Data Protection By Design into your organisation, or with specific assessments –  contact us