Emma Willis

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year and with Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18 month transitional period so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved then Privacy Shield commitments will need to be updated by 30th March 2019 so it is advisable to start to look at this now.

So what do you need to do?

• Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.
• If transferring HR data then the HR Privacy Policy will also need to be updated.
• Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield Certified business then you should make sure that steps are being taken to make the relevant changes in time.

Get in touch

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to contact us today.

It’s been six months since GDPR came into effect on 25th May. Despite the Y2K like panic in the run up to May, the world did not come crashing down and despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.

But what has happened in the last 6 months and what is still to come?

ICO updates

Over the last six months the ICO have made several updates to their online guidance, including:

• A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide and also a separate detailed publication – here
• Individual sections on each core principle including guidance and practical examples – here
• A significantly expanded section on international transfers – here
• A significantly expanded section on the exemptions, including those in schedules 2-4 of the Data Protection Act 2018 – here
• Updated security guidance – here
• New guidance on encryption and passwords for online services – here

The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right is also applicable to data held in backups and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. For delayed erasure for backups they maintain the position that it is important to put the data ‘beyond use’. They’ve also finalised the detailed guidance on children and the GDPR.

The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more that for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to threaten an individual’s security. Organisations are encouraged to call the ICO helpline before making a report – and remember if you are in any doubt you can always ask Teal Compliance who are always on hand to help!

Consultations/Feedback

On 12th November 2018, the ICO issued it’s consultation on the new proposed Direct Marketing Code.

The Data Protection Act 2018 required the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new E-Privacy Directive is finalised. The consultation is open until 24th December.

The ICO is also asking parents, carers, and those who work with children to give their views on the draft Age Appropriate Design Code which set the standards which must be followed by those who provide online services and apps for children – this consultation is open until 5th December 2018.

Fines/court cases

Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.

WM Morrisons Supermarkets Plc v Various

The Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data beach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held viciously liable for data breaches caused by employees even if they have appropriate safeguards in place.

Lloyd v Google LLC

The High Court has refused to grant leave to serve a claim form on Google Inc outside the English Jurisdiction in relation to the ‘Safari workaround’ which involved Google allegedly using cookie technology on the iPhone safari browser to obtain browser-generated information about iPhone users between 2011-2012 without their knowledge.

ICO Prosecution under the Computer Misuse Act 1990

A motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending.

Enforcement Decisions

• Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix
• Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law
• Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data
• Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017
• Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place

In addition, there have been a number of fines relating to nuisance emails/calls –

• Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)
• ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)
• Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)
• Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls

All of these cases highlight that ICO will act where it becomes aware of a data breach or due to breaches of PECR, so it’s more important than even to make sure that your processes are up to date being used by your employees AND just as importantly that you have all the documentation you need to demonstrate accountability just in case the ICO do get in touch with you.

E-Privacy update

The controversial update to PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.

Get in touch

Contact our experts at Teal Compliance if you have any data compliance related questions. An initial call is always free.

With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018.  Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

• There is an ‘adequacy decision’ in place; or

• There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

• A legally binding and enforceable instrument between public authorities or bodies;

• Binding corporate rules (BCRs);

• Standard data protection clauses adopted by the Commission;

• Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

• An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

• Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

• Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.

You can find out more here through these links:

• Gov.UK – Data Protection if there’s no Brexit deal
• ICO – International Transfers

Get in touch

If you’d like to discuss our data protection services, then contact one of our helpful experts today.

With conflicting advice still available on the ICO website there seems to be a lot of confusion around exactly what a data subject is entitled to when they exercise their right of access under GDPR.

Many data subjects still seem to think that this right entitles them to receive a full copy of their file free of charge, when actually that will not be the case 99.9% of the time.

The Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data, including-

• The purpose for processing the data and how you will process the data

• The retention periods you will apply

• Who you will share the data with.

You provide this information in your privacy notice which should be given at the point of collection and you will provide a link to the information on your website.

The Right of Access

Individuals have the right to access their data, and can make a ‘subject access request’ verbally, in writing or even via social media (don’t forget to check your tweets!).

You now have one calendar month instead of 40 days to respond to the request and you can no longer charge a fee.

The data subject is entitled to –

• Confirmation that you are processing their data

• A copy of their ‘personal data’ (we will come back to this in a minute!)

• Other ‘supplementary’ information which is basically the information you provide in your privacy notice.

But what exactly does ‘a copy of the data’ mean?  You will be pleased to know that by and large this does not mean that they are entitled to a copy of the entire file of papers.  A ‘copy of the data’ is basically that, a list of the data fields that you process, which can identify the data subject (name, address, date of birth etc.).

Where it becomes slightly complicated is if it is possible to identify the data subject from the information you are processing then that information may also be personal data.  In a recent ICO live chat I was given the example of where you hold on file an email from an individual complaining about the data subject.  Whilst I did engage in a long debate with the representative about whether this would be appropriate for a law firm to disclose, or potentially for an employer to disclose where an investigation was being carried out for example, the conclusion from the ICO was that I would need to consider this type of document carefully and make a decision about whether there was a valid reason to withhold the document or not.

In situations where you are simply instructing a third party, for example a letter to an expert which sets out the name, address and contact details of the data subject, but is then just a business to business email giving instructions on work to be carried out, then a copy of this letter would not need to be provided.

General Points

• Review the types of communications you will have on your files – if any of them ‘could’ fall within the definition of personal data then make sure your staff are aware to consider these and flag them to the DPO for confirmation of whether they need to be included in the response of not.

• Data subjects can only be given a copy of their own data – an individual cannot request information on behalf of a partner for example.

• If a data subject requests something specific, for example a copy of a specific email by date or a copy of a specific call recording then you should look to provide this.

• You should ensure your staff are trained to recognise a request (remember social media!).

• You should have a documented process and should keep a log of all requests.

• The ICO’s Subject Access Request Code of Practice has not been updated for GDPR yet.

Get in touch

99% of the requests you receive will be straight forward but for that 1% which you maybe aren’t so sure about, remember you can use our ‘Ask Teal’ service, or simply contact one of our experts today.

GDPR 25th May….  It’s the date we have all been working towards, some of us for many months. But what happens on 26th May, and the day after that?

Well, initially we all have a well-deserved rest over a bank holiday weekend, and then it’s business as usual from Tuesday 29th May.  But what is ‘business as usual’?

For those who have not been able to complete their GDPR preparations prior to 25th May, you should have an action plan to take you through the following weeks and month on the journey to compliance with the principles of the GDPR and to demonstrate ongoing accountability.

But if you have completed your preparations it doesn’t mean that you don’t have any ongoing work to do.  In order to demonstrate accountability, you will need to test your processes, test your staff and create an audit programme.

1.  Test your processes

You have created a lovely shiny process to be followed if a data subject exercises one of their rights; but does it work? You may not receive a request straight away so why not run a workshop on the basis that you have received a request and work out the steps you need to follow to comply with the 30 day timescale – use the outcome to refine your process where necessary.

2.  Test your staff

You have trained your staff but how much have they actually understood? Are your policies and procedures embedded? Test them. Send in a ‘dummy request’ and see what happens. Don’t forget to also test from a cyber security point of view – simulated phishing email tests are a useful exercise.

3.  Create an audit programme

How will you demonstrate ongoing compliance? DPOs should consider regular spot checks, especially if your business has more than one site – are the team keeping paper that you think has been destroyed? Are visitor processes being followed – turn up unannounced and you will find out!  Don’t forget that root cause analysis of complaints and data breaches will provide you with valuable insight on how well your GDPR programme has been embedded. Check your websites on a regular basis to make sure they haven’t reverted back to old versions of any of your policies. Monitor social media for mentions of your business, which can be an early indicator of a data breach.

4.  Keep up to date

The draft Data Protection Bill had a provisional report stage on 9th May and as progress continues to be slow, it may not be enacted before 25th May. The E-Privacy Directive is also still stalled and could arrive at any time in the coming months so it’s definitely one to watch, and it’s always worth checking in with the ICO’s website to see updates on how they intend to enforce GDPR and what they will be looking at in the coming months.

Get in touch

Here at Teal we will of course keep you up to date through our blogs and our experts are always available to offer advice or even to come in and test your processes for you.  Find out more about our data protection services or simply get in touch with one of our experts.