Data Protection


Demystifying the role of a DPO: What is a Data Protection Officer?

At Teal, we’re often asked questions about whether law firms need a Data Protection Officer (DPO). In this blog, we’ll answer the question ‘what is a Data Protection Officer?’ and go through what the guidance says, when a DPO must be appointed, who can be a DPO, and the crucial role they play in ensuring GDPR compliance.

What is a Data Protection Officer (DPO)?

The primary responsibility of a Data Protection Officer is to inform and advise the organisation and staff on GDPR compliance. This comprehensive role encompasses monitoring compliance, raising awareness, training staff, conducting internal audits, and serving as the initial point of contact for supervisory authorities and individuals affected by data processing. The DPO takes centre stage in adopting a risk-based approach, concentrating on high-risk activities and actively participating from the earliest stages in decision-making processes.

Additionally, it’s important to emphasise that a DPO’s role extends beyond their immediate responsibilities. Although not directly accountable for overall compliance – a duty retained by the data controller or processor – the DPO undeniably assumes a key role in overseeing the implementation of the data protection strategy. Their contribution is instrumental in ensuring the organisation fulfils its data protection obligations, thereby laying a solid foundation for a robust and compliant approach.

What the guidance says about DPOs

Under the GDPR, the appointment of a Data Protection Officer (DPO) is a nuanced decision. Some organisations find it mandatory, while others may opt for a voluntary appointment or decide it’s unnecessary. The WP29 guidance (the WP29 has since been replaced by the European Data Protection Board) advises organisations to document their internal analysis to determine whether a DPO is necessary. The default assumption is that a DPO is needed unless proven otherwise. Appointing one demonstrates a commitment to GDPR compliance, but it also places specific obligations on the appointed DPO.

GDPR requirements

GDPR outlines scenarios requiring a DPO, including when an organisation is a public authority, engages in regular monitoring of individuals, or processes large-scale special data categories. The flexibility of sharing a DPO between organisations and the possibility of an existing employee taking on the role highlights the pragmatic approach of GDPR.

The Data Protection Bill

The Data Protection Bill seamlessly incorporates GDPR into UK legislation, addressing general processing and the Law Enforcement Directive. While not all businesses are obligated to appoint a DPO, adhering to best practices suggests appointing someone solely responsible for data privacy matters.

Embracing the GDPR principles of privacy by design, having a dedicated data protection champion within your business is considered essential. This strategic move aligns with the evolving legal landscape, emphasising proactive measures for privacy and data protection.

When must a Data Protection Officer be appointed?

Under the GDPR, a DPO must be appointed if the organisation is a public authority, engages in large-scale monitoring of individuals, or processes large-scale special categories of data or data related to criminal convictions.

The definition of ‘large scale’ isn’t outlined, but the guidelines say you should consider the following factors:

  • The number of data subjects concerned
  • The volume of personal data being processed
  • The range of different data items being processed
  • The geographical extent of the activity
  • The duration or permanence of the processing activity

Should you decide not to appoint a DPO, GDPR requires organisations to maintain records of their processes and any data breaches. Ensuring your business has adequate staff and resources is crucial to effectively fulfil its obligations under the GDPR.

Who can and can't be a Data Protection Officer?

The GDPR stance on appointing a DPO centres on their ability, experience, and knowledge of data protection law. While the regulations don’t suggest specific credentials, they stress that these qualifications should align with the type of processing undertaken, considering the necessary level of protection of personal data. A DPO having familiarity with your industry, sector, and the intricacies of your data protection needs enhances their effectiveness.

Opting for an external DPO is a strategic move to avoid potential conflict issues. This approach proves invaluable when an internal candidate isn’t readily available within your business to undertake the role.

The WP29 guidance offers valuable insights into individuals within a firm who are ill-suited for the DPO role due to potential conflicts of interest. This includes high-ranking positions like:

  • Chief Executive Officer
  • Chief Operating Officer
  • Chief Financial Officer
  • Head of Marketing
  • Head of Human Resources
  • Head of IT

Less senior roles may also pose conflicts if they involve deciding the purpose and means of processing.

For law firms, the Compliance Officer for Legal Practices (COLP) may be a suitable DPO, depending on their other responsibilities. The GDPR ensures DPOs receive the necessary support, maintain independence, and enjoy protected employment status, shielding them from unjust actions for performing their duties.

Law firms and Data Protection Officers

According to insights from the Law Society, the consensus is that most law firms might not require the appointment of a Data Protection Officer (DPO), because they typically don’t engage in systematic monitoring of data subjects on a large scale. This viewpoint was first outlined in a March 2018 article and then recapped in an August 2019 article, “Appoint a Data Protection Officer (DPO)”.

Exceptions arise when law firms handle special categories of data, such as health, ethnicity, political or religious beliefs, trade union membership, or the sexual orientation of their clients. In such cases, especially if processing occurs on a large scale, the consideration for a mandatory DPO appointment gains significance.

Opting for a voluntary DPO appointment can be beneficial, particularly when uncertainty exists. Seeking specialist advice is advisable for firms lacking expertise in data protection. Law firms are encouraged to keep a concise record of their decision-making process.

The decision to appoint a Data Protection Officer (DPO) is important, but regardless of your choice, promoting awareness amongst all staff about the individual handling data protection matters is crucial. This person, whether a DPO or another designated individual, should have a direct line to top-level management.

It’s important to clarify that, if appointed, a DPO isn’t directly responsible for overall compliance – that responsibility lies with the data controller or processor. Nevertheless, the DPO, along with other appointees, plays a key role in overseeing the implementation of the data protection strategy and fulfilling the organisation’s obligations.

Get in touch

At Teal, we’re here to support your journey towards compliance that works.

We understand that compliance can be a daunting word, but it’s also the key to unlocking your firm’s full potential.

Get in touch with our experts to find out how we can help with data protection compliance.



How to prepare for a cyber attack

Knowing how to prepare for a cyber attack is extremely important. This is especially so when you have a duty to protect your clients’ data.

Most of us have faced that dreaded email which sends shivers down our spine. It starts with a simple greeting, but what follows can cause much panic and stress.

“Hi, I’ve received an email from one of your team, and we suspect it may be a scam, I thought you should know.”

The action you take within the first hour of a cyber attack may spare you from potential harm, and allow you to navigate through the intricate web of digital deception unscathed. That’s why knowing how to prepare for a cyber attack is essential.

The reality of cyber attacks

We often find ourselves falling into the trap of thinking a cyber attack will never happen to us. However, the truth is that the landscape has evolved significantly. With the rise of hybrid working and increasingly sophisticated hackers, the potential risks have intensified. It takes just one unsuspecting click on a seemingly harmless link for everything to unravel.

The Cyber Security Breaches Survey 2022 sheds light on the harsh reality of cyber attacks. The findings provide valuable insights into the prevalence, impact, and consequences of these incidents. Key findings from the survey paint a compelling picture of the evolving landscape of threats that businesses and individuals face in the digital age.

1. Prevalence of cyber attacks

The survey reveals that cyber attacks continue to be a significant concern, with a staggering 46% of businesses reporting that they’ve experienced cybersecurity breaches or attacks in the past year. This highlights the pervasive nature of the threat, and the need for heightened vigilance across industries.

2. Financial impact

The financial implications of cyber attacks are substantial, with businesses estimating an average cost of £8,460 for identified breaches. The survey reveals that larger organisations tend to face higher costs, with the average cost reaching £15,000. These financial consequences emphasise the importance of robust cybersecurity measures as a critical investment.

3. Human factors

Human error is still a leading cause of cybersecurity incidents, with phishing attacks being the most prevalent method of compromise. The survey highlights the need for comprehensive training and awareness programmes to empower individuals to recognise and mitigate potential threats effectively.

4. Consequences of cyber attacks

The impact of cyber attacks extends beyond immediate financial losses. Breaches can lead to reputational damage, loss of customer trust, and legal ramifications. The survey underscores the importance of incident response and recovery plans to minimise the long-term consequences of cyber incidents.

5. Proactive measures

The survey highlights the increasing adoption of proactive cybersecurity measures among businesses. This includes implementing cybersecurity policies, conducting regular risk assessments, and investing in security software and hardware. These measures show the growing recognition of the need to prioritise cybersecurity to safeguard sensitive data.

Now more than ever, it’s crucial for organisations to acknowledge the real and imminent dangers posed by cybercriminals. The evolving tactics and techniques employed by these individuals demand heightened awareness, proactive measures, and a collective commitment to cybersecurity.

What to do during a cyber attack

When faced with a cyber attack, you need to understand the urgency of the situation and move swiftly. Within the first hour, you should implement your response plan to contain the issue. We recommend that the following steps be taken within the first hour.

1. Thorough system analysis

Engage an IT expert who specialises in cyber attacks. They’ll meticulously examine your systems to assess the extent of the breach. This comprehensive analysis provides crucial insights into the nature and impact of the attack.

2. Reinforcing security measures

Securing your digital assets is important, so swiftly take actions such as changing email logins and passwords. Additionally, isolate the breach to prevent further contamination of your systems, safeguarding the unaffected areas.

3. Strengthening authentication

To fortify your defences, promptly implement two-factor authentication if you’ve not done so already. This adds an extra layer of security to protect sensitive information and ensure that only authorised users gain access.

4. Dedicated support team

To address the concerns and enquiries of your stakeholders, assign a dedicated member of your team to respond promptly and provide accurate information. Their role is crucial in keeping open lines of communication and offering reassurance during the incident.

5. Communication

There’s a need for seamless communication so make sure you brief your call team. This will ensure there’s an uninterrupted service and streamlined communication channel for your clients and stakeholders.

6. Transparent communication

Openness and transparency are paramount. We would suggest posting a detailed explanation of the incident on your website, ensuring your clients are informed about the situation.

Simultaneously, send an update to your mailing list. Recommend that anyone who has received the scam email contacts their IT department immediately.

Incidents like these often serve as a stark reminder of the cunning and sophistication of cybercriminals. Despite regular screening of your systems, you can still experience an attack due to the ever-evolving threats we face from the baddies!

How to prepare for a cyber attack

Here are our top three tips on how to prepare for a cyber attack, which will enable you to respond swiftly to a cyber attack situation and ensure effective damage control.

1. Have a comprehensive plan in place

One of the key factors that will enable you to respond quickly is ensuring you have a well-defined disaster recovery plan ready to be implemented as soon as an issue arises.

It’s crucial for every organisation to proactively establish a plan before any potential exploitation occurs. This plan can be as simple as naming a point of contact who’s familiar with disaster recovery protocols and can immediately initiate necessary actions to mitigate further damage.

While the aftermath can be addressed over time, having someone who knows how to promptly secure the systems is essential.

2. Build relationships with cybersecurity experts

In the face of an attack, wasting valuable time searching for reliable cybersecurity professionals is an unfortunate setback. We highly advise establishing connections with competent cyber experts in advance and having their contact details readily accessible.

By having trusted experts on hand, you can swiftly engage their services during emergencies, minimising response time. This will optimise the chance of a successful resolution. If needed, we’re happy to share the details of our own cybersecurity specialist, whose expertise has been invaluable to us. Get in touch.

3. Prepare clear and transparent communications

When faced with a crisis, it may be tempting to keep the situation under wraps and avoid acknowledging any issues. However, we firmly believe that adopting an open and honest approach is the most effective way to handle such situations.

By being transparent with stakeholders and those who may be affected, firms can prove their commitment to protecting individuals and keeping trust. It’s crucial to have a well-thought-out communication strategy in place, ensuring that key messages are prepared in advance to promptly inform and address concerns.

It’s important to recognise that even major institutions with substantial worth have vulnerabilities and have experienced exploitations, such as ransomware attacks. While it’s impossible to completely avoid all risks, being prepared to handle problems swiftly when they arise is an invaluable skill.

Gaining valuable insights from a cyber attack

One fundamental truth holds: you can’t glean valuable insights from a situation that’s swept under the carpet and hidden from view. By embracing this principle, you can swiftly recognise the approach you should choose, enabling you to draft the necessary wording promptly and issue your message effectively.

When this happened to us, we were able to effectively reflect on the experience. We realised the potential benefits of preparing such communications in advance, as a proactive measure. With this realisation, we’ve now taken proactive steps to create a repository of pre-drafted messages, ensuring we’re better equipped for any future challenges that may arise.

We were also reminded of the strength and resilience that lies within our network. It was the collective watchfulness and genuine care of individuals in our community that helped to fortify our defences against cyber threats.

While we sincerely hope that you never encounter a day like the one we experienced, we believe that preparation is key. Having a well-defined plan in place in advance will undoubtedly enhance your readiness and ability to navigate unforeseen circumstances.

Get in touch

As data protection experts, we work with firms to ensure that procedures and controls are in place to protect the data they process. We offer training courses for staff on protecting clients and themselves from cybercrime and data loss. If you’d like to speak to one of Teal’s experts about how we can help, simply get in touch.



Do you have to collect CDD on employees of clients?

This is a question I get asked loads of times!

In fact, last week I had a client who has a policy of asking for ID for employees, and their client refused citing Data Protection concerns. I’m not planning to go into the data protection issues here, but instead whether you have to ask for it.

To get to the answer here, we need to start with the law.

The law requires, in connection with a client who is not a natural person (I prefer using the word human here!), that you obtain and verify certain information about the entity. For a company, that is:

  • name,
  • company number,
  • registered office,
  • the law to which it is subject,
  • its constitution,
  • the full names of the board and senior persons responsible for it.

In addition, you need to identify and verify the ultimate beneficial owners.

So, do we need ID from directors, or people who instruct us on behalf of a company?

In the original 2003 Money Laundering Regulations it was a requirement to identify and verify at least two directors, but this was removed by the 2007 regulations. I’ve found that, despite this change, many firms still have that process, whether as a legacy from the original regulations or as a risk management measure – so that they have proof a real person is connected with the company. After all, the whole point of passports and utility bills is so you can tell the police which door to knock on to talk about the entity.

I think many of the more recent queries I have had come from confusion arising from the Money Laundering and Terrorist Financing Regulations 2017, which introduced Regulation 28(10):

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a) verify that A is authorised to act on the customer’s behalf;

(b) identify A; and

(c) verify A’s identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

There was concern when this first came in that an employee or director might be thought to be purporting to act on behalf of the client. Fortunately, the Legal Sector Affinity Group Guidance helps here:

Section 6.6

Examples of someone purporting to represent might include:

  • a parent on behalf of an adult child;
  • an individual not employed by your client; or
  • a situation where the instructing person’s authority to instruct is not clear or does not make sense.

Section 6.14.9

Someone employed by your client (depending on their position or seniority) or a director of your client may be considered as having apparent or ostensible authority to provide instructions on behalf of the client, though you may seek comfort of this on a risk sensitive basis. They should not be considered to be intermediaries, agents, or representatives. Where it is not clear or apparent what their authority to instruct on behalf of the client is, CDD should not be considered to be complete.

Accordingly, it is now much clearer that “purports to act” is not intended to mean officers or employees of a company. That said, many firms still carry out individual CDD on directors, and sometimes on instructing employees who are not directors. Whilst that is not required by the Regulations, it can be useful as an audit trail for the client file in case you are challenged later on as to why you acted on instructions provided on behalf of the non-human client.


Get in touch

For more information about our AML services, please get in touch with one of our helpful experts.



Do you need a data protection officer under the GDPR?

At Teal, one of the questions we often get asked is whether or not an organisation needs a Data Protection Officer (DPO).


What the guidance says

Under the GDPR, it’s mandatory for some organisations to appoint a person to act as their DPO. Others may choose either to appoint a DPO on a voluntary basis or to decide that one is not required for the purposes of the Regulations and instead simply appoint someone to deal with data protection matters. In each case, your business will need to consider who this person should be, what their duties will be and what your business’s obligations are in relation to this person.

The WP29 guidance (the WP29 was an advisory body made up of representatives from the data protection authorities of each EU member state, the EU Commission and the European Data Protection Supervisor, which has now been replaced by the European Data Protection Board) recommends that organisations document the internal analysis carried out to determine whether or not they need to appoint a DPO. This can, for example, be via a memo to your governing body making recommendations as to whether a DPO should be appointed or not, as well as noting any decisions flowing from the recommendations. Whilst the appointment of a DPO isn’t always essential, the guidance states that organisations should assume that one is necessary unless they can demonstrate otherwise.

Although a DPO appointment will show your commitment to complying with the GDPR, you need to bear in mind that once you appoint one, they’ll have to comply with the obligations of a DPO contained in the regulations.


Under the GDPR, when must a DPO be appointed?

Under the GDPR, controllers and processors must appoint a DPO if:

  • They are a public authority or body
  • Their core activities involve large scale, regular and systematic monitoring of individuals
  • Their core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences

So, it’s the nature of processing undertaken by you, as a data controller or processor, that determines whether or not you need a DPO and you need to consider to what extent you need to process personal data to function properly as an organisation. If it is essential, it is likely that you will need a DPO.

Whilst what constitutes “large scale” isn’t defined, the guidelines say that when determining if processing is on a large scale, you should take the following factors into consideration:

  • The number of data subjects concerned
  • The volume of personal data being processed
  • The range of different data items being processed
  • The geographical extent of the activity
  • The duration or permanence of the processing activity

Even if you decide not to appoint a DPO, the GDPR requires organisations to keep records of their processing and any data breaches, and it’s important to ensure that your business has sufficient staff and resources to enable it to discharge its obligations under the GDPR.


Who can and can’t be a DPO?

The GDPR requires appointment of a DPO to be on the basis of a person’s ability to carry out those tasks, in particular, their experience and knowledge of data protection law. The regulations don’t specify the precise credentials a DPO is expected to have, but they do state that they should be proportionate to the type of processing being carried out and take into consideration the level of protection the personal data requires. Clearly it would be an advantage for a DPO to have a good knowledge of the relevant industry or sector, as well as your data protection needs and processing activities.

You can appoint an external DPO, which would avoid any conflict issues, and this is useful where there is no-one suitable within your business to take on the role. The WP29 guidance provides useful suggestions regarding the individuals within a firm who shouldn’t be the DPO, given that they are likely to be in a position of conflict because they may be responsible for determining the purposes and means of processing personal data. This includes the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of Human Resources and Head of IT. Other less senior roles may also be conflicted if they lead to determination of the purposes and means of processing. In many law firms, for example, it is likely that the Compliance Officer for Legal Practice (COLP) would be a suitable DPO. However, you would need to consider any other roles that the COLP fulfils for the firm, in particular if the COLP is also managing partner or has another senior management role.

The GDPR contains a number of protections for DPOs and places obligations on the data controllers and processors regarding their DPO, a key one being to support the DPO by providing resources to enable them to carry out their tasks. DPOs must be independent, avoid conflicts of interest and cannot receive instruction regarding the performance of their tasks. The GDPR provides DPOs with protected employment status, meaning that you cannot dismiss or sanction a DPO simply for doing their job.


What’s the DPO’s role?

The DPO’s main responsibility is to inform and advise your organisation and staff about your obligations to comply with the GDPR and other data protection laws. They are responsible for monitoring compliance with the law and regulation and with your data protection policies, and also for raising awareness of data protection issues. This includes training staff and conducting internal audits where necessary. They are also responsible for advising on and monitoring any data protection impact assessments that you may undertake, and are the first point of contact for supervisory authorities and the individuals whose data you process. The ICO expects a DPO to take a risk-based approach and, for example, to focus on the riskier activities that a business may undertake (e.g. if you process special category data).

The DPO, or their team, should be involved from the earliest stage possible in all issues relating to data protection. This should include regular participation in senior management meetings and involvement in any decision which has a data protection implication, with all relevant information being provided to them as early as possible. You should ensure that due weight is given to the DPO’s opinion and, in case of disagreement, the reasons for not following the DPO’s advice should be documented.


Law Firms

The Law Society, in its March 2018 advice article (Appointing a Data Protection Officer), took the view that most law firms will not need to appoint a DPO, given that they would not be systematically monitoring data subjects on a large scale, and reiterated this view in further advice in August 2019 (Appoint a Data Protection Officer). At the same time, it acknowledged that some firms might need to appoint a DPO where they are processing special categories of data, e.g. concerning the health, ethnicity, political or religious beliefs, trade union membership or sexual orientation of the firm’s clients, or relating to their criminal convictions and offences, and such processing might be conducted on a large scale.

Whilst firms might conclude that their processing falls outside the criteria for the mandatory DPO appointment, they may still wish to appoint a DPO on a voluntary basis – particularly if they are in any doubt on the matter. Some firms might also benefit from taking specialist advice on the matter, if they do not have the necessary expertise in their practice. Firms should keep a full record of their decision-making.

Whether you decide to appoint a DPO or not, you should ensure that all staff are aware of the existence of the person responsible for dealing with data protection matters within your organisation and the importance of their role. They must have a direct feed into your top-level management. It’s important to note that a DPO, where appointed, is not responsible for your business’s compliance with data protection law – this remains the responsibility of you as data controller or processor. However, a DPO, and indeed any other person appointed to deal with data protection matters, clearly plays a crucial role in overseeing your data protection strategy and its implementation and in helping you to fulfil your data protection obligations.


Get in touch

To find out more about our data protection and GDPR services, contact one of our helpful experts today.



Don’t forget to pay your ICO fee!

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project to ensure that the ICO fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018, organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintains a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee, ranging from £40 to £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on it. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – it is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover, and public authorities only need to go by staff numbers. There are also a number of exemptions. You don’t need to pay a fee if you are processing personal data only for one or more of the following purposes:

  • Staff administration
  • Judicial functions
  • Maintaining a public register
  • Accounts and records
  • Not-for-profit purposes
  • Advertising, marketing and PR
  • Personal, family or household affairs
  • Processing personal information without an automated system such as a computer

Since the introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations that hadn’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data for any of the non-exempt purposes and you have either not paid a fee or not paid the correct fee.

In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’s last resort, the data protection fee is going to be vital to the ICO if it’s to function properly: whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this; ensure you diarise the payment date as a key date, so you don’t end up with a fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay, or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.


Get in touch

To find out more about our data protection services, contact our experts today. 


What happens to GDPR on exit day?

GDPR during the transition period

As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.

The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.

During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.

What happens at the end of the transition period?

Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.

The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.

Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.

Adequacy Decisions

What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.

It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.

However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).

If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.

Summing Up

At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.

Get in touch

To find out more about our data protection services, simply get in touch with one of our experts today.


The ICO has teeth, and is not afraid to use them!

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximum possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their world-wide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover, this is a highly significant sum to bear for any size of firm. Would your firm be able to digest it comfortably?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?

So, in analysing the events of the past few days:

Don’t…

  • Think that the GDPR and DPA don’t apply to you? They Do!
  • Think that the ICO won’t act if you have a breach? They clearly will!
  • Relax in the mistaken belief that to have a set of paper policies alone is sufficient to demonstrate compliance? It’s not!
  • Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated? The Regulation requires it!
  • Ignore the importance of regular awareness training for all staff at all levels and for new staff inductions to place an appropriate level of emphasis on the firm’s data protection culture? It’s a vital contributor to effective breach recognition and management!
  • Be afraid of enlisting outside help? A third pair of eyes can assist objectively and save huge amounts of valuable internal time!

Do…

  • Ensure that DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.
  • Ensure that your Privacy Statement is up to date and the internal contact details are accurate.
  • Ensure that your DP policies are up to date and regularly reviewed, and the reviews documented.
  • Ensure that your IT systems are up to the task and, if appropriate, regularly penetration tested and the findings acted upon.
  • Ensure that your DP team is meeting regularly, and their meetings and action plans documented.
  • Ensure that a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.
  • Ensure that your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.
  • Ensure that there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

Get in touch

The ICO’s actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

If you’d like more information on data protection, or would like to find out how we can help, simply get in touch with our experts today.


Time to audit data compliance?

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing an audit will allow an organisation to demonstrate accountability with the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, it’s a good idea to start with a full audit/GAP analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employment and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your processes and controls to provide assurance that your organisation’s policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed – ask IT to check whether you are holding data that should have been deleted?
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date?
  • Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creation of policies/procedures to carrying out an independent annual audit. This can be done as a stand alone piece of work or as part of our DPO support service. Get in touch with our experts today.


The Data Protection Regulations Amendment 2019

Draft Regulations to create a ‘UK GDPR’ were published by the Government this week to ensure that the UK is ready for Brexit. The Data Protection Regulations Amendment 2019 introduce a large number of technical amendments to the GDPR, the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations 2003 (PECR). The Withdrawal Act makes provision for the GDPR to form part of UK domestic law from 30th March 2019 as a ‘UK GDPR’.

But what does this mean in practice?

  • The text of UK GDPR is fundamentally the same as the GDPR which came into force on 25th May 2018, but it will correct language deficiencies from the European text
  • Extra-territorial application is retained – non-UK controllers and processors that sell into the UK or monitor UK residents online will have to comply with the UK GDPR
  • In some circumstances, non-UK controllers will need to appoint a representative within the UK
  • Previous EU adequacy decisions are revoked BUT the UK will deem EEA countries, EU and EEA Institutions and Gibraltar as having adequacy decisions
  • The ICO will be responsible for standard contractual clauses to facilitate the export of personal data from the UK and will not need EU Commission approval
  • The ICO will continue to be able to authorise new binding corporate rules
  • The ICO will be responsible for any tasks previously undertaken by other EEA Supervisory Authorities for processing of personal data of UK residents
  • PECR will be amended to align the definition of consent with the UK GDPR

UK-based businesses that deal solely with UK-based personal data will largely remain unaffected. But if your business deals with non-UK business partners and there is a transfer of UK personal data, then you will need to review carefully whether any of the changes will affect you (don’t worry, Team Teal can help!).

The Regulations still need to be approved by Parliament so watch this space.

Get in touch

If you need help with data protection and GDPR, get in touch with our experts today.


EU-US Privacy Shield and Brexit – What you need to know

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year. With Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18-month transitional period, so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved then Privacy Shield commitments will need to be updated by 30th March 2019, so it is advisable to start looking at this now.

So what do you need to do?

  • Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.
  • If transferring HR data then the HR Privacy Policy will also need to be updated.
  • Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield Certified business then you should make sure that steps are being taken to make the relevant changes in time.

Get in touch

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to contact us today.
