Data Protection

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project by the ICO to ensure that the fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintain a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on the fee. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – and is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover and public authorities only need to go by staff numbers. There are a number of exemptions; you don’t need to pay a fee if you are processing personal data only for one or more of the following purposes: staff administration; judicial functions; maintaining a public register; accounts and records; not-for-profit purposes; advertising, marketing and PR; personal, family or household affairs and processing personal information without an automated system such as a computer.

Since introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations who haven’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data, for any of the non-exempt purposes and you have either not paid a fee or not paid

the correct fee. In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’S last resort, the data protection fee is going to be vital to the ICO if it’s to function properly as whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this and ensure you diarise the payment date as a key date, so you don’t end up with fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.

GDPR during the transition period

As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.

The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.

During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.

What happens at the end of the transition period?

Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.

The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.

Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.

Adequacy Decisions

What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.

It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.

However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).

If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.

Summing Up

At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximam possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine fines accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their world-wide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover this is a highly significant sum to bear for any size of firm. Would your firm be able comfortably to digest it?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?

So, in analysing the events of the past few days: –

Don’t…

Think that the GDPR and DPA don’t apply to you; they do.Think that the ICO won’t act if you have a breach; they clearly will.Relax in the mistaken belief that to have a set of paper policies alone is sufficient to demonstrate compliance; it’s not.Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated; the Regulation requires it.Ignore the importance of regular awareness training for all staff at all levels and for new staff inductions to place an appropriate level of emphasis on the firm’s data protection culture; it’s a vital contributor to effective breach recognition and managementBe afraid to enlist outside help – a third pair of eyes can assist objectively and save huge amounts of valuable internal time.

Do Ensure…

That DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.That your Privacy Statement is up to date and the internal contact details are accurate.That your DP policies are up to date and regularly reviewed, and the reviews documented.That your IT systems are up to the task and, if appropriate regularly “pen” tested and the findings acted upon.That your DP team is meeting regularly, and their meetings and action plans documented.That a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.That your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.That there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

The ICOs actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year and with Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18 month transitional period so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved then Privacy Shield commitments will need to be updated by 30th March 2019 so it is advisable to start to look at this now.

So what do you need to do?

Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.If transferring HR data then the HR Privacy Policy will also need to be updated.Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield Certified business then you should make sure that steps are being taken to make the relevant changes in time.

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to ask Teal.

It’s been six months since GDPR came into effect on 25th May. Despite the Y2K like panic in the run up to May, the world did not come crashing down and despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.

But what has happened in the last 6 months and what is still to come?

ICO updates

Over the last six months the ICO have made several updates to their online guidance, including –

A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide and also a separate detailed publication(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ )

Individual sections on each core principle including guidance and practical examples (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/ )

A significantly expanded section on international transfers (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/)

A significantly expanded section on the exemptions (including those in schedules 2-4 of the Data Protection Act 2018 (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions )

Updated security guidance (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/)

New guidance on encryption and passwords for online services (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ )

The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right is also applicable to data held in backups and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. For delayed erasure for backups they maintain the position that it is important to put the data ‘beyond use’. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure

The ICO have also finalised the detailed guidance on children and the GDPR https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more that for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to threaten an individual’s security. Organisations are encouraged to call the ICO helpline before making a report (and remember if you are in any doubt you can always ask Teal Compliance who are always on hand to help!).

Consultations/Feedback

On 12th November 2018, the ICO issued it’s consultation on the new proposed Direct Marketing Code https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-direct-marketing-code-of-practice/

The Data Protection Act 2018 required the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new E-Privacy Directive is finalised. The consultation is open until 24th December.

The ICO is also asking parents, carers, and those who work with children to give their views on the draft Age Appropriate Design Code which set the standards which must be followed by those who provide online services and apps for children https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-age-appropriate-design-code/ – this consultation is open until 5th December 2018.

Fines/court cases

Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.

WM Morrisons Supermarkets Plc v Various – the Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data beach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held viciously liable for data breaches caused by employees even if they have appropriate safeguards in place.

Lloyd v Google LLC – the High Court has refused to grant leave to serve a claim form on Google Inc outside the English Jurisdiction in relation to the ‘Safari workaround’ which involved Google allegedly using cookie technology on the iPhone safari browser to obtain browser-generated information about iPhone users between 2011-2012 without their knowledge.

ICO Prosecution under the Computer Misuse Act 1990 – a motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending.

Enforcement Decisions

Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix

Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law

Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data

Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017

Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place

In addition, there have been a number of fines relating to nuisance emails/calls –

Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)

ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)

Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)

Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls

All of these cases highlight that ICO will act where it becomes aware of a data breach or due to breaches of PECR so it’s more important than even to make sure that your processes are up to date being used by your employees AND just as importantly that you have all the documentation you need to demonstrate accountability just in case the ICO do get in touch with you.

E-Privacy update

The controversial update to PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.

Contact Teal Compliance at hello@tealcompliance.com if you have any data related questions. An initial call is always free.

[vc_row][vc_column][vc_single_image image=”384″ img_size=”full” alignment=”center”][vc_column_text]

With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018.  Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

• There is an ‘adequacy decision’ in place; or

• There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

• A legally binding and enforceable instrument between public authorities or bodies;

• Binding corporate rules (BCRs);

• Standard data protection clauses adopted by the Commission;

• Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

• An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

• Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

• Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.

You can find out more here –

https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/