Data Protection

Computer coding on a screen

How to prepare for a cyber attack

Knowing how to prepare for a cyber attack is extremely important. This is especially so when you have a duty to protect your client’s data.

Most of us have faced that dreaded email which sends shivers down your spine. It starts with a simple greeting, but what follows can cause much panic and stress.

“Hi, I’ve received an email from one of your team, and we suspect it may be a scam, I thought you should know.”

The action you take within the first hour of a cyber attack may spare you from potential harm, and allow you to navigate through the intricate web of digital deception unscathed. That’s why knowing how to prepare for a cyber attack is essential.

 

The reality of cyber attacks

We often find ourselves falling into the trap of thinking a cyber attack will never happen to us. However, the truth is that the landscape has evolved significantly. With the rise of hybrid working and increasingly sophisticated hackers, the potential risks have intensified. It takes just one unsuspecting click on a seemingly harmless link for everything to unravel.

The Cyber Security Breaches Survey 2022, sheds light on the harsh reality of cyber attacks. The findings provide valuable insights into the prevalence, impact, and consequences of these incidents. Key findings from the survey paint a compelling picture of the evolving landscape of threats that businesses and individuals face in the digital age.

1. Prevalence of cyber attacks

The survey reveals that cyber attacks continue to be a significant concern, with a staggering 46% of businesses reporting that they’ve experienced cybersecurity breaches or attacks in the past year. This highlights the pervasive nature of the threat, and the need for heightened vigilance across industries.

2. Financial impact

The financial implications of cyber attacks are substantial, with businesses estimating an average cost of £8,460 for identified breaches. The survey reveals that larger organisations tend to face higher costs, with the average cost reaching £15,000. These financial consequences emphasise the importance of robust cybersecurity measures as a critical investment.

3. Human factors

Human error is still a leading cause of cybersecurity incidents, with phishing attacks being the most prevalent method of compromise. The survey highlights the need for comprehensive training and awareness programmes to empower individuals to recognise and mitigate potential threats effectively.

4. Consequences of cyber attacks

The impact of cyber attacks extends beyond immediate financial losses. Breaches can lead to reputational damage, loss of customer trust, and legal ramifications. The survey underscores the importance of incident response and recovery plans to minimise the long-term consequences of cyber incidents.

5. Proactive measures

The survey highlights the increasing adoption of proactive cybersecurity measures among businesses. This includes implementing cybersecurity policies, conducting regular risk assessments, and investing in security software and hardware. These measures show the growing recognition of the need to prioritise cybersecurity to safeguard sensitive data.

Now more than ever, it’s crucial for organisations to acknowledge the real and imminent dangers posed by cybercriminals. The evolving tactics and techniques employed by these individuals demand heightened awareness, proactive measures, and a collective commitment to cybersecurity.

What to do during a cyber attack

When faced with a cyber attack, you need to understand the urgency of the situation and move swiftly. Within the first hour, you should implement your response plan to contain the issue. We recommend the following proactive steps should be taken within the first hour.

1. Thorough system analysis

Engage an IT expert who specialises in cyber attacks. They’ll meticulously examine your systems to assess the extent of the breach. This comprehensive analysis provides crucial insights into the nature and impact of the attack.

2. Reinforcing security measures

Securing your digital assets is important. So, swiftly take actions such as changing email logins and passwords. Additionally, isolate the data breach to prevent further contamination of your systems, safeguarding the unaffected areas.

3. Strengthening authentication

To fortify your defences, promptly implement 2-factor authentication if you’ve not done so already. This adds an extra layer of security to protect sensitive information and ensure authorised access only.

4. Dedicated support team

To address the concerns and enquiries of your stakeholders, assign a dedicated member of your team to respond promptly and provide accurate information. Their role is crucial in keeping open lines of communication and offering reassurance during the incident.

5. Communication

There’s a need for seamless communication so make sure you brief your call team. This will ensure there’s an uninterrupted service and streamlined communication channel for your clients and stakeholders.

6. Transparent communication

Openness and transparency are paramount. We would suggest posting a detailed explanation of the incident on your website, ensuring your clients are informed about the situation.

Simultaneously, send an update to your mailing list. Recommend that if they’ve received the scam email that they contact their IT department immediately.

Incidents like these often serve as a stark reminder of the cunning and sophistication of cybercriminals. Despite regular screening of your systems, you can still experience an attack due to the ever-evolving threats we face from the baddies!

How to prepare for a cyber attack

Here are our top three tips on how to prepare for a cyber attack, which will enable you to respond  swiftly to a cyber attack situation and ensure effective damage control.

1. Have a comprehensive plan in place

One of the key factors that will enable you to respond quickly is ensuring you have a well-defined disaster recovery plan ready to be implemented as soon as an issue arises.

It’s crucial for every organisation to proactively establish a plan before any potential exploitation occurs. This plan can be as simple as naming a point of contact who’s familiar with disaster recovery protocols and can immediately initiate necessary actions to mitigate further damage.

While the aftermath can be addressed over time, having someone who knows how to promptly secure the systems is essential.

2. Build relationships with cybersecurity experts

In the face of an attack, wasting valuable time searching for reliable cybersecurity professionals is an unfortunate setback. We highly advise establishing connections with competent cyber experts in advance, and have their contact details readily accessible.

By having trusted experts on hand, you can swiftly engage their services during emergencies, minimising response time. This will optimise the chance of a successful resolution. If needed, we’re happy to share the details of our own cybersecurity specialist, whose expertise has been invaluable to us. Get in touch.

3. Prepare clear and transparent communications

When faced with a crisis, it may be tempting to keep the situation under wraps and avoid acknowledging any issues. However, we firmly believe that adopting an open and honest approach is the most effective way to handle such situations.

By being transparent with stakeholders and those who may be affected, firms can prove their commitment to protecting individuals and keeping trust. It’s crucial to have a well-thought-out communication strategy in place, ensuring that key messages are prepared in advance to promptly inform and address concerns.

It’s important to recognise that even major institutions with substantial worth have vulnerabilities and have experienced exploitations, such as ransomware attacks. While it’s impossible to completely avoid all risks, being prepared to handle problems swiftly when they arise is an invaluable skill.

Gaining valuable insights from a cyber attack

One fundamental truth holds: you can’t glean valuable insights from a situation that’s swept under the carpet and hidden from view. By embracing this principle, you can swiftly recognise the approach you should choose, enabling you to draft the necessary wording promptly and issue your message effectively.

When this happened to us, we were able to effectively reflect on the experience. We realised the potential benefits of preparing such communications in advance, as a proactive measure. With this realisation, we’ve now taken proactive steps to create a repository of pre-drafted messages, ensuring we’re better equipped for any future challenges that may arise.

We were also reminded of the strength and resilience that lies within our network. It was the collective watchfulness and genuine care of individuals in our community that helped to fortify our defences against cyber threats.

While we sincerely hope that you never encounter a day like the one, we experienced, we believe that preparation is key. Having a well-defined plan in place in advance will undoubtedly enhance your readiness and ability to navigate unforeseen circumstances.

Get in touch

As data protection experts, we work with firms to ensure that procedures and controls are in place to protect the data they process. We offer training courses for staff on protecting clients and themselves from cybercrime and data loss. If you’d like to speak to one of Teal’s experts about how we can help, simply get in touch.

Do you have to collect CDD on employees of (non-natural person) clients?

This is a question I get asked loads of times!

In fact, last week I had a client who has a policy of asking for ID for employees, and their client refused citing Data Protection concerns. I’m not planning to go into the data protection issues here, but instead whether you have to ask for it.

To get to the answer here, we need to start with the law.

The law requires, in connection with a client who is not a natural person (I prefer using the word human here!) that you need to obtain and verify certain information about entity. For a company that is

  • name,
  • company number,
  • registered office,
  • the law to which it is subject,
  • its constitution,
  • the full names of the board and senior persons responsible for it.

In addition, you need to identify and verify the ultimate beneficial owners.

So, do we need ID from directors, or people who instruct us on behalf of a company?

In the original 2003 Money Laundering Regulation it was a requirement to identify and verify at least 2 directors, but this was removed by the 2007 regulations. I’ve found despite this change many firms still have that process, whether as a legacy from the original regulations or as a risk management measure – so that they have proof a real person is connected with the company. After all, the whole point of passports and utility bills is so you can tell the police which door to knock on, to talk to about the entity.

I think many of the more recent queries I have had come from confusion arising from Money Laundering and Terrorist Financing Regulations, which introduced in 2017 Regulation 28(10).

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a) verify that A is authorised to act on the customer’s behalf;

(b) identify A; and

(c) verify A’s identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

There was concern when this first came in that an employee or director might be thought to be purporting to act on behalf of the client. Fortunately, the Legal Sector Affinity Group Guidance helps here:

Section 6.6

Examples of someone purporting to represent might include:

  • a parent on behalf of an adult child.
  • an individual not employed by your client; or
  • a situation where the instructing persons authority to instruct is not clear or does not make sense.

Section 6.14.9

Someone employed by your client (depending on their position or seniority) or a director of your client may be considered as having apparent or ostensible authority to provide instructions on behalf of the client, though you may seek comfort of this on a risk sensitive basis. They should not be considered to be intermediaries, agents, or representatives. Where it is not clear or apparent what their authority to instruct on behalf of the client is, CDD should not be considered to be complete.

Accordingly, it is now much clearer in that “purports to act” is not intended to mean officers or employees of a company. That said, many firms still do carry out individual CDD on Directors and sometimes on employees instructing who are not directors, and whilst that is not required by the Regulations, it can be useful to provide an audit trail for the client in case you are challenged later on as to why you acted on instructions provided on behalf of the non-human client.

Don’t forget to pay your ICO fee!

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project by the ICO to ensure that the fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintain a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on the fee. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – and is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover and public authorities only need to go by staff numbers. There are a number of exemptions; you don’t need to pay a fee if you are processing personal data only for one or more of the following purposes: staff administration; judicial functions; maintaining a public register; accounts and records; not-for-profit purposes; advertising, marketing and PR; personal, family or household affairs and processing personal information without an automated system such as a computer.

Since introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations who haven’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data, for any of the non-exempt purposes and you have either not paid a fee or not paid

the correct fee. In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’S last resort, the data protection fee is going to be vital to the ICO if it’s to function properly as whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this and ensure you diarise the payment date as a key date, so you don’t end up with fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.

What happens to GDPR on exit day?

GDPR during the transition period

As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.

The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.

During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.

What happens at the end of the transition period?

Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.

The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.

Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.

Adequacy Decisions

What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.

It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.

However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).

If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.

Summing Up

At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.

The ICO has teeth, and is not afraid to use them!

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximam possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine fines accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their world-wide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover this is a highly significant sum to bear for any size of firm. Would your firm be able comfortably to digest it?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?

So, in analysing the events of the past few days: –

Don’t…

Think that the GDPR and DPA don’t apply to you; they do.Think that the ICO won’t act if you have a breach; they clearly will.Relax in the mistaken belief that to have a set of paper policies alone is sufficient to demonstrate compliance; it’s not.Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated; the Regulation requires it.Ignore the importance of regular awareness training for all staff at all levels and for new staff inductions to place an appropriate level of emphasis on the firm’s data protection culture; it’s a vital contributor to effective breach recognition and managementBe afraid to enlist outside help – a third pair of eyes can assist objectively and save huge amounts of valuable internal time.

Do Ensure…

That DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.That your Privacy Statement is up to date and the internal contact details are accurate.That your DP policies are up to date and regularly reviewed, and the reviews documented.That your IT systems are up to the task and, if appropriate regularly “pen” tested and the findings acted upon.That your DP team is meeting regularly, and their meetings and action plans documented.That a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.That your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.That there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

The ICOs actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

Time to audit data compliance?

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit?

Why do I need to complete an audit?

An audit allows an Organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that “The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”. This is often referred to as the ‘accountability’ principle – completing and audit will allow an organisation to demonstrate accountability with the principles.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, its a good idea to start with a full audit/GAP Analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

Do you have the relevant policies and procedures?Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it? Do you have up to date data flow maps showing how data moves through your organisation?Do you have a process for dealing with data subject requests within one month?Do you have a process for dealing with data breaches and incidents?Have you updated your contracts of employments and issued a privacy notice to all employees detailing how their data will be processed?Do you have contracts in place with anyone who processes data on your behalf?Do you have training scheduled or already completed?Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your process and controls to provide assurance that your organisations policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

Are your policies and procedures up to date? Do they reflect any process changes which have taken place?Refresh your data audit – are your data flow maps up to date?Is your Data Retention Policy being followed – ask IT to check whether you are holding data that should have been deleted?Are data subject requests being responded to within one month?Are data subject complaints being responded to promptly?Is training up to date?Is there a good level of employee awareness?Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creation of policies/procedures to carrying out an independent annual audit. This can be done as a stand alone piece of work or as part of our DPO support service. Contact us at hello@tealcompliance.com

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Draft Regulations to create a ‘UK GDPR’ were published by the Government this week to ensure that the UK is ready for Brexit.

The Regulations introduce a large number of technical amendments to the GDPR, Data Protection Act 2018 (DPA18) and the Privacy Electronic Communications Regulations 2003 (PECR). The Withdrawal Act makes provision for the GDPR to form part of UK domestic law from 30th March 2019 as a ‘UK GDPR’.

But what does this mean in practice?

The text of UK GDPR is fundamentally the same as the GDPR which came into force on 25th May 2018, but it will correct language deficiencies from the European text;Extra-territorial application is retained – non-UK controllers and processors that sell into the UK or monitor UK residents online will have to comply with the UK GDPR;In some circumstances, non-UK controllers will need to appoint a representative within the UK;Previous EU adequacy decisions are revoked BUT the UK will deem EEA countries, EU and EEA Institutions and Gibraltar as having adequacy decisions;The ICO will be responsible for standard contractual clauses to facilitate the export of personal data from the UK and will not need EU Commission approval;The ICO will continue to be able to authorise new binding corporate rules;The ICO will be responsible for any tasks previously undertaken by other EEA Supervisory Authorities for processing of personal data or UK residents;PECR will be amended to align the definition of consent with the UK GDPR.

UK based businesses that deal solely with UK based personal data will largely remain unaffected. But, if your business deal with non UK business partners and there is a transfer of UK personal data then you will need to review carefully whether any of the changes will affect you (don’t worry Team Teal can help!).

The Regulations still need to be approved by Parliament so watch this space.

EU-US Privacy Shield and Brexit – What do you need to know?

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year and with Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18 month transitional period so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved then Privacy Shield commitments will need to be updated by 30th March 2019 so it is advisable to start to look at this now.

So what do you need to do?

Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.If transferring HR data then the HR Privacy Policy will also need to be updated.Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield Certified business then you should make sure that steps are being taken to make the relevant changes in time.

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to ask Teal.

GDPR six months on……

It’s been six months since GDPR came into effect on 25th May. Despite the Y2K like panic in the run up to May, the world did not come crashing down and despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.

But what has happened in the last 6 months and what is still to come?

ICO updates

Over the last six months the ICO have made several updates to their online guidance, including –

A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide and also a separate detailed publication(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/ )

Individual sections on each core principle including guidance and practical examples (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/ )

A significantly expanded section on international transfers (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/)

A significantly expanded section on the exemptions (including those in schedules 2-4 of the Data Protection Act 2018 (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions )

Updated security guidance (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/)

New guidance on encryption and passwords for online services (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ )

The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right is also applicable to data held in backups and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. For delayed erasure for backups they maintain the position that it is important to put the data ‘beyond use’. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure

The ICO have also finalised the detailed guidance on children and the GDPR https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more that for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to threaten an individual’s security. Organisations are encouraged to call the ICO helpline before making a report (and remember if you are in any doubt you can always ask Teal Compliance who are always on hand to help!).

Consultations/Feedback

On 12th November 2018, the ICO issued it’s consultation on the new proposed Direct Marketing Code https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-direct-marketing-code-of-practice/

The Data Protection Act 2018 required the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new E-Privacy Directive is finalised. The consultation is open until 24th December.

The ICO is also asking parents, carers, and those who work with children to give their views on the draft Age Appropriate Design Code which set the standards which must be followed by those who provide online services and apps for children https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-age-appropriate-design-code/ – this consultation is open until 5th December 2018.

Fines/court cases

Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.

WM Morrisons Supermarkets Plc v Various – the Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data beach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held viciously liable for data breaches caused by employees even if they have appropriate safeguards in place.

Lloyd v Google LLC – the High Court has refused to grant leave to serve a claim form on Google Inc outside the English Jurisdiction in relation to the ‘Safari workaround’ which involved Google allegedly using cookie technology on the iPhone safari browser to obtain browser-generated information about iPhone users between 2011-2012 without their knowledge.

ICO Prosecution under the Computer Misuse Act 1990 – a motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending.

Enforcement Decisions

Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix

Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law

Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data

Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017

Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place

In addition, there have been a number of fines relating to nuisance emails/calls –

Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)

ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)

Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)

Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls

All of these cases highlight that ICO will act where it becomes aware of a data breach or due to breaches of PECR so it’s more important than even to make sure that your processes are up to date being used by your employees AND just as importantly that you have all the documentation you need to demonstrate accountability just in case the ICO do get in touch with you.

E-Privacy update

The controversial update to PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.

Contact Teal Compliance at hello@tealcompliance.com if you have any data related questions. An initial call is always free.

The impact of ‘Brexit’ on Data Transfers

[vc_row][vc_column][vc_single_image image=”384″ img_size=”full” alignment=”center”][vc_column_text]

With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018.  Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

  • There is an ‘adequacy decision’ in place; or

  • There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

  • A legally binding and enforceable instrument between public authorities or bodies;

  • Binding corporate rules (BCRs);

  • Standard data protection clauses adopted by the Commission;

  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

  • Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.

You can find out more here –

https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/