Chicken and egg – processors and their sub-processors

You have to feel sorry for data processors. Having only had to worry about contractual liability which they have been able to negotiate, sometimes successfully, GDPR is changing things big time. It makes data processors directly liable for certain non-compliance and their contractual liabilities are significantly increased by virtue of the prescriptive Article 28. On top of that there is now a chain of compliance required. Processors will be contractually bound to ensure their sub-processors enter into substantially similar processing clauses as they have. Despite this, the data processor is still liable to the data controller.

How should processors go about managing this chain of compliance? Should they sort out their chain of sub-processing first so that they don’t overcommit themselves in their data controller processing agreements? Or should they sign up to processing clauses with their data controllers and work hard to flow these down? Either route will have timing implications at this stage and neither is a guarantee of success. Relying on third parties to simply sign up to more onerous processing agreements is also not guaranteed.

Most data practitioners advise adopting a risk-based approach to determine which of your sub-processors you should concentrate your efforts on. I agree that this is a good starting point, but if you have a standard processing agreement that you need all your sub-processors to sign up to, then send it out to all of them as soon as possible. The risk-based approach helps you decide who to chase the most and who you will possibly negotiate your standard processing agreement with.

I am about to call the ICO SME helpline to understand what it means if you can’t get everyone to sign up or even if you can, what it means if they have signed up but their processes and procedures don’t add up. Watch this space for an update.

GDPR – the beast

The serious countdown to 25th May will soon start and more and more organisations are realising that GDPR compliance is the tip of the iceberg.

What do I mean by that? Well, the Regulation itself is lengthy but fairly straightforward. Yes, it expands existing data protection responsibilities, including making data processors liable in their own right. Yes, it grants greater rights to data subjects to ensure that they know what their personal data is being used for, by whom and where. And yes, it has potentially significant fines, but the ICO has stated and continues to state that any penalties it imposes will be proportionate. All of these require changes to contracts, policies and procedures or, if these are not already in place, the creation of some.

What I really mean is that, in undertaking probably the biggest personal data due diligence exercise an organisation has ever undertaken, it has probably uncovered all sorts of other gaps and failings that have nothing to do with processing personal data but probably need fixing as part of achieving GDPR compliance.

I also mean that achieving GDPR compliance, whether this is at midnight on the 24th May this year or at some point later, is only the start of the journey. GDPR compliance is an ongoing requirement. DPIAs will need to become standard procedure and the process to undertake one embedded in standard operating practice. Breach notification using the ICO’s new telephone hotline will also become part of life for some organisations.

Here’s to data protection expertise becoming standard.

Roll on the next phase. E-privacy Regulation – where are you?

Privacy policies – does anyone ever read them?

Drafting GDPR compliant privacy policies is a real skill even with a complete data map in front of you.

Articles 12, 13 and 14 GDPR set out in detail the information that must be included in privacy notices. In 2016 the ICO consulted on revised guidance for privacy notices and has updated its issued guidance to cover GDPR. It is reviewing this guidance again and hopes to publish any further changes shortly. There is lots of talk of layered privacy notices and blended notices, but what does this mean in practice for organisations that publish their privacy notices on their websites? Only that organisations are dependent on the functionality of their websites. If hyperlinks can be used within the privacy notice to allow readers to read the detail behind the summary, then great. Otherwise, privacy notices will look and feel like online terms and conditions – lengthy, detailed, non-negotiable and very rarely read by those who use the product/website until something goes wrong.

How then can we make them interesting and readable? My view is to pretend you are a data subject reading the notice and think about what you are interested in when you are asked to provide your personal data. Here are my top 5 concerns without my data privacy hat on:

1. Is my data going to be safe?

With all the media headlines about data breaches, the genuine number one concern is whether the organisation has sufficient data security measures in place, and what those measures are.

2. Is my data going to be shared and, if so, with whom?

I am providing my personal data to organisation A for a reason. If there is a genuine need for it to be shared in order for that reason to be achieved/fulfilled then fine; otherwise I only want to give my personal data to those I choose to give it to. Please tell me who is going to have access to it and why.

3. How long is my data going to be kept for?

This really links into number 2. If I am buying something online and choose to check out as a guest, I only want my personal data to be kept for as long as necessary to complete my purchase and possibly deal with a return or complaint. If I am subscribing to a monthly newsletter then of course I expect my personal data to be kept for as long as my subscription is valid. The most important point here is the purpose for which you are providing your personal data.

4. Who do I contact, and how, if I have a concern?

Something has gone wrong – who do I contact and how? I want a name, an email address and a telephone number. I may not be confident emailing my concern, so I also want a postal address.

5. What are my rights when something has gone wrong or I have changed my mind?

Setting out clearly the data subjects’ rights listed in Chapter III GDPR is important, but make them user-friendly. What does the right to erasure mean in layman’s terms? What is data portability, and is it really relevant to the service/product you have provided your personal information to receive?

Everything else needs to be included too, but make sure you structure your privacy notice carefully to capture attention, make reading it straightforward and, last but no less important, ensure it is GDPR compliant.

GDPRing on a daily basis

I am now living, eating and breathing GDPR on assignment and with other individual clients.

For lots of organisations GDPR compliance is real and genuinely being worked on. This means a complete review of data assets to create data flow maps and to understand what personal data they collect and process and in what capacity: data controller and/or data processor. This foundation work is the key to achieving and maintaining compliance and the only way organisations can understand their responsibilities.

Joint and several liability for data processing breaches as set out in Article 82(4) is a potential risk if organisations don’t understand their data controller responsibilities with respect to their processors (Article 28) and data processors don’t manage their sub-processors properly (Article 28(4)). The neatest way to achieve this is to determine each party’s role and draft GDPR compliant processing agreements.

However, equally important, and something that needs to be worked on sooner rather than later, is processor due diligence. Amending processor agreements to enshrine Article 28 may feel like enough to achieve compliance, but without underlying due diligence being carried out well in advance of 25 May 2018, all that you may have created is a contract breach on 26 May 2018. Article 29(3)(h) requires processors to make available to the controller all information necessary to demonstrate compliance with the obligations set out in Article 28. This effectively gives controllers the right to audit their processors, so that they can satisfy themselves that processor compliance is genuine and matches the processor’s contractual obligations.

Privacy policy redrafts next month.

Quietly confident at the ICO

With all the attention on GDPR and the Article 29 Working Party guidance it would have been easy this month to overlook the Digital Economy Act 2017 and its impact on the funding of the ICO.

Whilst the ICO receives an annual grant-in-aid from the Department for Culture, Media and Sport, it also funds itself through the current legal notification obligation and fee payment by data controllers under the Data Protection Act 1998. GDPR removes the notification requirement as it increases responsibility for data processors and takes a wider view of the overall processing function, irrespective of which party is actually doing the processing. The Digital Economy Act 2017 includes a provision prospectively repealing the notification and fee obligation and states: “the Secretary of State may by regulations require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner.”

The ICO may now be confident of its future, but can data controllers also be confident that fining under GDPR will not be the sole source of funding for the UK regulator, and that a similar approach to fining by the ICO will continue in the new post-GDPR world? Only time will tell – watch this space for more.

New beginnings

With the GDPR countdown underway it is time to get organised and, having mapped your data usage, think about what you need to do to be GDPR compliant by 25 May 2018 (or as close as possible to that date). For those organisations in the UK, there is the added complication of Brexit less than a year later, with no certainty as to whether our national data protection legislation will be deemed adequate or what status the ICO will have on the European data protection stage. Exciting times ahead for all data protection lawyers, and with that in mind I am taking the plunge and launching myself into a solo career. It’s early days, but keep viewing to follow my progress.

Manchester – the data capital of the world for a day

Attending the ICO Data Protection Practitioner’s Conference in Manchester on Monday it felt good to be surrounded by other people who live, eat and breathe data protection. It also felt good to get close to those at the Information Commissioner’s Office and hear what they had to say about the changing world of data protection legislation in Europe – the General Data Protection Regulation (“GDPR”) will be published in July this year with a 2 year implementation period. The ICO has created a website dedicated to its publication, providing advice for organisations on how they should get ready for the GDPR – see Data Protection Reform in Europe. Case law in the meantime continues to develop data protection concepts and the theory is that the EU Data Protection Charter will be the basis for the judgements from the EU Court of Justice and the ECHR.

Cyber security and the increasing threat of breaches was also on the agenda. Breach management is an important responsibility for all organisations, but it will become even more so under the GDPR, with obligatory breach reporting for data controllers becoming part of the new regulatory framework.

I attended the digital platforms and privacy notices seminar, which only briefly touched on alternative privacy notice and consent methods using non-traditional means. Suggestions like the use of video (YouTube clip style) or icons which would provide high-level information but enable a click through to the detail sounded great. It would be even better if the ICO would take a lead on this and recommend icons which could be universally adopted, enabling individuals to start giving consent in an environment where they recognised what was being asked and what their rights were. Even better would be a national consent database which organisations could access to process an individual’s personal data.

Your personal information – will it always be yours? Part 1

The media is reporting this week a situation in the US where Apple Inc. is being asked to develop and provide a software tool that will prevent the telephone records and voicemail message history of an iPhone used by one of the San Bernardino gunmen from being deleted after 10 failed password attempts. The reasoning behind this? Not surprisingly, the iPhone records cannot be accessed without the password, which died with its owner. After 10 failed password attempts, factory settings are reinstated as standard and all personal settings and phone history are wiped.

All online accounts, whether they be bank accounts, store accounts or social media accounts, are personal, protected and secured by virtue of the password system. When the owner of the account dies without sharing their passwords, access to these accounts dies with them. Their digital legacy is frozen in time. Sharing passwords with loved ones may seem to solve this from a practical perspective, but legally, logging into a third party’s account using their login and password breaches most organisations’ terms and conditions of use and is likely to result in the organisation locking the account. Facebook and Google+ have created the concepts of a legacy contact and a digital heir respectively, thereby enabling the author’s materials to be inherited by a nominated third party after the author’s death.

The issue relating to the Apple Inc. request links more into the right to access personal information without the owner’s consent. Prior consent from the owner of the personal information is required for a third party to store, process, copy, alter, retain etc. that personal information. This is a right enshrined in most privacy laws around the world. Providing an individual’s personal information to a third party without their consent is not permitted unless such disclosure is exempt from consent. Assisting law enforcement bodies with their investigations and as part of formal legal proceedings are 2 common exemptions.

The issue here is that the request is not for personal information in the form of digital communications – a right that is possible for a state law enforcement agency in certain circumstances under the terms of the recently enacted Electronic Communications Privacy Act in California. It is a step back from this. It is a request for software tools to be invented to enable a request for access to digital communications to be made. Does this potentially mean that your personal information is accessible without your consent after your death, even if an exemption does not apply? Will your personal information still be yours? Yes it will, but can you control who you are sharing it with, and for what purpose, after you die? If Apple Inc. develops this tool then the answer is certainly no.

Big Bang Data, Somerset House, London

Wow! Mind-blowing and fascinating. That was my impression of the Big Bang Data exhibition currently on at Somerset House in London. The creativity of the exhibitors was inspiring. I loved the Dear Data concept: two friends, one each side of the Atlantic, agreed to record a different type of data each week for a year and then display it in a form of their choice. One week they recorded laughter, another bird song, another their partner, another complaints. With only 52 weeks in a year, how did they narrow down all the possibilities? They then chose to send their displayed data to each other using the post – I loved that! The impact of receiving something in the post was greater than receiving it by email. Fancy that?

Welcome

Welcome to My Data Fix, a chance to reflect on how data impacts on our life from a technical and social perspective.

As a lawyer and data protection expert, but also a Gen X parent, I am observing and participating in our digital obsession with enthusiasm, reluctance and trepidation all at the same time. Travelling recently on Qatar Airways I noticed that the overhead no-smoking symbols have been replaced by mobile phone symbols. Does that reflect the addictive nature of our digital world, or simply that we can’t switch off? Perhaps it is both? This blog is my space to explore these ideas, plus provide useful updates on data protection developments.