Newcastle | Leeds | Manchester
GDPR: One year on
19 June 2019
Gareth Yates & Nathan Bilton
Housekeeping
- Guest WiFi email: guest@wardhadaway.com | Guest WiFi password: F1rew0rk$
Introduction
- ICO Decisions
- Accountability
- Data Breaches and Reporting Obligations
- Subject Access Requests
ICO Decisions
- The majority of enforcement actions have concerned the Data Protection Act 1998
- The ICO received 14,072 breach notifications between May 2018 and May 2019, 4 times more than it received the previous year
- Between 25 May 2018 and 24 May 2019:
  - The ICO issued 34 monetary penalties
  - The ICO issued 15 enforcement notices
  - The ICO made 9 prosecutions
HMRC
- HMRC launched a voice recognition system which requested callers to use their voice to confirm their identity; approximately 7 million callers were enrolled on this service
- Callers were not given the choice to opt out of the service
- The ICO investigation found that HMRC had failed to give callers sufficient information about the processing of their biometric data and had not given them the opportunity to give or withhold consent
- The ICO held that the system represented a significant breach of the GDPR due to:
  - the large number of individuals affected; and
  - the significant power imbalance between HMRC and its customers
- HMRC was issued with an enforcement notice and was required to delete all biometric data it held under the voice recognition system for which it did not have explicit consent
London Borough of Newham
- Newham Council was fined £145,000 after a Council employee sent a police intelligence database to 44 recipients
- The database recorded information relating to more than 200 gang members, including their home address and associated gang
- Rival gang members obtained photographs of the database
- When issuing the fine, the ICO placed emphasis on the fact that:
  - there was a real risk that the loss of control over the database would result in physical harm;
  - the Council failed to notify the ICO;
  - the investigation carried out by the Council was limited; and
  - the Council provided inaccurate and misleading responses to the ICO
True Visions Productions
- The ICO fined TVP £120,000 for unlawfully filming at a maternity clinic
- TVP placed CCTV-style cameras and microphones in examination rooms, for use in a Channel 4 documentary
- TVP posted notices near to the cameras and left letters on waiting room tables
- The ICO investigation found that, despite having permission to be on site, TVP did not adequately inform patients that they would be filmed, nor did TVP get prior explicit consent from the patients affected by the filming
Uber
- The ICO fined Uber £385,000 for failing to protect its customers’ personal data during a cyber attack
- Due to a series of avoidable security flaws, cyber attackers were able to access and download the names, email addresses and phone numbers of approximately 2.7 million UK customers and the records of around 82,000 UK drivers
- The ICO found that the security arrangements adopted by Uber US (which acted as a processor on behalf of Uber) were inadequate
- Uber did not notify the ICO or the affected individuals either at the time of the attack or when it first became aware of the attack
- Uber also failed to take mitigating measures, such as monitoring accounts or offering fraud protection, until 12 months later
Facebook Ireland Ltd and Facebook Inc
- The ICO fined Facebook £500,000 for failing to protect its users’ personal data
- Between 2007 and 2014, Facebook allowed third parties to operate apps on its platform and to obtain Facebook users' personal data without their consent
- The third parties had access to the personal data of:
  - Facebook users who installed the app;
  - their Facebook friends who had not installed the app; and
  - those who exchanged Facebook messages with app users
- One app, which was used by 300,000 Facebook users worldwide, harvested approximately 87 million user profiles. The data was shared with various organisations, including SCL Elections Ltd, which controls Cambridge Analytica, and was used to target voters in political campaigns
Heathrow Airport Limited
- The ICO fined Heathrow Airport £120,000 for failing to ensure that the personal data held on its network was properly secured
- A member of the public found a USB stick belonging to a Heathrow Airport employee which contained over 1,000 files
- The USB stick was not password protected or encrypted and contained sensitive personal data, including the name, nationality, date of birth, passport details and phone numbers of various individuals
- The USB stick was handed to a national newspaper, which made copies of the files
- The ICO investigation found a "catalogue of shortcomings in corporate standards" and that only 2% of the workforce had been trained in data protection
Equifax Ltd
- The ICO fined Equifax Ltd £500,000 for failing to ensure that its US parent and processor protected UK customers' personal data
- Equifax suffered a data breach which affected 146 million individuals, including 15 million UK citizens
- The affected personal data included names, dates of birth, addresses, passwords, and financial details
- The ICO's investigation revealed serious inadequacies which resulted in data being retained for longer than necessary and vulnerable to unauthorised access
- When issuing the fine, the ICO placed emphasis on the fact that:
  - the loss of personal data by a credit rating agency is likely to cause individuals particular stress;
  - some of the personal data had the potential to be misused in the furtherance of fraud; and
  - the significant scale of the data breach is likely to undermine trust in the wider financial system
Bounty
- Bounty (UK) Limited was fined £400,000 for illegally sharing personal information belonging to more than 14 million people.
- Bounty’s “pregnancy and parenting club” collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.
- Bounty also operated as a data broking service until 30 April 2018, supplying data to third parties for the purpose of electronic direct marketing.
- Bounty breached the Data Protection Act 1998 by sharing personal information with a number of organisations without being fully clear with people that it might do so.
- The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.
- The personal information shared was not only that of potentially vulnerable new mothers or mothers-to-be but also that of very young children, including the birth date and sex of a child.
Jayana Morgan-Davis
- Former administration assistant at a used car dealership
- Prosecuted for unlawfully obtaining the personal data of customers and other employees
- Ms Morgan-Davis forwarded several work emails, which contained personal data of customers and employees, to her personal email account
- Admitted 3 offences of unlawfully obtaining personal data in breach of s.55 DPA 1998
- Penalties:
  - £200 fine
  - £590 costs
  - £30 victim surcharge
Kevin Bunsell
- Former senior local government officer
- Prosecuted for sharing the personal information of rival job applicants with his partner, who had applied for a job at the Council
- Mr Bunsell accessed the recruitment system and emailed the personal information of 9 shortlisted candidates to his partner’s email account
- Penalties:
  - £660 fine
  - £713.75 costs
  - £66 victim surcharge
Hannah Pepper
- Former doctor’s surgery employee
- Prosecuted for inappropriately accessing records of patients and staff members
- Ms Pepper accessed the records of 228 patients and 3 staff members outside of her role
- Penalties:
  - £350 fine
  - £643.75 costs
  - £35 victim surcharge
Wendy Masterson
- A former customer service advisor at Stockport Homes, prosecuted for accessing records relating to anti-social behaviour without authorisation.
- An internal investigation found that she had inappropriately accessed cases without any business reason to do so; the records related to victims, witnesses and perpetrators of anti-social behaviour.
- Penalties:
  - £300 fine
  - £364.08 costs
  - £30 victim surcharge
What can be learnt from these cases?
- Make sure you understand all the types of data you are processing
- Have you identified the correct lawful basis for processing?
- Are you only processing data you actually need?
- Can you justify why you are processing the data?
- Have you clearly notified individuals what you are doing with their data?
- Has appropriate training been given?
- Do you share data? Have you carried out a data protection assessment? Have you reviewed the Data Sharing Code?
What can be learnt from these cases?
- Do you have an Information Security Policy?
- Are your security measures being regularly tested?
- Do you have a breach notification and response plan?
- Do you have effective monitoring systems in place?
- Do you have appropriate access controls in place?
Accountability – The Principles
Article 5 Principles relating to processing of personal data
- 1. Personal data shall be:
  - (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  - (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  - (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  - (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  - (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  - (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Accountability
- The GDPR introduced the concept of accountability
- Establishing data protection policies and procedures is insufficient on its own
- Controllers are responsible for, and must be able to demonstrate, compliance with the GDPR, by providing evidence of:
  - internal policies and procedures that comply with the GDPR’s requirements
  - the implementation of policies and procedures into the organisation’s activities
  - effective internal compliance measures
- Failure to comply with the accountability principle may result in reputational damage and fines of up to €20 million or 4% of total worldwide revenue
ICO’s Comment
- UK Information Commissioner, Elizabeth Denham, stated in her blog:
  - "The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability."
Demonstrating Accountability
- Establishing a Privacy Governance Structure
- Internal Policies and Procedures
- Privacy Notices
- Employee Training
- Testing and Auditing
Privacy Governance Structure
- Establishing and maintaining a comprehensive privacy governance structure will help demonstrate compliance with the GDPR
- This may include:
  - establishing a privacy office and delegating responsibility for implementing the privacy compliance program to a privacy officer;
  - educating management about the requirements of the GDPR and the impact of non-compliance;
  - developing a privacy framework; and
  - designating roles with specific tasks and responsibilities
Internal Policies and Procedures
- The data controller must integrate data protection measures into corporate policies throughout the organisation
- The following internal policies and procedures should be implemented and maintained:
  - personal data retention and secure destruction;
  - security breach management;
  - obtaining valid consent;
  - maintaining data quality;
  - secondary uses of personal data; and
  - using personal data for direct marketing
Privacy Notices
- Data controllers are required to provide information to data subjects about the processing of their personal data; the GDPR is more prescriptive as to what information privacy notices must contain
- A common complaint is that privacy notices are often overly complex
- Privacy notices should be:
  - concise;
  - transparent;
  - intelligible;
  - easily accessible; and
  - in clear and plain language
Employee Training
- It is vital that all employees understand their obligations and responsibilities under the GDPR
- Organisations should:
  - implement a training program which includes specialised training based on the employee’s job role;
  - provide employees with regular training sessions;
  - implement a process to record which employees have completed the required training;
  - enforce the requirement to complete data protection training; and
  - issue regular bulletins to deliver updates and reminders regarding data protection matters
Using Testing and Auditing to Demonstrate Compliance
- To demonstrate compliance with the GDPR, organisations must do more than implement internal policies
- Organisations must also:
  - regularly review processes and policies and update them where necessary;
  - carry out regular tests and audits to measure the effectiveness of the privacy measures;
  - keep a record of all tests and audits carried out; and
  - use the results of the tests and audits to evaluate and improve existing privacy measures
Data Breaches and Reporting Obligations
- 32% of UK businesses have experienced a cyber security breach in the past 12 months
- The GDPR introduced new data breach notification requirements
- In the event of a personal data breach, organisations are required to:
  - notify the relevant supervisory authority without undue delay, and not later than 72 hours after becoming aware of the breach, if the breach poses a risk to people’s rights and freedoms; and
  - notify the data subject without undue delay, if the breach is likely to result in a high risk to people’s rights and freedoms
- Organisations are required to keep a record of all personal data breaches regardless of whether they have notified the relevant supervisory authority
Breach Notifications
- Recent statistics revealed that 91% of reports made to the ICO failed to include all of the necessary information
- In order to comply with the GDPR, a breach notification should:
  - describe the nature of the breach;
  - detail the categories and approximate number of data subjects concerned;
  - include details of the data protection officer;
  - describe the likely consequences of the breach; and
  - describe the mitigation and remediation steps taken or proposed
Reporting Trends
- The evidence suggests that since the GDPR came into force, organisations have adopted a cautious approach which has resulted in over-reporting
- Of the 14,072 reports received by the ICO between May 2018 and May 2019:
  - 0.5% resulted in either an improvement plan or a civil monetary penalty;
  - 17.5% required action from the organisation; and
  - 82% required no action
- There is a fine line between disclosing information that is required by the GDPR and disclosing information voluntarily
Documentation Demonstrating Compliance
- The following documentation will help demonstrate compliance with the GDPR’s data breach notification requirements:
  - a security breach response plan;
  - template breach notification letters;
  - a log for recording security breaches; and
  - details of the analysis used to determine whether a security breach or incident poses a high enough risk to trigger the data breach notification requirements
- Q: Who decides how to record and respond to a data incident in your organisation?
Storage Limitation
- GDPR – Article 5, para 1(e):
  - You must not keep personal data for longer than you need it.
  - You need to think about and be able to justify how long you keep personal data. This will depend on your purposes for holding the data.
  - You need a policy setting standard retention periods wherever possible to comply with documentation requirements.
  - You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  - You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  - You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
How should we set retention periods?
- The GDPR does not dictate how long you should keep personal data.
- It is up to you to justify your decision based on your purposes for processing; you are in the best position to judge how long you need it.
- You must also be able to justify why you need to keep personal data in a form that permits identification of individuals. If you do not need to identify individuals, you should anonymise the data so that identification is no longer possible.
- You can keep data so long as one of your purposes for processing still applies, but you should not keep data indefinitely “just in case” or if there is only a small possibility that you will use it.
Example #1
- A bank holds personal data about its customers.
- This includes details of each customer’s address, date of birth and mother’s maiden name.
- The bank uses this information as part of its security procedures.
- It is appropriate for the bank to retain this data for as long as the customer has an account with the bank.
- Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons for a further set time.
Example #2
- A bank may need to retain images from a CCTV system installed to prevent fraud at an ATM for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement.
- In contrast, a pub may only need to retain images from its CCTV system for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the pub will need to retain images until the police have time to collect them.
Example #3
- A tracing agency holds personal data about a debtor so that it can find that individual on behalf of a creditor.
- Once it has found the individual and reported to the creditor, there may be no need to retain the information about the debtor.
- Therefore the agency should remove it from its systems unless there are good reasons for keeping it.
- Such reasons could include that the agency has also been asked to collect the debt, or that the agency is authorised to use the information to trace debtors on behalf of other creditors.
Example #4
- A business may need to keep some personal data about a previous customer so that it can deal with any complaints the customer might make about the services it provided.
- A business receives a notice from a former customer requiring it to stop processing the customer’s personal data for direct marketing.
- It is appropriate for the business to retain enough information about the former customer for it to stop including that person in future direct marketing activities.
Example #5
- An employer should review the personal data it holds about an employee when they leave the organisation’s employment.
- It will need to retain enough data to enable the organisation to deal with, for example, providing references or pension arrangements.
- However, it should delete personal data that it is unlikely to need again from its records – such as the employee’s emergency contact details, previous addresses or death-in-service beneficiary details.
- An employer receives several applications for a job vacancy. Unless there is a clear business reason for doing so, the employer should not keep recruitment records for unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment process may be brought.
When should you review?
- You should review whether you still need personal data at the end of any standard retention period and erase or anonymise it unless there is a clear justification for keeping it for longer.
- Automated systems can flag records for review, or delete information after a pre-determined period. This is particularly useful if you hold many records of the same type.
- It is good practice to review your retention of personal data at regular intervals before this, especially if the standard retention period is lengthy or there is potential for a significant impact on individuals.
- If you don’t have a set retention period for the personal data, you must regularly review whether you still need it.
- However, there is no firm rule about how regular these reviews must be. Your resources may be a relevant factor here, along with the privacy risk to individuals. The important thing to remember is that you must be able to justify your retention and how often you review it.
- You must also review whether you still need personal data if the individual asks you to. Individuals have the absolute right to erasure of personal data that you no longer need for your specified purposes.
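As an added example (not part of the slides), the review logic above expressed as an automated retention sweep: each record is kept, flagged for review, anonymised or erased, and every decision carries the written justification that the accountability principle asks for. The purposes, retention periods and sample records are constructed placeholders, not legal retention periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: standard retention period per purpose, in days. None (or an
# unlisted purpose) means "no set period", so the record must be reviewed regularly.
RETENTION_POLICY = {
    "post-closure-legal": 6 * 365,  # constructed figure, not a legal period
    "direct-marketing": 2 * 365,
    "recruitment": 90,              # constructed stand-in for the claim window
    "complaints-handling": None,
}
REVIEW_INTERVAL = timedelta(days=365)  # constructed: review at least yearly

@dataclass
class Record:
    record_id: str
    purpose: str
    period_start: date                 # when the retention clock started
    purpose_active: bool               # does the processing purpose still apply?
    last_reviewed: Optional[date] = None
    erasure_requested: bool = False    # the individual has asked for erasure
    needs_identification: bool = True  # False: anonymised data would suffice
    keep_justification: Optional[str] = None  # documented reason to keep longer

@dataclass
class Decision:
    record_id: str
    action: str         # KEEP | REVIEW | ANONYMISE | ERASE
    justification: str  # the evidence the accountability principle asks for

def decide(rec: Record, today: date) -> Decision:
    """Apply the storage-limitation checks to one record and record why."""
    # An erasure request must be considered now, whatever the standard period.
    if rec.erasure_requested:
        if rec.purpose_active:
            return Decision(rec.record_id, "REVIEW", "erasure requested; purpose still claimed")
        return Decision(rec.record_id, "ERASE", "erasure requested; no purpose still applies")
    if rec.purpose_active:
        return Decision(rec.record_id, "KEEP", f"purpose '{rec.purpose}' still applies")
    period = RETENTION_POLICY.get(rec.purpose)
    if period is None:
        # No standard period: regular, recorded review is the only defensible approach.
        due = rec.last_reviewed is None or today - rec.last_reviewed >= REVIEW_INTERVAL
        return Decision(rec.record_id, "REVIEW" if due else "KEEP",
                        "no set retention period; " + ("review due" if due else "reviewed recently"))
    if today - rec.period_start < timedelta(days=period):
        return Decision(rec.record_id, "KEEP", f"within {period}-day standard period")
    # Period has ended: keep only with a documented justification, otherwise
    # anonymise where identification is no longer needed, else erase.
    if rec.keep_justification:
        return Decision(rec.record_id, "KEEP", f"period ended; justified: {rec.keep_justification}")
    if not rec.needs_identification:
        return Decision(rec.record_id, "ANONYMISE", "period ended; identification not needed")
    return Decision(rec.record_id, "ERASE", "period ended; no justification to keep")

# Constructed sample records for a sweep run on a fixed date.
SAMPLE_TODAY = date(2019, 6, 19)
SAMPLE_RECORDS = [
    Record("acc-1", "post-closure-legal", date(2018, 1, 1), purpose_active=True),
    Record("mkt-1", "direct-marketing", date(2016, 1, 1), purpose_active=False),
    Record("rec-1", "recruitment", date(2019, 5, 1), purpose_active=False),
    Record("rec-2", "recruitment", date(2018, 1, 1), purpose_active=False,
           keep_justification="claim lodged; tribunal reference on file"),
    Record("stat-1", "direct-marketing", date(2016, 1, 1), purpose_active=False,
           needs_identification=False),
    Record("cmp-1", "complaints-handling", date(2017, 1, 1), purpose_active=False,
           last_reviewed=date(2017, 6, 1)),
    Record("cmp-2", "complaints-handling", date(2018, 1, 1), purpose_active=False,
           erasure_requested=True),
]

def sweep(records, today):
    """Review every record; the returned decisions double as the audit log."""
    return [decide(r, today) for r in records]
```

Running `sweep(SAMPLE_RECORDS, SAMPLE_TODAY)` keeps the active account and the in-period recruitment record, erases the expired marketing record, anonymises the one that no longer needs identification, and flags the unreviewed complaints record for review.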
When should you review?
- However, there is no firm rule about how regular these reviews must be.
- Your resources may be a relevant factor here, along with the privacy risk to individuals.
- You must be able to justify your retention and how often you review it.
- You must also review whether you still need personal data if the individual asks you to.
- Individuals have the right to request erasure of personal data that you no longer need for your specified purposes.
IDdesign
- Danish furniture store (IDdesign) failed to implement and enforce a data retention policy.
- The regulator is seeking a fine of €200,000.
- IDdesign's failure led to its storage of personal data relating to approximately 385,000 users – including their name, address, email and purchase history – on an old computer system for longer than was necessary.
- The computer system was phased out between March and July 2015, but the company did not delete the data stored on it.
- IDdesign had an internal data deletion deadline but had not implemented it.
- The regulator seriously criticised the lack of any documented follow-up procedure for data deleted from IDdesign’s internal HR and recruitment system – there should have been regular audits to ensure the policy was being implemented.
wardhadaway.com | @WardHadaway | Ward Hadaway