GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle - - PowerPoint PPT Presentation



SLIDE 1

Newcastle | Leeds | Manchester

GDPR Update

3 October 2019 Phil Tompkins and Dean Murray

SLIDE 2

What we will look at today

  • GDPR to date
  • How to handle data subject access requests
  • Data security and handling data breaches
  • What’s new
  • Case law

SLIDE 3

Why does data protection matter?

  • Legal obligations
  • Reputation and goodwill
  • Fines and enforcement
  • Other data protection liabilities
  • Compensation
  • Criminal penalties
  • Vicarious liability

SLIDE 4

What data does the GDPR protect?

  • Personal data
    • What is personal data? It identifies a living individual; anything about the individual
    • Examples: paper and digital / staff and customer records / CCTV / website / photos / applications / biometrics / location data / identifiers
  • Special category data (criminal offence/conviction data)

SLIDE 5

Data protection principles

  • You must process personal data in accordance with the data protection principles:
    • Lawfulness, fairness and transparency
    • Specific, explicit and legitimate purpose – use for that purpose only (purpose limitation)
    • Adequate, relevant and limited (data minimisation)
    • Accurate and up to date (take every reasonable step)
    • Keep only as long as necessary (e.g. retail orders, ticket forms etc.)
    • Appropriate security
  • NB: you need to be able to demonstrate compliance with the above – the "Accountability Principle"

SLIDE 6

Accountability

  • Article 5(2): “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability).”
  • Organisations need to develop a proactive, systematic and ongoing approach to GDPR compliance
  • Risk based approach
  • How to demonstrate accountability
    • Policies and procedures (Information Governance Framework)
    • Other documentation

SLIDE 7

GDPR to date – security breaches in 2018

[Chart: security breach reports by month, March to June 2018; vertical axis from 200 to 2000]

SLIDE 8

GDPR to date – personal data breach reports to date

SLIDE 9

GDPR to date – increase in exercise of information rights

[Chart: percentage of respondents (0% to 35%) who strongly agree, agree, neither agree nor disagree, disagree or strongly disagree with the statement “There has been an increase in individuals exercising their information rights”]

SLIDE 10

GDPR to date – personal data breach reports to date

  • “the public has woken up” – E Denham
  • 471,224 contacts via helpline, chat and written advice (66% increase)
  • Data protection complaints rose from 21,019 in 2017/18 to 41,661 in 2018/19
  • 11 assessment notices issued
  • 2 intentions to fine announced

SLIDE 11

How to Handle Data Subject Access Requests

Dean Murray

SLIDE 12

Basics: What are data subject access requests and what must I provide?

  • Right of access to own personal data
  • The right of access is to:
    • Confirmation that personal data is being processed
    • Access to a copy of the personal data
    • Supplemental information
  • Supplemental information:
    • Purpose of processing / categories of personal data / recipients (including outside the EEA) / retention period (where possible) / subject rights / sources of data / automated decision making or profiling / safeguards for transfers outside the EEA

SLIDE 13

How do I provide the information requested?

  • Provision of information:
    • Provide in a concise, transparent, intelligible and easily accessible format
    • Use plain and clear language
    • Provide in writing (orally if requested)

SLIDE 14

What do data subjects get a right of access to?

  • Personal data held at the time the request is received
  • Held in paper or electronic records
  • Personal data which relates to the individual
  • No requirement to provide exempt information

SLIDE 15

Some information is exempt…

  • The right of access is subject to a number of exemptions:
    • Information already held by the data subject
    • Impossible to provide or disproportionate effort
    • Third party data
    • Request for a large volume of data – can request that the data subject specifies the information
    • UK derogations

SLIDE 16

What specific exemptions are there and how do I use them?

  • Check if the personal data requested falls within an exemption
  • The exemptions include:
    • Crime and taxation (prejudice)
    • Legal professional privilege
    • Management forecasts (prejudice)
    • Negotiations (prejudice)
    • Health/social work/education data (serious harm)

SLIDE 17

How do I handle third party requests?

  • Confirm identity of requestor
  • Requests by parent/carer/spouse/solicitor on behalf of the data subject
  • Requests by others
    • Public authority – Freedom of Information Act 2000 / EIR 2004
    • Not a public authority
    • Legal right of access (e.g. HMRC/police)

SLIDE 18

Reviewing third party data requests

  • No need to supply personal data requested if it contains information about other people unless:
    • You have consent
    • It is reasonable to supply without consent
  • Factors to take into account where you don’t have consent:
    • Type of information / any duty of confidentiality / steps taken to obtain consent / is the individual capable of giving consent / any express refusal of consent
  • What to do with third party data
    • The obligation is to provide information, not documents
    • Redact or edit documents to exclude third party data

SLIDE 19

Handling requests

  • Check identity of individual
  • Log the request
  • Timescales
    • Without undue delay and in any event within one month
    • Time extensions up to 3 months
    • Keeping the data subject informed
  • Must provide free of charge unless manifestly unfounded or excessive
  • Searching for data
    • Search systems and locations. Provide the personal data requested unless exempt etc.
  • Form of response

SLIDE 20

Refusing requests

  • All refusals must be in writing
  • Keep a record of what was sent and the reasons why
  • Set out:
    • Reason for refusal – sufficient to say they aren’t entitled to the information as it is exempt; no requirement for a detailed explanation of why it was refused
    • Right to complain to the ICO

SLIDE 21

Data subject access requests – case law

  • Metropolitan Police Service
    • Enforcement notice re handling of DSARs
    • On 17 April 2019 it was processing 1,535 DSARs, over 94% outside the statutory time frame for a response
    • By 13 June 2019 – 1,727 DSARs with 1,169 overdue and 689 over 100 days old
    • ICO considers delay causes damage or distress
    • Met to use best endeavours to:
      • Answer all DSARs by 30 September
      • Make changes to its internal systems so it can answer future DSARs properly

SLIDE 22

Data Breaches and Data Security

Phil Tompkins

SLIDE 23

What do we mean by the term data security?

  • GDPR obligation: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  • Security should be appropriate to the likelihood and severity of the risks
  • Failure to keep data secure leads to personal data breaches

SLIDE 24

The requirement to use technical and organisational measures…

  • GDPR requires:
    • Controllers to ensure a level of security appropriate to the risk
    • Risk analysis
    • Proportionality test
  • Take into account:
    • State of the art
    • Cost of implementation
    • Nature, scope, context and purposes of processing
    • Risk of varying likelihood and severity for the rights and freedoms of natural persons
    • Risks presented by processing

SLIDE 25

What are appropriate measures?

  • What measures are appropriate?
    • Pseudonymisation and encryption
    • Managing, limiting and controlling access to personal data
    • Ensuring the ongoing confidentiality, integrity and availability of data
    • Resilience of processing systems to restore availability of and access to personal data in the event of an incident
    • Regular testing, assessment and evaluation of security measures
    • Approved codes of conduct and certification mechanisms
  • Record the measures you take
    • Art 30(2)(d) – processing record (accountability)

SLIDE 26

What do we mean by “organisational security”?

  • Governance
  • Contracts and data sharing
  • Training and awareness

SLIDE 27

What is “Governance”?

  • Management structures
  • Policies, procedures and documentation
  • Compliance and assurance
  • Identify and manage risks
  • Use of data protection impact assessments
  • Data protection by design and default

SLIDE 28

What do we need to consider with contracts and data sharing?

  • Carry out due diligence on processors and those you share data with
    • Consider the nature of the processing and the risks
  • Contracts
    • Processors – need “sufficient guarantees” to appoint:
      • To comply with GDPR
      • Protect data subject rights
      • Expert knowledge, resources and reliability
    • Data sharing (i.e. controller to controller transfers):
      • Where you share personal data, carry out due diligence on the sharing partner

SLIDE 29

What do we mean by due diligence?

  • Compliance with industry standards
  • Level of technical expertise
  • Check accreditations/references
  • Check GDPR compliance – compliance audit / documentation / breaches?
  • If work is performed off site, check the site
  • Assessment of security procedures
  • Adherence to code of conduct / certification scheme

SLIDE 30

What contract terms do we need?

  • Contract with controllers
    • Article 28 clauses / other clauses
  • Contracts with data sharing partners
    • Controller – controller transfers not covered by Article 28
    • Ensure the data sharing partner is contractually bound to:
      • Comply with data protection legislation
      • Use data for the specific purpose only
      • Keep personal data secure
      • Report breaches

SLIDE 31

Do we need to perform training and awareness raising activities?

  • Raising awareness
  • Training
    • Training strategy
    • When to train (on induction and annual refresher)
    • Training needs analysis
    • Specialist training
    • Temporary and agency worker training
  • Accountability and training
    • Training record
    • Use of KPIs

SLIDE 32

What do we mean by “technical security”?

  • Technical controls framework
    • E.g. Cyber Essentials
  • Secure configuration
    • Set up and configure software for your needs
  • Patch and software version management
    • Increased vulnerability over time
    • Software update policy
    • What to do with unsupported software
    • Responsibility for updates

SLIDE 33

What do we mean by “technical security” (2)?

  • Up to date malware protection
  • Manage and monitor your network
  • Periodic testing/assessment/evaluation
  • Access rights
    • Concept of “least privilege”
    • Default settings/passwords
    • Password protection
  • Encryption/pseudonymisation

SLIDE 34

What is a data security breach?

  • ICO particularly concerned with personal data breaches:
    • “personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” – Article 4(12)
  • NB: not all breaches of GDPR are personal data breaches, and not all fines will be for personal data breaches
  • Types of breach
    • Confidentiality / integrity / availability breach

SLIDE 35

When must we notify personal data breaches to the ICO?

  • Notify without undue delay and, where feasible, within 72 hours of becoming aware
    • Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • When do you “become aware”?
  • If not notified within 72 hours, the notification to the supervisory authority must include the reason for the delay
  • Must document the breach to enable the supervisory authority to verify compliance
  • Failure to notify is a breach

SLIDE 36

Is there guidance on what breaches must be notified to the ICO?

  • Notify unless the breach is unlikely to result in a risk
  • Need to assess the risk
  • Types of risk
    • Physical
    • Material/non-material damage
  • Risks include:
    • Loss of control / limitation of rights / discrimination / identity theft or fraud / financial loss / unauthorised reversal of pseudonymisation / damage to reputation / loss of confidentiality

SLIDE 37

You have to notify individuals of breaches in some circumstances…

  • Notify individuals where there is a high risk to the rights and freedoms of individuals
  • Where a personal data breach results in a high risk, you must communicate the breach without undue delay
  • What is a high risk?
    • Where the breach may lead to physical, material or non-material damage
    • Loss or disclosure of special category and criminal data – likely to be high risk

SLIDE 38

How do we decide if a breach is a risk or a high risk?

  • What is the difference between a risk and a high risk? Likelihood and potential severity
  • Type of breach
  • Nature, sensitivity and volume of data / numbers affected
  • Other circumstances
    • Ease of identification – pseudonymisation?
    • Severity of consequences, e.g. discrimination, identity theft, physical harm, fraud, financial loss, damage to reputation
    • Intentions of the recipient of the data
    • Special characteristics of the individual/controller
  • What protections are in place to minimise the risk of damage and to mitigate ongoing impact?
    • Is the information encrypted/pseudonymised?
    • Was it already publicly available?

SLIDE 39

What’s new?

Phil Tompkins and Dean Murray

SLIDE 40

What’s new?

  • Brexit
  • Data sharing code
  • DSARs
  • Retention of personal data
    • Offence of knowingly or recklessly retaining personal data without the consent of the controller
  • Certification and Codes of Conduct
  • Cases

SLIDE 41

I hoped I wouldn’t hear the word Brexit this morning…

  • UK government intends to write GDPR into UK law, the so-called “UK GDPR”
  • No deal planning:
    • International transfers
      • Permitted to the EEA and countries with adequacy decisions
      • Privacy Shield issues – a US organisation must update its public commitment to include transfers from the UK
      • No adequacy decision? Must use appropriate safeguards
    • Contract wording
    • Privacy notices
    • Update any DPIA involving international data flows

SLIDE 42

Case 1 – Haga Hospital – Netherlands

  • Fine of €460,000 for insufficient internal security on patient records
  • Celebrity patient file viewed by over 197 hospital staff
  • Dutch DPA reviewed security measures for compliance with:
    • Article 32
    • Specific health sector security standards
  • No alert to administrators if someone viewed a file they weren’t entitled to view
  • Inadequate control of access logs – should be “systematic, risk-orientated or intelligent control”
  • Lack of two-factor authentication
  • If there is no improvement in security by 2 October, the Dutch authority will require payment of an extra €100,000 a week up to a maximum of €300,000
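The two technical findings on this slide (no alert when a staff member opens a record they are not entitled to, and no systematic control of access logs) both come down to reviewing the access log against a known care relationship. The example below is added here to illustrate that control and is not part of the slides or of Ward Hadaway's material; the log format, the `CARE_TEAM` mapping and the fan-in threshold are all constructed assumptions, not any hospital's real data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log (not from any real system).
# Fields: timestamp, staff_id, patient_record_id, action
SAMPLE_LOG = """\
2019-04-01T08:02:11Z,nurse017,P-1001,view
2019-04-01T08:05:40Z,doc004,P-1001,view
2019-04-01T08:07:02Z,doc004,P-2002,view
2019-04-01T09:15:33Z,admin902,P-2002,view
2019-04-01T09:16:10Z,nurse017,P-2002,view
2019-04-01T09:17:45Z,lab233,P-2002,view
2019-04-01T09:18:01Z,porter060,P-2002,view
2019-04-01T10:00:00Z,doc004,P-3003,update
"""

# Constructed care-team mapping: which staff have a treatment relationship
# with which record. In a real deployment this comes from the patient
# administration / EHR system, not from a hand-written dict.
CARE_TEAM = {
    "P-1001": {"nurse017", "doc004"},
    "P-2002": {"doc004", "nurse017"},
    "P-3003": {"doc004"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    staff: str
    record: str
    action: str


def parse_log(text):
    """Parse the comma-separated log lines into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, staff, record, action = line.split(",")
        events.append(AccessEvent(ts, staff, record, action))
    return events


def accesses_outside_care_team(events, care_team):
    """Events where the staff member has no recorded treatment relationship
    with the record: the case an administrator alert should fire on."""
    return [e for e in events if e.staff not in care_team.get(e.record, set())]


def records_with_unusual_fan_in(events, threshold):
    """Records accessed by more than `threshold` distinct staff, as
    {record: distinct_staff_count}. Catches the 'many staff open one file'
    pattern even where the care-team data is incomplete."""
    viewers = defaultdict(set)
    for e in events:
        viewers[e.record].add(e.staff)
    return {r: len(s) for r, s in viewers.items() if len(s) > threshold}


def review_queue(text, care_team, threshold):
    """Build the items an information-governance reviewer should look at."""
    events = parse_log(text)
    return {
        "outside_care_team": [
            (e.ts, e.staff, e.record)
            for e in accesses_outside_care_team(events, care_team)
        ],
        "high_fan_in": records_with_unusual_fan_in(events, threshold),
    }


if __name__ == "__main__":
    for key, val in review_queue(SAMPLE_LOG, CARE_TEAM, threshold=3).items():
        print(key, val)
```

On the constructed log, the care-team check flags the three accesses to P-2002 by staff outside its care team, and the fan-in check flags P-2002 itself because five distinct staff opened it. Running both checks on every log batch, rather than only reading logs after a complaint, is what turns the log into the "systematic, risk-orientated or intelligent control" the Dutch DPA asked for; the threshold should be set per record type from observed baselines rather than fixed at a single number.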

SLIDE 43

Case 2 – La Liga – Spain

  • Fine of €250,000
  • To combat piracy La Liga used its app to collect data without consent
  • App covertly collected audio and location data – it detected bars where La Liga matches were on but the fee was not being paid
  • App got consent to activate the microphone on the mobile (so it could detect the sounds of football) but didn’t tell users why it did this – consent not specific and therefore inadequate
  • Privacy notice inadequate
  • Didn’t give users the ability to withdraw consent

SLIDE 44

Case 3 – ID Design – Denmark

  • Fine of 1.5m DKK (€200,800)
  • Failure to delete data about 385,000 customers
  • Fine followed a supervisory visit and an audit question regarding deadlines for deletion of customer data
  • ID Design ran two separate customer systems. Data in the old system had never been deleted. It included names, addresses, telephone numbers, email addresses and purchase history. No deadline had been set for deletion from the old system
  • Danish DPA concluded there was a breach of principle 5 (keep only as long as necessary)

SLIDE 45

Case 4 – Taxa 4x35 – Denmark

  • Fine of 1.2m DKK (€160,754)
  • Retention of data for too long
  • Taxa deleted customer names and addresses after 2 years but kept phone numbers for a further 3 years
  • Taxa argued telephone numbers were an essential part of its IT system and couldn’t be deleted as quickly
  • Danish DPA said a failure in the IT system can’t justify a serious breach of data protection laws (data minimisation)

SLIDE 46

Case 5 – British Airways – UK

  • Proposed fine of £183.39m
  • Cyber attack led to user traffic to the BA website being diverted to a fraudulent site
  • 500,000 customer details compromised, including payment card, name and address
  • Breach due to poor security arrangements
  • Known vulnerability which had not been updated since 2012

SLIDE 47

Case 6 – Marriott Hotels – UK

  • Proposal to fine £99,200,396
  • Cyber incident led to 7m guest records in the UK being disclosed (30m in the EU and 339m worldwide)
  • Vulnerability arose out of the acquisition of the Starwood hotels group
  • Starwood systems compromised in 2014, bought by Marriott in 2016, discovered 2018
  • Marriott failed to undertake adequate due diligence on the corporate acquisition – should have done more to secure the systems


SLIDE 49

wardhadaway.com @WardHadaway Ward Hadaway Newcastle | Leeds | Manchester