Some of the hype about the General Data Protection Regulation (the GDPR) has been given renewed focus over the last couple of weeks by the issuing of two Notices of Intent by the Information Commissioner’s Office (ICO) with a nominal value of over £283m. It is worth reiterating what many have already said before me – Marriott International and British Airways, the two organisations involved, may never actually receive a fine. This is only the start of the process and there is a long way to go.
Nevertheless, what this has undoubtedly done is raise the profile of data protection legislation and the newly acquired abilities of the regulator (the ICO) to issue substantially increased fines compared to those available under previous legislation. This will almost certainly result in some discussion in boardrooms and, for those that have yet to appoint a Data Protection Officer (DPO), probably a much more serious discussion about whether or not they should. Even those that don’t need a DPO may still choose to appoint one, or someone specifically responsible for data protection compliance.
If you are newly appointed to the role, the most important point to remember is that you are not alone. While the role of DPO is new to the GDPR, the majority of data protection law requirements have been around for some time in the UK, some since 1984, so there are lots of things we can learn from what has happened under previous legislation.
It is likely to seem like a daunting task at first and I think that most would agree that there is a huge amount of information to take in before you can even think about applying it. Data protection has also suffered from significant volumes of misinformation that need to be sifted out, so where do you start if you are given the role of DPO?
This article provides some basic advice as well as links to reliable sources for those new to the DPO role as well as for those responsible for managing data protection compliance. This draws on my own experiences of working with data protection for the past 20 years, including as a DPO for a number of organisations since 25 May last year.
What is a Data Protection Officer?
A DPO is a role established by the GDPR with specific tasks and responsibilities laid down by the legislation. The role is required by an organisation (either a controller or processor [1]) where:
- They are a public authority except for courts acting in their judicial capacity;
- The core activities of the organisation require regular and systematic monitoring of data subjects on a large scale. One example of regular and systematic monitoring will be CCTV but there are lots of others;
- The core activities consist of processing on a large scale of special categories of personal data (Article 9 of the GDPR) or personal data relating to criminal convictions and offences (Article 10). Special categories of personal data include medical information, racial or ethnic origin, religious beliefs and trade union membership along with others.
If you haven’t already, it may be helpful to review the guidance issued by the Article 29 Working Party, endorsed by the European Data Protection Board, on the role of the DPO, as it expands on several important points, including the need to avoid a conflict of interest when making the appointment. It also helps with the interpretation of key terms such as “large scale”, and discusses the need to conduct a data protection impact assessment to determine whether you need a DPO if it is not clear in terms of the legislation.
I would recommend that you don’t call yourself a DPO unless the law specifically requires your organisation to have one, or a decision has been made at board level or equivalent that your organisation should have one. If you call yourself a DPO, both you and your organisation must then comply with all aspects of the law for DPOs.
What do I need to do?
There is no set job description and the role is likely to differ according to sector, size and a range of other factors. However the GDPR lays down a number of tasks (Article 39) that have to be completed by the DPO as a minimum:
- To advise the organisation that you work for, as well as its employees, about their obligations under the GDPR and other data protection law;
- Monitor compliance with the GDPR and other data protection law as well as with the policies of your organisation that relate to the protection of personal data. The legislation mentions the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Provide advice on data protection impact assessments and monitor their performance in terms of ensuring compliance with the GDPR;
- Cooperate and act as the point of contact with the supervisory authority. In the UK this will be the Information Commissioner’s Office.
When carrying out their tasks, the GDPR requires the DPO to have due regard to the risk associated with processing operations. It is also worth noting that the DPO must be accessible to data subjects and is bound by secrecy and confidentiality regarding the performance of tasks.
There are other responsibilities placed on the controller or processor with regard to the DPO and you can find out more about these in the GDPR as well as the EDPB guidance referred to above.
Who am I responsible to?
The DPO should report into the highest level of your organisation, which is usually board level. Further information about this is available from the ICO’s website. It should be noted that there is nothing in the legislation or the EDPB guidance that allows an existing board member to hold the role in name only and delegate the work to others, although that is an approach a number of organisations seem to have taken. The organisation must also ensure that the DPO does not receive any instructions regarding the exercise of their tasks.
What skills and competencies should I have?
The GDPR states that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”, as well as being able to fulfil the tasks listed above.
I am sure it goes without saying but for the avoidance of doubt, anyone in the role of DPO should have at least a basic knowledge of data protection laws, and an understanding of how the law is applied is a must. That said, these are skills that the vast majority of us have learnt once in the job but it is really helpful to familiarise yourself with reference materials (including codes of practice) and applicable legislation. As highlighted above, make sure the information you are using is from a trusted and reliable source.
To comply with the requirements of legislation, information governance skills are likely to be very helpful, with business knowledge of the organisation you are working for essential. As yet, the ICO hasn’t issued any additional guidance for the UK although you may find it useful to look through the frameworks of competence published by the Spanish and French authorities. These are fairly consistent in the areas of competence that they are expecting a DPO to have. We are going to cover the area of emerging required competencies of DPOs in a later blog.
Is being a DPO a permanent role and can I do it alongside what I am doing?
Assuming your organisation meets the criteria for requiring a DPO, it will be an ongoing legal obligation, although whether it is introduced as a permanent role will be decided by your organisation. The legislation specifically allows for the role to be an employee or to be contracted in as a service. If you are going to contract in a service, make sure you undertake the necessary due diligence.
The role can be fulfilled by someone with other responsibilities although, as mentioned above, there cannot be any conflict of interest between the two roles that you might have. For example, it is unlikely that the role of DPO could be held by the Head of HR or the Head of IT, or equivalent roles in your organisation.
Are there any associations that I could join?
Some of the organisations that provide support for compliance with data protection laws include:
What training is available?
If you are looking to formally develop competencies, there is a wide range of training available. Again, make sure you do your due diligence to ensure that any events you decide to attend are going to provide what you need them to. Note that there are no certifications under the GDPR in the UK, at least not yet, and there are unlikely to be any for training for DPOs.
Tkm offers a number of data protection qualifications that are certified by the BCS or the SQA, one of the UK’s qualifications regulators.
Tkm’s courses include:
- Diploma/Certificate in Managing Data Protection Compliance
- Certificate in Data Protection Compliance
- BCS Foundation Certificate in Data Protection
- BCS Practitioner Certificate in Data Protection
Courses are run throughout the UK and can also be delivered in house. In house training can be fully customised according to the needs of your organisation. Please don’t hesitate to contact us if you would like to discuss your requirements. The IRMS also has other training partners that provide courses on a range of information governance topics – see Leadership Through Data.
[1] Controllers and processors are defined by the GDPR. A controller determines the means and purposes of processing personal data, and a processor processes personal data on behalf of the controller. If you are regularly processing personal information, you are likely to be either a controller or processor or both. See the ICO’s website for further information.
Tkm is delighted to be launching a suite of 3 approved data protection qualifications on 9 April 2018 at the Information Market as part of the ICO’s Data Protection Practitioners Conference.
The qualifications are based on specific learning outcomes and performance criteria, and have been designed to help people apply UK data protection legislation. They will also assist organisations with demonstrating that key staff have the necessary skills and competencies to manage data protection compliance. These awards are approved and certificated by the SQA, one of the UK’s qualification regulators.
Data Protection Qualifications
The data protection qualifications available are:
Certificate in Data Protection Compliance
The primary learning objective of this qualification is to enable those attending to develop a basic knowledge of data protection legislation that they are able to apply to simple, common scenarios. It is a one day course and rated as level 6 on the SCQF, equivalent to RQF level 3 and EQF level 4 (qualifications frameworks).
Certificate in Managing Data Protection Compliance
On successful completion of the qualification, those attending will be able to demonstrate competencies in implementing data protection legislation in a range of complex scenarios, as well as understand and apply best practice set out by codes of practice. Candidates will also be able to demonstrate competencies required to deliver compliance programmes and manage aspects of information governance. This qualification is usually delivered over 5 consecutive days and is level 8 on the SCQF, equivalent to RQF level 5 and EQF level 5.
Diploma in Managing Data Protection Compliance
On successful completion of the qualification, candidates will be able to demonstrate competencies in assessing and evaluating levels of compliance together with the risks of non-compliance within the context of their workplaces, as well as develop prioritised implementation plans. This qualification is usually delivered over 5 consecutive days and requires the completion of a work-based assignment. The qualification is level 10 on the SCQF, equivalent to RQF level 6 and EQF level 6.
Further information about the course content is available from our data protection qualifications and training pages. The courses are continually reviewed and updated to ensure they reference current UK data protection and associated legislation, including the General Data Protection Regulation (GDPR) and what will become the Data Protection Act 2018. If you would like any help with deciding which level of training is right for you, please get in touch.
Come and say hello at the Information Market on 9 April when we will be offering a limited number of discounted places – we look forward to seeing you then!
Tkm is an approved training company of the Information and Records Management Society (IRMS) and discounts are available for current members.
Courses are scheduled throughout the UK and we have places available for courses in Bristol, Glasgow, Gatwick and Newcastle. Courses can also be delivered in-house and may be more cost effective if you have 4 people or more. Prices start from £350 plus VAT for a one day course, and £1,600 plus VAT for the 5 day course. To book and find further information please see our course pages, contact us, or book through Eventbrite.
Training of staff is going to be a vital investment to ensure compliance with the GDPR for many organisations, although it can also be a significant cost. It is therefore essential to make sure your organisation has a training solution that is right for it.
Following on from our first blog on data protection training, this focuses on helping to ensure you get value for money.
How Do I Choose the Best Training Option for my Organisation?
Successful data protection training programmes rely on accurately analysing and identifying the training needs of your organisation. These can be complex when implementing programmes such as those for compliance with the GDPR, as they can potentially involve large numbers of staff who are going to be affected by the legislation in many different ways. The points below provide an overview of what you may wish to consider when choosing the training solution that is going to be best for your organisation.
What data protection tasks require completion?
It is vital to consider this in stages, starting with preparations for the implementation of the GDPR, followed by maintenance and ongoing compliance. Are you going to require staff to develop a compliance programme, and interpret and apply the legislation within the context of the organisation? If so, any members of staff tasked with this are likely to require a considerably higher level of competence than a member of staff tasked with basic maintenance tasks once the legislation is in place. Similarly, if ongoing compliance tasks are likely to have a high degree of complexity or involve processing Special Categories of data, this should also be taken into consideration.
What is the current skills gap?
This is a fundamental consideration when considering what data protection training and support is required as you need to understand what gaps in competence require managing by a training programme. Do staff already have a good working knowledge of the DPA 1998? If so, the training may simply address the differences between existing and new legislation. If staff have very little knowledge, more detailed training to help them understand why compliance is important may be beneficial.
You should also think about the processing activities staff will undertake. Having a basic knowledge of data protection legislation may be appropriate for someone undertaking simple, basic and routine tasks involving personal data. However, it would not be an appropriate level for someone undertaking more difficult or complex processing operations, for example staff in the HR department.
To what extent will staff need to apply their knowledge?
Are business processes routine, simple and supported by tools such as IT software that limit errors? Staff engaged in this type of processing are likely to require a lower level of competence than staff involved in complex, bespoke and highly manual processing of personal information.
What are the risks associated with processing activities?
This should consider the frequency, complexity and volume of personal information, together with whether it is inherently higher risk, for example where the information includes Special Categories of personal data or detailed financial information. It may also be worthwhile to conduct a data protection impact assessment for some of the highest risk processes if this hasn’t been completed previously, as there may be alternative solutions to training. For example, there may be options to automate highly complex, high risk processing through systems development rather than developing data protection training for a manual process.
What ongoing support will staff have available to them in the workplace?
Once staff have undertaken training, what support will be available to them to help integrate data protection competencies into their role and make sure staff understand how to apply their knowledge in a relevant context?
How are you going to maintain levels of competence?
It is essential to maintain the levels of competence required for compliance and this is likely to require a comprehensive monitoring programme together with refresher training. The required frequency is likely to depend upon roles as well as risks associated with processing operations they undertake.
Tkm Can Help
Tkm offers a range of training solutions and can also help with conducting a training needs analysis. To discuss the options available for your organisation, including accredited foundation and practitioner qualifications, please contact us.
Data protection training is going to be an essential part of preparing for compliance with the General Data Protection Regulation (GDPR). Time is already becoming limited to develop and implement a comprehensive training programme to enable compliance with the GDPR. Furthermore, some evidence suggests that there will be a significant skills shortage and therefore the competencies required to comply with the legislation should be identified as soon as possible. Tkm can help with every stage of training planning and delivery with further information provided at the end of the blog.
Training for staff is not a new requirement to comply with data protection laws. The ICO considers training as an “appropriate organisational measure” under Principle 7 of the Data Protection Act 1998 (DPA 1998), and it is likely that the GDPR will reinforce and strengthen this requirement.
As discussed in a previous blog, the Data Protection Article 29 Working Party’s guidance on the role of Data Protection Officer (DPO) discusses competencies being commensurate with the risks associated with processing. This is likely to be a useful approach when determining all training needs of your organisation and not just those of the DPO.
It is important to ensure that your training programme delivers the best value for money. In this context, for most organisations, this means that any investment in training facilitates sustainable, long term compliance with the GDPR. Data protection training should also deliver against relevant corporate objectives.
The success of training programmes is generally determined by the extent to which training needs are accurately identified. Once identified, the next step is to develop or acquire a solution that has the best fit with those needs. This blog covers the options available and key points to consider when deciding what training would offer best value for money to your organisation.
What Data Protection Training Solutions are Available?
There are a number of different options to consider when looking for the best training solution for your organisation. These depend upon the format and content of the training, as well as the method of delivery.
Format and Content of Training
Accredited Data Protection Qualifications
There are accredited data protection qualifications although it is important to check which body is accrediting the training. It should be an organisation that is recognised as a provider of qualifications, which you should be able to check through the accreditors’ websites. Qualifications generally provide an assurance of consistency of what is going to be covered, with those completing them reaching a demonstrable level of competence. Some providers also offer flexible learning options. It is not always possible to customise accredited qualifications, particularly for intensive courses, therefore those attending need to be capable of applying the relevant knowledge to their own working environments on completion.
Customised training does not usually have accreditation although can often significantly aid implementation and integration of learning points into business processes. Training providers will often develop customised training in consultation with their clients. There is therefore likely to be an opportunity to influence the content to match your organisation’s specific training requirements. You may find that some training providers can offer a qualification that is customised to meet the needs of your organisation.
Method of Training Delivery
In house Training
The availability of this option is likely to be determined by available budget. In house training can be cost prohibitive for smaller organisations, although it is worth considering and investigating for organisations of any size. The main advantage of in house training is that there can usually be more of a focus on the organisation, for example during discussions on application, particularly around sensitive business areas. These types of topic may not be discussed at a course with general attendance. There is also typically more flexibility about how and when the training is provided.
There are a number of different types of attended training, seminars and conferences available that focus on GDPR. Whichever option you choose, you need to be confident it will be of benefit to attend. Part 2 of our blog will look at this in more detail. In the meantime, some key points to consider are:
- Is the training accredited by a recognised qualifications body? This is likely to be particularly important if you are looking for attendance to demonstrate competence.
- Is the event going to focus on areas that are important to your organisation? The GDPR contains a number of new legal requirements and they may not all be relevant to your organisation.
- Which staff will be attending? Senior managers are more likely to require events that focus on implications of the legislation. Those responsible for practical implementation may need more detail that they can apply in their own working environment.
- Consider knowledge and competencies. There are some excellent seminars and conferences being publicised. However, it is unlikely to represent value for money to attend an event that covers the theoretical side of the legislation if those attending have no competencies in interpretation and application. There are also some great events on relevant topics such as information security. These are unlikely to be of benefit to those attending if they don’t have at least a background knowledge of the topic being covered.
Tkm Can Help Plan, Prepare and Deliver Your Training
Tkm is highly experienced and has developed and delivered data protection training programmes for a wide range of clients. Able to deliver both accredited qualifications and customised training, Tkm can help from the beginning of the planning process. Services include training needs analysis as well as all aspects of data protection training programme development and delivery. Tkm can help to ensure your organisation gets the best value for money for your investment in training staff. New, accredited qualifications in data protection are planned for later in 2017. Further details will be added to our data protection training page.
Please contact us to discuss your training requirements.
I attended a seminar last year where an organisation presented a new database that they had been developing. In my view, it was great. Genuine issues recognised by both the organisation and the sector involved would be addressed and the tool, without doubt, would facilitate better management of those issues.
As the presentation went on, however, it became clear that nobody seemed to have considered compliance with data protection legislation. In my experience, this is not unusual in the vast majority of IT projects, in particular, new system development. The system contained many features that generally prevent most of us working with data protection from sleeping at night, namely multiple uses of the dreaded free text field. These were specifically designed to allow staff to enter potentially highly subjective information about identified individuals.
There is a high probability that those who are identified either by having a dedicated record in the database or from information in the free text field will have no knowledge that information is being captured and recorded about them. In fact, I strongly suspect I have, or will have, a record in the database and as yet have not been informed about the existence of the database. Additionally, one of the purposes of recording information is to inform significant decisions about those individuals as and when required at some point in the future.
Any Processing of Personal Data Must Comply with Data Protection Laws
There are many data protection issues that the database raises, including accuracy, retention, and the rights of, and accessibility by, those identified in the information. The purpose of this blog is to highlight one further issue: the need to identify the legal basis for processing data. This is fundamental for processing to be lawful. While some processing in the database above would be justifiable, I am not clear on the legal bases that cover all processing activities.
Under the Data Protection Act 1998 (DPA 1998), to be fair and lawful (Principle 1), processing must satisfy at least one of the conditions at Schedule 2. These conditions remain essentially the same under the GDPR, although organisations will be required to actively inform people about the legal basis that is being used to process their data. The size of the task to establish the legal basis for all processing is likely to be significant for some organisations and should not be underestimated. With a year to go, it would be worthwhile beginning this task as soon as possible.
If you are unable to identify the legal basis and justify the processing, it is potentially unlawful. The consequences could be significant, with substantial fines for breaches of the legislation. There may also be compensation claims where the information has been used to inform decisions about people when its capture and subsequent use was unlawful. There could also be costly and rapid changes required to non-compliant systems.
Ensuring Your Processing is Lawful
This blog probably contains some slightly more technical jargon than others. However, the summary below covers terms that, if you are responsible for data protection compliance, you will need to become familiar with. Briefly, for processing to be lawful under the GDPR, at least one of the following must apply in every circumstance (Article 6):
- The person has given their consent for the purposes of processing. The rules surrounding obtaining consent are becoming far stricter and will be covered in a later blog;
- The processing is necessary for the performance of a contract to which the individual is party (or in order to enter into that contract at the request of the individual);
- Processing is necessary for compliance with a legal obligation to which the Controller (the organisation responsible for the information) is subject. This must be a specific responsibility laid down by law;
- Processing is necessary to protect the “vital interests” of the individual or other person. This means the processing is “essential for the life” (Recital 46);
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, which should have a basis in law;
- Processing is necessary for the purposes of legitimate interests pursued by the Controller, although this must be balanced with the interests and fundamental rights and freedoms of the individual. This can be a difficult condition to justify and furthermore, public sector organisations are prevented from using this under the GDPR. Public sector organisations that are solely relying on legitimate interests will need to either implement measures to ensure another applies, such as obtaining consent, or change or potentially stop their processing activities.
Many of the justifications above are similar to the existing requirements. However, under the GDPR you must also provide the legal basis to people in privacy notices and include it in responses to Subject Access Requests (SARs).
The processing of sensitive personal data is also currently subject to Schedule 3 of the DPA 1998. This type of information is dealt with under Article 9 of the GDPR.
Using your information asset register, ensure you understand the legal basis for all processing activities. Remember that the justification needs to cover every potential processing activity. For example, it is likely to be justifiable for staff managing payroll to have access to certain personal finance information. In most organisations, this is likely to be justifiable under a number of the legal bases above. These could include performance of a contract, and compliance with a legal obligation where information about tax and national insurance is processed. However, that justification will not extend to those that may work in a wider finance team with no payroll responsibilities. Access (and therefore ability to process) must therefore be restricted accordingly.
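One way to put the last point into practice, and to reuse the same record for the legal-basis statements that privacy notices and SAR responses need, is to drive access decisions from the register itself. The following is an added example, not code from the original post or from Tkm: each processing activity is recorded with its Article 6 basis, access is denied unless a registered purpose covers both the data category and the requesting role, and a check flags a public body relying solely on legitimate interests. All roles, purposes and data categories are constructed for illustration.

```python
"""Purpose-bound access control driven by a record of processing activities.

Added example (not from the original post): each activity in the record is
stored with its Article 6 legal basis. The same record decides whether a role
may access a data category for a stated purpose (deny by default) and produces
the legal-basis statement a privacy notice or subject access response needs.
Every role, purpose and data category here is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class LegalBasis(Enum):
    """The Article 6(1) lawful bases."""
    CONSENT = "consent, Art. 6(1)(a)"
    CONTRACT = "performance of a contract, Art. 6(1)(b)"
    LEGAL_OBLIGATION = "compliance with a legal obligation, Art. 6(1)(c)"
    VITAL_INTERESTS = "vital interests, Art. 6(1)(d)"
    PUBLIC_TASK = "public task or official authority, Art. 6(1)(e)"
    LEGITIMATE_INTERESTS = "legitimate interests, Art. 6(1)(f)"


@dataclass(frozen=True)
class ProcessingActivity:
    purpose: str
    data_categories: frozenset   # categories of personal data this purpose touches
    legal_bases: tuple           # at least one Article 6 basis must be recorded
    permitted_roles: frozenset   # roles that actually carry out this purpose


def check_activity(activity, public_body=False):
    """Return the compliance problems with one record entry (empty list = none)."""
    problems = []
    if not activity.legal_bases:
        problems.append(f"{activity.purpose}: no legal basis recorded")
    if public_body and set(activity.legal_bases) == {LegalBasis.LEGITIMATE_INTERESTS}:
        # Public authorities cannot rely on legitimate interests for their tasks.
        problems.append(f"{activity.purpose}: public body relying solely on legitimate interests")
    if not activity.permitted_roles:
        problems.append(f"{activity.purpose}: no role is permitted to carry out this purpose")
    return problems


# Constructed record: payroll staff handle salary and tax data; the wider
# finance team only ever needs bank details for expense reimbursement.
REGISTER = (
    ProcessingActivity(
        purpose="payroll",
        data_categories=frozenset({"salary", "tax_code", "ni_number", "bank_details"}),
        legal_bases=(LegalBasis.CONTRACT, LegalBasis.LEGAL_OBLIGATION),
        permitted_roles=frozenset({"payroll_officer"}),
    ),
    ProcessingActivity(
        purpose="expense_reimbursement",
        data_categories=frozenset({"bank_details", "expense_claims"}),
        legal_bases=(LegalBasis.CONTRACT,),
        permitted_roles=frozenset({"payroll_officer", "finance_analyst"}),
    ),
)


class AccessDenied(PermissionError):
    pass


def authorise(register, role, data_category, purpose):
    """Deny by default. Grant only when an entry for the stated purpose covers
    the data category and permits the role; return that entry so the caller
    can log which legal basis the access relied on."""
    for activity in register:
        if (activity.purpose == purpose
                and data_category in activity.data_categories
                and role in activity.permitted_roles):
            return activity
    raise AccessDenied(f"{role} may not process {data_category} for {purpose}")


def may_access(register, role, data_category, purpose):
    """Boolean convenience wrapper around authorise()."""
    try:
        authorise(register, role, data_category, purpose)
        return True
    except AccessDenied:
        return False


def legal_basis_statement(register, data_category):
    """Lines for a privacy notice or SAR response: each purpose for which the
    category is processed, with the legal basis relied on."""
    return [
        f"{a.purpose}: " + "; ".join(b.value for b in a.legal_bases)
        for a in register
        if data_category in a.data_categories
    ]


if __name__ == "__main__":
    for role, cat, purpose in [
        ("payroll_officer", "salary", "payroll"),
        ("finance_analyst", "salary", "payroll"),
        ("finance_analyst", "bank_details", "expense_reimbursement"),
        ("finance_analyst", "bank_details", "payroll"),
    ]:
        verdict = "allowed" if may_access(REGISTER, role, cat, purpose) else "DENIED"
        print(f"{role} / {cat} / {purpose}: {verdict}")
    print(*legal_basis_statement(REGISTER, "bank_details"), sep="\n")
```

The decision is bound to the purpose as well as the role: a finance analyst can reach bank details for expense reimbursement but not under the payroll purpose, which is what stops the wider finance team inheriting payroll access. Because `authorise()` returns the matching entry, an audit log can record the legal basis relied on for every access, and the same record answers the "what is your legal basis?" line in a SAR response.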
It is also worth noting that the GDPR requires systems to have data protection considerations by “design and default”. Data protection impact assessments (DPIA) will become mandatory in some cases and should be conducted at the planning stages of systems projects. DPIA will be discussed further in a later blog. Begin to consider required changes to your business processes to ensure the DPIA is conducted at the right stage in any project.
Tkm can help with identifying the legal basis for processing. If you would like help with this or any other preparations for the GDPR please contact us.
With one year to go, it must be time for a GDPR checklist! It is essential to make a start on preparations for compliance with the GDPR as there is lots to do. The list below provides high level tasks that should be in your preparation programme and references the part of the GDPR that applies.
The GDPR is likely to require significant change for many organisations and you will need to do some groundwork.
- Awareness raising is essential at all levels of the organisation. It is particularly important for senior management as they need to understand the scale of both change required and the task in hand, as well as the implications of being non-compliant.
- Identify the personal data that you hold. You should also identify information falling within the Special Categories (Article 9) or data relating to criminal convictions and offences (Article 10). It is important to identify all personal data being processed including that relating to your own staff, customers, suppliers and other third parties.
- Identify each of your specific purposes for processing personal data.
- Keep up to date with information issued by the Information Commissioner (ICO).
Ensuring Your People Are Ready
Your employees will be an essential part of any programme of change.
- Where required, appoint a Data Protection Officer (Article 37).
- Develop and implement a training programme. This will be essential for many aspects of compliance, including implementing appropriate security (Article 32). Training should be commensurate to people’s data protection responsibilities and will be the topic of future blogs.
Making your Business Processes Compliant
You will need to review all processes that relate to personal data.
- Wherever you process personal data, identify the legal basis for processing (Article 6). This will be the topic of our next blog.
- Review your procedures for obtaining consent where you are relying on it as the legal basis for processing, as they may need to be changed to comply with the GDPR. This will be particularly important where you may currently be assuming consent (permitted by current legislation where it is reasonable to do so) (Article 7).
- Amend processes that will not have a legal basis for processing. One example is those in the public sector that currently rely on the legitimate interests condition.
- If you process personal data relating to children, ensure your processes have the specific protection required by the GDPR. This has a number of references including Article 8 and Article 12.
- Ensure your processes for managing business change include procedures for conducting data protection impact assessments and prior consultation (Section 3).
- Develop procedures for reporting data breaches. The GDPR requires that organisations notify both the ICO and data subjects (Articles 33 and 34).
- Develop procedures for demonstrating compliance (accountability) (Article 5). These should include assessment of the effectiveness of technical and organisational measures for ensuring the security of processing (Article 32).
- The GDPR has specific references to profiling. You should check the compliance of any processing using profiling techniques such as marketing and automated decision making.
- Where you transfer, share, or provide data to other organisations, make sure these arrangements are documented. You will need this information to comply with some of the individuals’ rights listed below.
- Ensure the appropriate safeguards are in place for any international transfers.
Ensuring Your Systems are Compliant
System compliance, for many, is likely to be a significant piece of work.
- All processing requires data protection by design and default (Article 25). This will apply to processes as well as systems although it is likely to have the largest impact on systems. This article also requires that the personal data being processed is strictly limited to that which is required for the purpose of processing.
- Begin implementing system change for compliance. Most of us will need to start this now if we are going to be ready for 25 May 2018.
- Even if you don’t operate internationally, check the geographic location of where your data is being processed. You may find it is outside of the EEA and you need to take action to be compliant.
- Consider the requirements for pseudonymisation and encryption, other appropriate security requirements, and the ability to restore data (Article 32).
- Check that your systems have all the necessary functionality to comply with each part of the GDPR, in particular retention and the right to be forgotten.
Producing the Relevant Documentation
Accountability and transparency are key requirements of the GDPR. You should take steps to:
- Develop privacy notices that contain all the necessary information (Articles 13 and 14).
- Develop your records of processing activities, if required (Article 30).
- Review and revise contracts and agreements where required. This will be particularly important where the agreements relate to personal data. It will also be important to review information sharing agreements and data processing agreements.
- Consider which records you are going to use to demonstrate compliance (accountability) (Article 5). You may need to create new audit and assessment procedures.
Managing the Rights of Individuals
The GDPR introduces new and amended rights for data subjects. The first task is to ensure you understand what each of the rights mean in practice. You then need to:
- Review your procedures for processing subject access requests and make sure they comply with the new requirements (Article 15).
- Develop procedures to implement the right of rectification (Article 16).
- Develop procedures to implement the right to be forgotten. In certain circumstances, organisations will need to erase personal data on request. Where the organisation has made that data public, they must also take steps to prevent others from processing that data (Article 17).
- Develop procedures to implement the right to restrict processing (Article 18).
- Individuals will have a right to data portability meaning that they can request that their personal data is transferred to another organisation in a structured, commonly used format (Article 20).
- Implement procedures that will manage an individual’s right to object to processing (Article 21).
Please contact us to discuss how Tkm can help with your preparations.
I’m not sure any information management blog would be complete without comment on the recent news. There have been two stories that caught my eye. The first, I am sure, almost goes without saying and relates to the malware attack and the importance of cyber security. The second was less prominent, although still relating to the on-line environment, and looks at the right to be forgotten introduced by the General Data Protection Regulation (GDPR).
The Increasing Profile of Cyber Security
It is very unlikely that you have managed to escape the fact that there has been a ransomware attack on a global scale affecting huge numbers of organisations. IT security is often an area where costs are cut without a full awareness of the risks associated with poor security.
Without proper arrangements in place, organisations may be in a situation where they have quite literally lost all of their information, records and documents. For some this will almost certainly mean that they will have to stop operating or trading. Even if organisations can continue operating, what is the real cost of losing financial, customer and operational records? They are likely to be substantial and this is without considering risks to the organisation’s reputation.
Are You Managing Key Risks?
As with any loss of data, this may also be considered a data breach by the Information Commissioner, regardless of whether access has been compromised. Under data protection legislation organisations must take appropriate technical and security measures to keep personal data secure (Principle 7 under the Data Protection Act 1998).
There is already a huge amount of guidance and advice that has been issued from a number of reputable sources, one of which is the NCSC. Just to reiterate, there are basic steps everyone can take to improve their information security and protect themselves against on-line threats:
- Keep all of your software up to date, particularly operating systems. Your network can be compromised in a number of ways; the risk is not limited to e-mail.
- Ensure you have comprehensive anti-malware software and other appropriate on-line protection.
- Make sure you have a reliable backup of all your critical business information. This should be separate from your main systems. You should also test your backups regularly.
- Train your staff and others using equipment on your systems or with access to your network. Basic training about the importance of information security is essential.
The Right to be Forgotten
The increasing cyber security risks weren’t the only story to catch my eye recently. I read with interest that one of the political parties issued an election pledge to pass legislation that enables people to remove their records from social media. The records would need to relate to a time before they were 18 years old. While I am not going to get into legal technicalities in this blog, it would seem that they may not be aware of the General Data Protection Regulation (GDPR).
The GDPR provides a right to erasure, or the “right to be forgotten” (Article 17). It has been designed to tackle people’s lack of control of their own information in the on-line environment. It will, however, apply to all personal data and not just information published on-line. The GDPR has no restrictions on who can make a request and the right applies to everyone, not just those who are under 18.
You should check your systems will allow your organisation to comply with the right to be forgotten. With cloud-based computing and the ability to restore back ups, it may not be straightforward. The GDPR also introduces significantly enhanced protection for personal data that relates to children. Anyone processing the personal data of children should check the new legal requirements as a priority.
One pro-party article I read said that the party will introduce a new data protection act to tackle these issues. Good news! No need, the job is already done!
Tkm can help with your preparations for the GDPR. To discuss your requirements for data protection consultancy and training, please contact us.
With just over a year to go until the implementation of the General Data Protection Regulation (GDPR) one of the tasks to get started with for certain types of organisations is the appointment of a Data Protection Officer (DPO).
The Article 29 Data Protection Working Party (WP29) has recently published some useful guidance (5 April 2017) that describes the DPO as being at the “heart of this new legal framework”, and this blog summarises key elements of the guidance and associated annex.
Who is required to appoint a DPO?
There are three cases where it is mandatory for a DPO to be appointed by a Controller or a Processor (Article 37(1)):
- Where the processing is carried out by an organisation considered to be a public authority or body except for courts acting in their judicial capacity. The WP29 guidance suggests that, as good practice, private organisations carrying out public tasks (such as energy supply, public housing and others) should also designate a DPO.
- Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. The WP29 guidance defines “core activities”, “large scale”, as well as what constitutes “regular” and “systematic”, and discusses useful examples such as the use of closed circuit television.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories (Article 9) of data or personal data relating to criminal convictions and offences. As above, the WP29 guidance has some useful examples of what processing is likely to fall within this definition.
Unless obvious, the WP29 guidance recommends organisations should conduct “internal analysis” to determine whether a DPO is to be appointed.
If a DPO is not mandatory for our organisation, should we still appoint one?
Organisations can voluntarily appoint a DPO. However, it should be noted that the WP29 guidance states that where a DPO is designated on a voluntary basis, the requirements laid down under Articles 37 to 39 will apply as if the designation had been mandatory. This means that if you do not have to appoint a DPO, roles should only be given the title of DPO if they will be tasked with all obligations laid down in the Articles above. They are also responsible for all processing operations carried out by the organisation with regard to personal data, meaning that you cannot be selective about which processes the DPO may cover.
What are the DPO’s responsibilities?
Tasks of the DPO are laid down by Article 39(1) and are summarised below. These are to:
- Inform and advise the Controller or the Processor and the employees who are processing personal data of their obligations under the GDPR;
- Monitor compliance with the GDPR;
- Provide advice regarding data protection impact assessments and monitor their performance;
- Cooperate with the supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK;
- Act as the contact point for the ICO on issues related to the processing of personal data.
Article 39(2) requires the DPO to have a risk-based approach to undertaking their duties, taking into consideration the nature, scope, context and purposes of processing operations. The accessibility of the DPO should also be effective, with the controller or processor required to publish the contact details of the DPO and also provide them to the ICO.
It is important to note that a DPO is not personally responsible for compliance with the GDPR. This remains the responsibility of the Controller or Processor (Article 24(1)). There are additional organisational responsibilities with regard to the DPO and these will be covered in a later blog.
Who can be a DPO?
Article 37(5) states that the DPO, who can be a staff member or contractor, “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. The WP29 guidance states that although the required level of expertise is not defined, “it must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.
It is worth noting that although Article 38(6) allows DPOs to “fulfil other tasks and duties”, an organisation must ensure there is no conflict of interest. The WP29 guidance suggests this will depend on each organisation, although it may preclude senior management such as the Chief Executive, Chief Financial Officer, Head of Human Resources, and Head of IT, amongst others, from the role of DPO.
What should I do next?
The first step is to identify whether a DPO is required in your organisation and, if so, who should fill the role. You should check the text of the GDPR, the WP29 guidance, and also the information available from the Information Commissioner’s website on DPOs to make sure you understand how these requirements will apply to your organisation.
You can then begin the process of recruitment, contracting and training new and existing staff as appropriate. It is essential that your organisation has developed the necessary competencies to comply with the GDPR by 25 May 2018. Training is a key organisational measure in preparing for the GDPR and Tkm can help. If you are interested in training for DPOs please contact us.
Tkm is in the process of adding accredited data protection qualifications to their portfolio and also delivers in house training that can be fully customised according to your business sector and the individual learning needs of your staff.
Look out for our next blog which will provide some guidance on choosing the right training for your organisation, helping to ensure best value for money.
The material contained in this article constitutes general guidelines only and does not purport to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.
I couldn’t help but smile over the Christmas break when the other half was playing with their latest gadget, a well-known Voice Service speaker. Having started to become familiar with how it operated, the requests were getting shorter and shorter. It would appear that manners are included for free – when the commands were eventually reduced to a single word, the speaker responded with “that wasn’t a very nice way to ask” and the request had to be rephrased before being actioned!
The technology in these devices is amazing, although it once again highlights the increasing issues with privacy. Devices are constantly “listening” and monitoring the environment, collecting data about the way in which we are choosing to live our lives. And how many of us actually check what happens to this data or take any steps to control how it is used? We have already seen a case in the USA where the police have issued warrants for the data collected by such a device. While they were refused, the police were still able to extract the data they were looking for from the device itself, and I am sure cases will follow in the UK.
The explosion of new technology highlights the need for reform of privacy-related laws, and the General Data Protection Regulation (GDPR) will offer much greater control than existing laws. With less than 18 months until it comes into effect, it is time to begin preparations. It is a fairly complex piece of legislation with potentially significant implications so where do we start?
This blog is going to go back to basics, discussing what information falls within the GDPR. This will inform and underpin many of the topics discussed in later blogs as well as provide an opportunity for you to assess your readiness for the GDPR.
Relevant Key Terms
We are going to start by briefly discussing the key terms used in this blog and their interpretation. The first terms to be considered are “personal data” and “controller”.
The definition of personal data is broadening from the existing definition under the Data Protection Act 1998 (DPA 1998) (see Note 1). The GDPR applies to personal data which is defined as (Article 4):
“…any information relating to an identified or identifiable natural person”.
The definition goes on to state that an identifiable person is one who can be identified directly or indirectly by reference to an identifier, and includes online identifiers.
If you are responsible for personal data, you are likely to currently be considered a data controller. The term “controller” and its definition is essentially retained under GDPR, which states the controller:
“…determines the purposes and means of the processing of personal data”.
Alongside identifying any responsibilities for personal data, it is also important to identify what personal data your organisation is processing, as they may not necessarily be the same. The term “processing” essentially covers anything you do with information, including collection and storage (see Note 2).
Where an organisation is processing personal data on behalf of a data controller, they are likely to currently be considered a data processor. The term and meaning of “processor” is retained by the GDPR although there are new responsibilities for data processors which will be discussed in future blogs (see Note 3).
Documenting Your Organisation’s Personal Data
Before we can start on compliance activities, the crucial first step is to identify the personal data for which your organisation is responsible, as well as personal data being processed by your organisation. This may seem obvious and straightforward, and often can be, although it is always worthwhile spending some time auditing activities to determine exactly where personal data is held, and why and how it is processed.
There are many different ways of auditing the information held by your organisation. The audit needs to establish the properties of personal data, which will help determine levels of compliance and what changes need to be made. It is recommended that the interpretation of personal data is as wide as possible at this stage to ensure nothing is missed. If information allows or enables people to be identified, including information that requires a secondary source to make that identification, it should be documented as personal data.
Under GDPR there is much more of a focus on accountability, which places a greater emphasis on knowing where your personal data came from, and where it goes. Therefore rather than looking at static datasets and collections of information, it may be more effective to base the audit on business processes and looking at inputs and outputs. In addition to identifying the information associated with that process, this approach will also enable you to understand how data flows through your organisation.
It will be important to document as much as you can about how personal data is managed. For each business process, this should include:
- Personal data held by your organisation. If not already known, it would also be helpful to note whether your organisation is likely to be considered the data controller, and the format in which it is held;
- Personal data held and processed on your behalf by a third party. GDPR is likely to require changes to existing contracts and this will be revisited in a later blog;
- Personal data being processed by your organisation on behalf of a third party;
- The purposes for which personal data is processed. Remember that different parts of your organisation may be using the same information for different purposes and each purpose should be documented;
- How personal data is processed and any resulting changes to that dataset or information. It will also be important to identify whether there is any automated processing and who can access the data;
- How long personal data is kept and how it is destroyed;
- Sources of personal data, and whether personal data from your organisation is made available or accessible to a third party;
- It would also be helpful to document existing safeguards in place such as contracts, data processing agreements, or data sharing agreements, and which role in your organisation has overall responsibility for the personal data you identify.
There are many ways to approach the audit or review and the most appropriate method for your organisation is likely to depend upon many factors including size and type of business activity (see Note 4). You may wish to create an information asset register (IAR), which can be developed and updated as the various measures for compliance are implemented. This type of document should provide you with current high level risks of non-compliance to your organisation, as well as provide a record of the measures taken to ensure compliance.
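As an added illustration (not code from the original blog or from Tkm), the following Python models the process-based audit above as records in an information asset register and reports the high-level non-compliance risks the post says such a register should surface: missing purpose, legal basis, retention period or owner, special category data, third-party processors without a data processing agreement, processing outside the EEA without safeguards, and profiling or automated decision making. The record fields, the country list and the sample processes are constructed assumptions for the example, not real data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed for the example: a handful of EEA member state codes plus the UK,
# which was still an EU member state when the blog was written.
EEA = {"UK", "IE", "DE", "FR", "NL", "ES", "IT"}


@dataclass
class ProcessRecord:
    """One business process from the audit, with the fields the post lists."""
    process: str
    role: str                              # "controller" or "processor"
    purposes: List[str]                    # each purpose documented separately
    legal_basis: Optional[str]             # Article 6 basis; None if not yet identified
    special_category: bool                 # Article 9 or Article 10 data involved
    retention_period: Optional[str]        # None if not yet decided
    storage_locations: List[str]           # country codes where the data is processed
    processors: List[str]                  # third parties processing on your behalf
    processor_contracts: Dict[str, bool]   # processor -> data processing agreement in place
    transfer_safeguards: bool              # safeguards documented for non-EEA processing
    automated_decisions: bool              # profiling or automated decision making used
    owner: Optional[str]                   # role with overall responsibility


def assess_record(r: ProcessRecord) -> List[str]:
    """Return the high-level non-compliance risks for one documented process."""
    findings = []
    if not r.purposes:
        findings.append("no purpose for processing documented")
    if r.legal_basis is None:
        findings.append("no legal basis for processing identified (Article 6)")
    if r.special_category:
        findings.append("special category or criminal offence data: check Article 9/10 conditions")
    if r.retention_period is None:
        findings.append("no retention period: erasure and the right to be forgotten cannot be managed")
    outside = sorted(c for c in r.storage_locations if c not in EEA)
    if outside and not r.transfer_safeguards:
        findings.append(f"processed outside the EEA ({', '.join(outside)}) without documented safeguards")
    for p in r.processors:
        if not r.processor_contracts.get(p, False):
            findings.append(f"no data processing agreement with {p}")
    if r.automated_decisions:
        findings.append("profiling or automated decision making: review compliance")
    if r.owner is None:
        findings.append("no role assigned overall responsibility for this data")
    return findings


def findings_by_process(records: List[ProcessRecord]) -> Dict[str, List[str]]:
    """Assess every record; processes with no findings map to an empty list."""
    return {r.process: assess_record(r) for r in records}


def sample_register() -> List[ProcessRecord]:
    """Constructed sample records for three processes; not real data."""
    return [
        ProcessRecord("Payroll", "controller", ["paying staff"], "legal obligation",
                      False, "6 years", ["UK"], ["PayrollCo"], {"PayrollCo": True},
                      False, False, "Head of Finance"),
        ProcessRecord("Marketing newsletter", "controller", ["marketing"], None,
                      False, None, ["UK", "US"], ["MailTool"], {},
                      False, True, None),
        ProcessRecord("Occupational health", "controller", ["staff welfare"], "consent",
                      True, "6 years after employment ends", ["IE"], [], {},
                      False, False, "Head of HR"),
    ]


if __name__ == "__main__":
    for process, findings in findings_by_process(sample_register()).items():
        print(f"{process}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  -", f)
```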
Remember, GDPR builds on existing data protection legislation and organisations should already be compliant with the DPA 1998. Once you have documented your personal data, it would be useful to do a check on current compliance, and identify whether any immediate actions are required.
We are going to use this information in a number of future blogs to assess your readiness for the GDPR so make sure you keep it handy. Questions, comments, feedback and special requests are always welcome.
Note 1: The current definition of personal data and guidance on its interpretation is available from the Information Commissioner’s (ICO) website. The ICO is the UK regulator for the Data Protection Act 1998 and will also regulate the GDPR.
Note 2: ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Note 3: Data controllers are currently responsible for ensuring any processing of personal data for which they are responsible complies with data protection legislation. GDPR introduces distinct requirements for data processors which will be covered in a later blog, and it is important to understand your role with regard to personal data that your organisation is processing from the outset.
It is possible for an organisation to be a data controller and a data processor. For example, if you are an organisation providing employment services for others such as HR services to other organisations, you are likely to be a data controller for your own client (where they are individuals, sole traders or partnerships) and employee information. You are also likely to be a data processor of personal data relating to third party employees.
In practice, these relationships can often be extremely complex. The relationship should be documented by contract and further guidance on this is available from the ICO’s website.
Note 4: The first place for guidance is always the ICO’s website. There are also the relevant BSI standards which relate to managing records and information. For a more detailed approach using business processes, there is some useful guidance in DIRKS https://www.records.nsw.gov.au/recordkeeping/advice/dirks/step-b. This was written primarily for Australian public sector organisations; however, the principles can be applied to any organisation and it is widely accepted as best practice. If you are interested in Tkm providing this service for your organisation and assessing your readiness for the GDPR, please get in touch.
The Current Situation
As many of us will already know, if we use personal information we are likely to be subject to data protection laws that govern the way in which we are able to use that information. Whether we have a simple contacts and appointments book as a self-employed or freelance worker, post pictures on social media promoting our business or charity, or have many thousands of individual client records within a large business, we are likely to be required to comply with the Data Protection Act 1998.
While some organisations have excellent standards of compliance, I think it would be fairly safe to say that many remain unaware of their obligations under the legislation and, perhaps for some, even that the law exists or that it applies to them. Arguably that has been due, at least in part, to the minimal risks facing most from non-compliance. The Information Commissioner’s Office (ICO) can and does issue fairly significant fines, and we have recently seen Talk Talk given a record £400k fine for failing to appropriately secure personal information. However, for many, the circumstances that give rise to these headline-grabbing penalties are likely to seem a world away from their own operations.
What is Changing?
Every organisation that uses personal information should be aware that the most significant change to data protection law in decades is on the horizon. After a time of uncertainty, the way forward for the implementation of the General Data Protection Regulation (GDPR) seems to be emerging. The new EU Regulation on data protection was adopted earlier this year, becoming effective in all EU member states in May 2018.
Being an EU Regulation, naturally there was some confusion (and, perhaps for some, wishful thinking!) about whether it would actually come into force following the Brexit vote. However, we now have confirmation that the ICO considers the Regulation as being in force (just not in effect), as well as the widely reported proposal from the UK Government that all existing EU legislation will be transposed into domestic legislation by the Great Repeal Bill.
The UK Government may choose to amend some aspects of certain EU Regulations, although in the case of the GDPR most organisations are unlikely to be in a position where they can afford to wait and see what happens. With fines in the new legislation of up to an eye-watering 4% of annual global turnover or €20M, there can now be little doubt that it is definitely time to get started with the changes required to implement the new standards. We also need to remember that the Regulation (in its current form) is highly likely to come fully into force before we leave the EU.
What Does My Organisation Need To Do?
This blog will help you prepare for the new data protection legislation and manage key risks to your organisation.
We will be issuing a regular blog that looks at the practicalities of implementing the new requirements, draws together any relevant advice and guidance that has been issued, and keeps you informed on the meaning of any legislative change that could affect implementation. Topics that will be covered will specifically discuss some of the new GDPR requirements and will include:
- Implementing a breach reporting procedure that informs the ICO and people where their data has been put at risk;
- The practical implications of the “right to be forgotten”. Individuals can request, at any time, that information you hold about them is deleted and you must be able to comply with this request unless there are legitimate grounds to continue holding it, for example, for tax purposes. By implication, you will need to know what information you are holding, how long you need to hold it for, when you are able to destroy it, and provide confirmation it has been destroyed, which is arguably already a requirement under existing legislation;
- The meaning of “data protection by design and default”. Adequate controls to safeguard personal information must be integrated into systems and procedures from the planning stages, and in some cases will require a privacy impact assessment;
- Understanding the legal basis for processing personal information, which means you are able to justify, in terms of the legislation, why you are processing personal information. While this may sound like legal jargon, it is going to be an area that organisations will need to familiarise themselves with in order to comply and we will try to break this down into simple tasks. People will have a right to this information, and it will also need to be included in privacy notices;
- Following on from the above, consent is one of the conditions for processing that you may currently be using, and the rules for the use of consent are changing. Again this is likely to be a major task for some organisations. Our blog will look at what procedures may require change and ways of integrating the obtaining of consent into existing processes so that they comply with the new legislation;
- Some organisations will require a data protection officer and we will look at their role and how that should facilitate compliance.
Key Action Points
There is some information available from the ICO’s data protection reform site and all organisations should start by reviewing the 12 steps for preparing for GDPR. At the very least, organisations should be looking at their compliance with the current legislation and taking action to address gaps. Building on the ICO’s guidance, two key tasks to get started on are to:
- Identify what personal data you hold, where it was obtained from and who it is shared with. As discussed above, you should also understand why you are holding it (the purpose), how long you need to retain it for, and ensure it can be destroyed when it is no longer required;
- Raise awareness of the new legislation within your organisation. Change is likely to require resources and senior management buy-in which will be supported by key people in your organisation fully understanding the risks.
As always, feedback and requests for topics are welcome.
Liz has worked with data protection for nearly 20 years and helps organisations with managing their information as well as practical compliance with information-related legislation.