In our blog today, we look at the implications for Data Protection in the event of a No Deal Brexit. This is an increasingly likely scenario, given the inability of the politicians in both houses to agree on a sensible approach.
A very informative article by FieldFisher explains that the EU Withdrawal Agreement seeks to ensure there is no disruption to data flows after Brexit.
Currently, the EU Withdrawal Agreement proposes that during the Implementation / Transition phase, i.e. the period from March 2019 until the Treaty governing the future relationship is agreed, existing EU laws will continue to apply within the United Kingdom.
This means that businesses and practices must still comply with the existing regulations – the UK Data Protection Act 2018 and the EU General Data Protection Regulation. So, no change there.
The UK government and businesses on both sides of the Channel would like the free flow of personal data to continue after the Transition period ends. Once the UK is outside the EU, this would take the form of an adequacy decision, similar to the adequacy decisions the EU has given to countries such as the United States, Canada, New Zealand and Argentina, which ensure the free flow of data.
An adequacy ruling from the EU Commission effectively means that the Data Protection laws in a country are adequate to ensure the protection of individuals’ rights regarding their personal data.
The Political Declaration
The political declaration on the future relationship between the UK and the EU, describes the ‘endeavour’ to adopt an adequacy decision by the end of the Transition period.
Given that the UK government adopted all of the GDPR provisions into the UK Data Protection Act 2018, my personal opinion is that it would be astounding and rather disingenuous if the EU did not grant the UK an adequacy decision.
But what happens if there is No Deal before March 2019?
The UK ceases to be a member of the EU in March 2019, instead becoming a third country. If the EU Withdrawal Agreement Bill does not go through UK Parliament, there will be neither an agreement on the Transition period nor a plan for a future trading agreement.
From a Data Protection perspective, third countries either require an adequacy decision OR must implement other safeguards for data transfers from the EU to the third country and vice versa.
What are the other safeguards?
A legally binding and enforceable instrument (e.g. a contract or agreement) between public authorities or bodies. If you are a private organisation, this is not the solution.
Binding Corporate rules – BCRs are an internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to non-EEA group entities. However, BCRs must be submitted for approval to an EEA Supervisory authority – which can be a lengthy and expensive process. If you are a SME private organisation, this is not (or unlikely to be) the solution.
Standard contract clauses (or model clauses) adopted by the EU Commission – these can be used in contracts and have been approved by the EU, but have yet to be updated to reflect the EU GDPR. The clauses cover the transmission or processing of personal data from / to non-EEA countries, BUT only when used in their entirety and without amendment.
So the standard contract clauses need to exist in any contract where the transfer of personal data occurs outside the UK (currently outside the EEA).
If we exit the EU without a deal, your organisation or practice very quickly needs to:
Understand what data you have, how it flows and which countries the data is received from or flows to.
Be prepared to review and possibly update any contract with another organisation outside of the UK where data flows from and to.
If you have not yet done your homework or analysis on your organisation’s data, I strongly recommend this is a priority task for January 2019, especially if the EU Withdrawal Agreement Bill is not approved by UK Parliament in a few weeks. You should have done this anyway, as part of Data Protection compliance.
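To show what the data-flow review above looks like in practice, here is an added example (not code from the original post or from Data Protection 4 Business): a small checker over a constructed register of data flows that flags, for both the Deal and No Deal scenarios, every cross-border flow that relies on neither an adequacy decision nor one of the safeguards listed above. The country sets, the register and the rule that a flow whose far end holds an adequacy decision needs no further clauses are assumptions made for the example.

```python
from dataclasses import dataclass

# Illustrative subsets only, constructed for this example (not complete lists).
EEA = {"DE", "FR", "IE", "NL", "IS", "LI", "NO"}
ADEQUATE = {"CA", "NZ", "AR"}                       # third countries with an EU adequacy decision
SAFEGUARDS = {"scc", "bcr", "public_instrument"}    # the other safeguards the post lists


@dataclass
class Flow:
    system: str        # e.g. "payroll"
    source: str        # ISO country code of the entity sending the personal data
    destination: str   # ISO country code of the entity receiving it
    safeguard: str     # "none", "scc", "bcr" or "public_instrument"


def regulated_areas(no_deal: bool):
    """Today the UK sits inside one EEA-wide area; after No Deal it is its own area."""
    return [EEA, {"GB"}] if no_deal else [EEA | {"GB"}]


def crosses_boundary(flow: Flow, no_deal: bool) -> bool:
    """A flow is a restricted transfer when exactly one endpoint is inside some regulated area."""
    return any((flow.source in area) != (flow.destination in area)
               for area in regulated_areas(no_deal))


def needs_review(flow: Flow, no_deal: bool) -> bool:
    """True when the contract behind this flow must be checked or updated in the given scenario."""
    if not crosses_boundary(flow, no_deal):
        return False
    # Assumption for the example: an adequacy decision at the far end removes the need for clauses.
    if flow.source in ADEQUATE or flow.destination in ADEQUATE:
        return False
    return flow.safeguard not in SAFEGUARDS


def flows_to_review(register, no_deal: bool):
    """Names of the systems whose contracts need attention, in register order."""
    return [f.system for f in register if needs_review(f, no_deal)]


# Constructed sample register for a UK practice.
REGISTER = [
    Flow("payroll", "GB", "IE", "none"),    # UK to Ireland, no clauses today
    Flow("crm", "DE", "GB", "none"),        # German partner sending data into the UK
    Flow("backup", "GB", "US", "scc"),      # model clauses already in place
    Flow("survey", "GB", "CA", "none"),     # Canada holds an adequacy decision
    Flow("helpdesk", "GB", "IN", "none"),   # needs review in either scenario
]

if __name__ == "__main__":
    print("deal:   ", flows_to_review(REGISTER, no_deal=False))
    print("no deal:", flows_to_review(REGISTER, no_deal=True))
```

Under a deal only the helpdesk flow is flagged; under No Deal the payroll and CRM flows between the UK and EEA partners join it, which is the contract review the post warns about.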
Something to think about in January.
Today’s fact. Did you know that data merely in transit through a country is not subject to the EU GDPR? This means that the data must not be stored, processed, accessed or amended in any way; it just passes through.
=> At least that’s one thing you don’t need to worry about!
That’s it from me for 2018. I’ll be back in January 2019 with an update on the implications of Brexit for Data Protection.
Wishing you and your families a very happy festive season!
In our blog today, from Karen Heaton at Data Protection 4 Business, we look at Data Protection Officers. Do you need one?
Well… probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority.
Ok, you don’t. BUT you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and the Data Protection Act. So, somebody needs to be responsible!
Responsible for what?
Even for small and medium sized organisations, someone will need to be skilled and available to undertake these tasks:
Responding to Subject Access Requests and managing Data Breaches
Reviews of security – physical and IT
Making sure your organisation is compliant or has a work plan to become compliant
Training staff in all areas and responding to any queries from clients, suppliers or staff – remember the lessons from Data Breaches in our earlier blog? Staff can be a high source of data breaches – unintentionally or not!
Working across all business functions, such as IT, Marketing, Finance and operations to understand the data in use and ensure operational procedures are in place
Policing the operations to ensure procedures are being followed AND are effective
What skills are needed? Can this be outsourced? Absolutely, yes.
A good DPO should be able to wear many hats and have a wide range of skills.
Strong IT knowledge, detailed understanding of the regulations, know what ‘being compliant’ looks like and good project management skills to manage the changes needed within an organisation
Be active in the Data Protection space, follow trends, keep abreast of risks and continually scan for solutions e.g. software products to automate tasks
Save you time and money. For small and medium sized organisations, training up a member of staff or a small team can be costly and time consuming, so outsourcing can be a cost-effective solution
Support your organisation in Data Protection Impact Assessments to identify business risks
Be independent and objective. A key requirement of the role according to the regulations
Internal resource or an outsourced service?
This depends on a number of factors and it can be a long list! But it mainly boils down to a) what risks your organisations may be running and b) what skills your resources have.
What are your data risks? Do you process Sensitive or Child data? Do you store financial details?
How many customers, staff, suppliers do you have?
Where are your data stored?
Do you sell things via your website?
Is your industry a target for cyber attacks?
There’s a lot to think about, that’s for sure.
Today’s fact. According to the GDPR and Data Protection Act, the DPO role can be outsourced to another organisation.
=> This may be a more efficient solution for your business. However, do check their credentials first!
The fees are explained here: SMEs’ fees range from £40 to £60 per annum.
Decide who will be responsible for Data Protection within your organisation – it must be someone!
The ICO uses a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.
=> Put the essential operational measures in place now to avoid issues in the future.
Our fifth blog from Karen Heaton of Data Protection 4 Business covers how to handle a request from a patient or customer for details of the information that you hold on them.
In our blog today, we look at a data subject’s right to access, a powerful tool for individuals who have concerns about what information organisations hold about them. Unfortunately, it can also be used for litigious purposes and such a request should be taken very seriously within your organisation, so please read on!
A data subject, in other words, you or I, can request a free copy of all personal data relating to us that an organisation holds – in any format – paper files, digital, videos or voice records. Ok, do I have your attention now? Even for a small organisation, that can amount to a lot of data.
Oh, and you have one calendar month to respond.
So, what must you provide and what is exempt? Well, let’s see…
What information must I provide?
You must provide the following long list of information in relation to the personal data being processed as well as the data itself:
the purposes of your processing
the categories of personal data concerned
the recipients or categories of recipient you disclose the personal data to
your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
the existence of their right to request rectification, erasure or restriction or to object to such processing
information about the source of the data, where it was not obtained directly from the individual
the existence of automated decision-making (including profiling)
the safeguards you provide if you transfer personal data to a third country or international organisation
the right to lodge a complaint with the ICO or another supervisory authority
I have a question or two: would you know where to find the data? Would you be able to respond to the other information points above regarding the data you hold? This is not a simple task and can amount to an operational headache for many organisations.
What information can I withhold?
The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared or it is reasonable not to require such consent – confused?). For example, an email chain where people other than the data subject are mentioned would need to be considered for redacting. How easily can your organisation find, review and redact third party information?
Other examples of exempted information:
Specific information regarding medical organisations
Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.
Subject Access Request (free) vs Access to Medical Reports Act 1988 (chargeable):
Requests from Solicitors acting on behalf of a Patient
The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a medical practice will be able to lawfully decline such requests. In this instance, you should ask the person acting on their behalf if there is specific data that they require, for example, are they requesting data covering a specific time period or illness or operation? This is a valid question for you to ask if the patient data file is substantial.
Tip: Don’t forget to get valid consent from the patient to disclose their personal and sensitive data to the Solicitor or third party.
If, however, the request is asking for a report to be written or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.
Requests from an Insurance company
The British Medical Association, ICO and Association of British Insurers currently advise that Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.
So, that scenario is a bit more clear cut.
The bottom line is….
Your organisation or medical practice must take the time to consider and plan how to respond to a Subject Access Request from an operational perspective. Don’t wait until you receive one to work out how it should be done. The clock starts ticking from the day you receive the request.
Today’s fact. Access to your data is a basic right under the GDPR and the Data Protection Act 2018. A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request. Further failure to respond to requests from the ICO, and to any Enforcement Notice they serve, is a criminal offence.
=> This is worst case scenario and easily avoided. Ensure you have a robust operating procedure to handle Subject Access Requests and train your staff in how to respond, when to respond and what information to provide.
In the fourth in our series of data protection blogs, Karen Heaton from Data Protection 4 Business Ltd reviews and explains how to identify a data breach and when to report it.
GDPR and data breaches
We have discussed in our previous blog the potential level of fines for data breaches and some common causes of these breaches.
Our blog today answers the questions: what exactly constitutes a reportable data breach, and whose responsibility is it to report it? We will look at guidance from the European Data Protection Board on examples of data breaches and whether to report them to the data subject(s) or the Information Commissioner’s Office (ICO).
What constitutes a data breach?
Data Breach Definition – defined in the GDPR Article 4(12) as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
What this means in practice is that all data breaches are security failures, but not all security failures are data breaches. And… not all data breaches have to be reported to either (or both) the data subject(s) or the ICO.
So, how do you know what to report or not? Have you had a breach? How would you know?
Examples of how you may identify a data breach
Employee loses a bag, phone, USB stick
Monitoring software identifies unauthorised access to an account or file
Large attachments are sent in outgoing emails to an employee’s private email account
A supplier (data processor) tells us that they have had a cyber-attack and data has been compromised
A client phones to say they have received an odd email from your company, asking for bank details for an unexpected refund
Assessing a breach for reporting
When assessing a security incident, the Data Controller should a) assess whether the security incident has resulted, or is likely to result, in a loss of personal data, and then b) decide whether that breach is likely to result in a risk, or a high risk, to the rights and freedoms of the data subject. Of course, this depends on the type, volume or subject matter of the data. Each breach will have its own unique characteristics depending on the organisation and data affected. See the full list of guidance from the European Data Protection Board here.
How to report a data breach
It is the responsibility of the Data Controller to assess, resolve and report data breaches. Any suppliers (data Processors) who are involved in the incident must assist the Data Controller in the investigation, and provide fixes where appropriate. Therefore, it is important to Know Your Data (KYD) and ensure that you understand your responsibilities in each potential scenario.
Once the Data Controller has assessed that the data breach is likely to result in a high risk to the data subjects, he/she must complete a Data Protection breach notification form and send it to the ICO within 72 hours of becoming aware of a breach that must be reported.
The Data Controller must then decide how and when to notify the data subjects affected. It is essential to have an operational process or plan for staff to follow.
Today’s fact. Did you know that the ICO’s website lists organisations who have been or are being audited, in addition to lists of organisations being monitored over concerns about compliance?
=> Take your data protection responsibilities seriously, know your data (KYD) and be operationally compliant to avoid the reputational damage from your company name being listed on the ICO website.