How to Report a Data Breach

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), any business or organisation which suffers a personal data breach is required to carry out an assessment. Depending on the seriousness, it may be necessary to report a breach to the Information Commissioner’s Office (ICO). In this post, we will explain the circumstances under which it may be necessary to report personal data breaches, how to report them, and we will look at some of the potential consequences.

What is Considered a Data Breach?

The ICO defines a personal data breach as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

In order to be considered a data breach under the regulations, the data which has been breached should have been of a personal nature; general data which does not relate to an identifiable living individual is not covered under the UK GDPR or DPA.

Data breaches are often caused by a cyberattack. In such cases, malicious hackers might target a business and attempt to extract information it holds, for example in databases. Alternatively, the organisation may fall victim to malware circulating online, for example when an employee clicks on a link in a spam email and inadvertently installs a trojan horse that then gains access to confidential data.

That being said, a data breach does not always have to be the result of a cyberattack, or even occur online. There have been several publicised cases where members of staff have forgotten a USB stick or paper files containing personal data on a train or other public places. These are also considered to be data breaches, as are cases where an employee has accidentally emailed confidential files to an unintended recipient who is not authorised to access the personal data inside.

It’s also worth noting that the data does not necessarily need to fall into the wrong hands to be considered a data breach. If an authorised person deliberately or mistakenly alters or deletes personal data improperly, this also contravenes the rules.

How Serious are Data Breaches?

Depending on the circumstances, the ICO may fine any organisation which suffers a data breach up to a maximum of £17.5 million or 4% of its annual global turnover (whichever is higher). British Airways was fined £20 million for infringements of the GDPR in relation to a data breach in 2018 which exposed names, addresses, and payment card details of customers and staff.

In addition to potential ICO penalties, businesses in certain sectors may also have to contend with their own regulatory bodies. For example, law firms which suffer a data breach as a result of failure to implement sufficient cybersecurity measures may face enforcement action from the Solicitors Regulation Authority (SRA).

Furthermore, businesses which are publicly exposed as having incurred a significant data breach will inevitably suffer a certain degree of reputational damage. This can result in loss of clients and potentially missing out on future business opportunities.

Finally, data breaches which involve a cyberattack will result in damage to IT infrastructure, and there will often be extensive work which needs to be carried out to rebuild security protocols, issue new passwords and so on.

What is the Maximum Fine for a Data Breach?

The “higher maximum level” of fine for breaching the UK GDPR is £17.5 million or 4% of its annual global turnover (whichever is higher). This level can apply to infringement of key aspects of the UK GDPR including the data protection principles, the rights of individuals, and provisions relating to the transfer of personal data to third countries.

The “standard maximum level” of fine – which applies to other types of infringement (such as those relating to certain obligations of controllers and processors, and certain obligations of certification and monitoring bodies) – is the higher of £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year.

A number of factors will be considered when deciding whether or not to impose a fine and how much the fine will be. Some key factors taken into consideration will include (note that this is not an exhaustive list):

  • The nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the personal data processing involved, the number of individuals affected, and the level of damage suffered by them;
  • The intentional or negligent nature of the infringement;
  • Action taken to mitigate the damage suffered by individuals;
  • The degree of responsibility taking account of the technical and organisational measures implemented by the data controller and/or processor involved;
  • Previous infringements;
  • The degree of co-operation with the ICO in remedying the infringement and mitigating its adverse effects;
  • The categories of personal data affected by the infringement;
  • The manner in which the infringement became known to the ICO (whether or not the organisation responsible for the breach notified the ICO themselves, for example);
  • Compliance with approved codes of conduct; and
  • Other aggravating or mitigating factors.

Fines under the UK GDPR must be “effective, proportionate, and dissuasive”. In practice, both of these maximum levels of fine only apply to the largest companies with the most significant infringements, caused by egregious data protection failings. The ICO notes that: “Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.”

When should a Data Breach be Reported?

Any business which suffers a personal data breach is required to carry out an assessment of the likelihood of any risk to the rights and freedoms of individuals. If a risk is considered to be likely, the data breach should be reported to the ICO.

Who Should You Report a Data Breach To?

The ICO should be notified within 72 hours of the organisation becoming aware of a reportable breach. Follow the ICO’s guidance on breach notification on its website.

In addition to notifying the ICO, any individuals whose data has been involved in the breach should also be personally notified if the breach is likely to result in a high risk to the rights and freedoms of these individuals.

What Processes Should You Have in Place to Report a Data Breach?

Businesses should put in place data breach policies which cover the following steps:

  • Initial reporting – there should be a process for staff to report any suspected breach to management.
  • Assessment – how a breach is recorded and assessed to determine whether it needs to be reported to the ICO and/or the individuals affected.
  • ICO reporting – the process for reporting relevant data breaches to the ICO.
  • Individual notification – process for reporting data breaches to the individuals involved (where it meets the threshold).

Simply-Docs has a wide array of documents and policies relating to data breaches and other key areas of data protection.

What Happens After You’ve Reported a Data Breach?

Aside from reporting relevant data breaches, organisations will have a lot of work to do following a data breach, particularly where this is the result of a cyberattack.

An investigation should be carried out to find out exactly what caused the data breach. The immediate issues should be resolved, new passwords issued where relevant, and disciplinary action taken if appropriate.

New measures should also be put in place to avoid similar data breaches occurring in future, which may involve updating company policies, upgrading software, and carrying out staff training.

The GDPR Two Years On

After a long build-up, a great deal of commentary, fear, and anticipation, the EU’s General Data Protection Regulation or “GDPR” came into effect on 25 May 2018. At the time, a great deal of attention was focused on the wider scope of the GDPR and, in particular, how “personal data” was defined. Individuals or “data subjects” had more and better rights bestowed upon them, and any organisation that breached those rights would face tough new penalties.

So, what actually happened? At the time, many businesses scrambled to become compliant with the new GDPR regime. Inboxes throughout Europe and beyond became clogged with messages about updated privacy policies. Internet users suddenly found their favourite websites blocked because American companies either didn’t know how to comply with the GDPR or didn’t want to. Far from being taken as a (mostly) sensible and practical evolution of existing data protection legislation, the GDPR became a source of fear for many. Scarcely an article about it could be found that didn’t talk of fines reaching into the tens of millions.

The GDPR itself requires the European Commission to review it every two years. Here in 2020, the outcome of that review is now due and should have been published in April, but at the time of writing, it is now expected in June. Now is also a good time for businesses and other organisations handling personal data to review the GDPR themselves.

  • After getting compliant in 2018, have you stayed compliant since?
  • There was considerable confusion around the GDPR two years ago; have things been clarified?
  • Has the GDPR been a success; is people’s personal data safer and have organisations taken more steps to truly protect privacy?
  • Has there been a wider impact; what happened to all those American websites that cut us off?
  • Has the GDPR been a force for change in other jurisdictions?

Moreover, as the oft-falsely attributed curse goes, may you live in interesting times. Both Brexit and the COVID-19 pandemic are significantly changing the business and legal landscape, not least where data protection is concerned.

In this post, we will take a look at the GDPR two years on, discussing the questions above (if not providing definitive answers!), and considering where we go from here. Whatever shape the UK’s domestic data protection legislation takes (initially as the “UK GDPR”), the EU GDPR and indeed the EU itself will remain central to many businesses’ compliance after the transition period ends. Meanwhile, the prevalence of home working, and the increase in sensitive medical data changing hands within organisations as the world endeavours to press on through the coronavirus pandemic, also raise important issues that were unforeseen just two short years ago.

What did the GDPR ever do for us?

Data protection legislation is still, in the grand scheme of things, in its relative infancy. Privacy has been protected to some degree by law for much longer, but the first Data Protection Act in the UK only dates back to 1984. This was succeeded by the Data Protection Act 1998, and again by the Data Protection Act 2018 and the GDPR.

Technology, particularly the internet, has been a major catalyst for the development of data protection law. In the mid-1990s, the internet was still quite new, but the implications for privacy and the widespread use of personal data were clearly recognised from an early stage. The EU passed its Data Protection Directive in 1995, setting out minimum data privacy and security standards. Being a Directive, it was then up to EU Member States to implement it through their own domestic legislation and, thus, the Data Protection Act 1998 was born.

As the world settled into the 21st Century, the internet’s appetite for personal data stepped up the pace. In 2010, the European Commission adopted a communication entitled “A comprehensive approach on personal data protection in the European Union” and so began the work to update the 1995 Directive and, considering the growth of the internet, not before time. In 1995 less than 10% of UK households had internet access. By 2010, this number had risen to over 70%. In 2016, the General Data Protection Regulation was born, due to enter into effect in all EU Member States on 25 May 2018.

The definition of “personal data” expanded significantly to include not only the obvious forms of personal data such as names and contact details, but also less obvious – at first glance, anonymous – forms of data such as IP addresses. The amount of information to be provided to data subjects was increased, and rules surrounding consent were tightened up. Greater emphasis was placed on accountability and record-keeping, and higher standards for “lawful processing” applied.

The GDPR also brought with it a much greater territorial scope than had been seen before. Simply put, if an organisation processed the personal data of anyone residing within the EU, regardless of that organisation’s location, the GDPR applied.

More information was required to be given to individuals when collecting their personal data. This requirement was designed to promote transparency, ensuring that individuals were more informed about what their personal data was being used for, how, why, and what rights they had in relation to that. In practice, it also triggered a veritable blizzard of “we have updated our privacy policy” emails.

The GDPR was designed to raise both standards and hurdles when it came to the use of personal data. In particular, new rules over consent were introduced, including a stricter standard for consent. Consent and explicit consent would now require a clear affirmative action from the individual. Consent would now have to be freely given, specific, informed, and unambiguous. Data controllers were also now required to make it easy to withdraw consent at any time and, unless they had another legal basis on which to continue using the personal data in question, would have to cease using it upon such withdrawal.

Not only were the requirements for consent toughened up, but so were other lawful bases for personal data processing such as “legitimate interests”. Under the old Data Protection Act 1998 regime, the UK had taken a rather generous position on this particular basis, but the GDPR narrowed things down, placing a stricter emphasis on ensuring that such interests were not overridden by the rights and freedoms of data subjects.

Key new rights were bestowed upon individuals, not least the so-called “right to be forgotten”, which gave individuals the right to require organisations to delete all personal data relating to them. In practice, particularly with so much data being backed up in various forms and spread across multiple systems, the prospect of complying with this right was a source of considerable concern for many.

New requirements concerning accountability were introduced. Chief among these was the requirement to notify supervisory authorities (such as the ICO) of data breaches within 72 hours if the breach was likely to pose a risk to the rights and freedoms of individuals. Where there was a high risk that the rights and freedoms of individuals would be adversely affected, the individuals themselves were also to be notified. The GDPR also introduced new requirements relating to Data Protection Officers, making it mandatory for a wide range of organisations to appoint one. Also important under the heading of accountability was record keeping. Even in situations where a decision had been made not to do something, for example because of a low risk to individuals’ rights, it would need to be documented.

How Did We React?

The majority of news items about the new GDPR were keen to emphasise one element above all others: the fines and penalties. In broad terms, the GDPR introduced two categories of fines, the highest of which could reach up to €20m or up to 4% of an organisation’s total worldwide turnover, whichever was higher. Cooler heads remarked that for many businesses that were already taking their Data Protection Act 1998 compliance seriously, there was little need to worry and that the change was easily manageable. Nevertheless, predictions of doom persisted.

Many were also confused about their obligations, leading in some cases to over-reactions and in others, to apathy. The over-emphasis in commentary on topics such as consent, for example, even led some to believe that it was now the only basis upon which they could use any personal data. Particularly for online operations in the US, so demanding and threatening was the GDPR that the preferred choice was simply to block all EU-based users from their websites.

Further concern stemmed from the fact that a great deal of guidance on data protection, including some of that available from official bodies, was outdated, referring only to the Data Protection Act 1998 / Data Protection Directive 1995 regime.

Where Are We Now?

What happened to all those huge fines that were going to put everyone out of business? There have certainly been fines, but, as the ICO was keen to point out in its blog post “GDPR – sorting the fact from the fiction” back in August 2017, “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm…Issuing fines has always been and will continue to be, a last resort…we intend to use those powers proportionately and judiciously.”

There have been some big fines, certainly, but looking at them more closely, they are still far from the top end. The French supervisory authority, CNIL, issued a €50m fine to Google. This, however, amounted to a mere 0.04% of Google’s global turnover – arguably more the cost of doing business than a deterrent. Last year, the ICO announced its intention to fine British Airways £183.39m in relation to a cyber incident which took place in 2018. Again, big money, but only equal to around 1.5% of BA’s global turnover. Moreover, at the time of writing, BA has not yet been issued the fine after a series of delays and there are now questions over whether the ICO may take the financial impact of the COVID-19 pandemic into account, the effect of which would presumably be to reduce the fine or perhaps defer it.

The fines may not have turned out to be as bad as feared, but does this mean that people’s personal data is better protected? Is the GDPR doing its job? Certainly, awareness is much higher, even outside of the UK and EU. Some of the biggest names in technology have adopted GDPR standards of data protection worldwide, rather than focusing only on Europe. Small businesses that might previously have overlooked data protection entirely are now keen to get their privacy policies in place, and it is clear that the GDPR itself prompted a surge of updates to business practices and documentation, both inwardly and outwardly.

Moreover, much more useful guidance has emerged over the past two years, including comprehensive guidance on compliance from bodies such as the ICO, and certain issues that caused confusion in the early days have been clarified.

Has it all been good news, however? It would be difficult to argue that this is the case. The GDPR continues to be a source of uncertainty and increased costs, particularly where technology is concerned and in areas such as analytics and ad tech. A 2019 survey conducted by German trade association, Bitkom, found that for many, the GDPR represents a barrier to innovation, particularly where new technologies are concerned. Nor is it necessarily ideal for individuals, many of whom have long since tired of emails informing them of privacy policy changes. Moreover, while many have heard of the GDPR, it is at the very least open to question how many of those people really understand what it means for them. Then, there is also the issue noted above – the geo-blocking of online content, particularly from the US – solely on GDPR compliance grounds. One must ask whether this is a benefit to individuals at all. It will be interesting to see if the Commission’s review considers such real-world impacts and, if so, what improvements may emerge.

What Did You Do Back in 2018?

Two years feels like a long time. Longer now, probably, given that the past two months have felt like an eternity as the world collectively hangs on the pause button. The advent of the GDPR caused no small amount of panic. Many scrambled to make their businesses compliant in time for the 25 May 2018 deadline that loomed like a threatening spectre.

Since then, however, the important question has become not so much “how did we do then?” as “how have we done since?”. Getting your business compliant in 2018 was but the first step of what a less jaded author might call your “GDPR journey”. Now that things have had time to settle down and guidance has become more widespread and fleshed-out, it is an ideal time to take a fresh look at data protection within your business. As a starting point, consider these questions:

  • Am I maintaining awareness of data protection within my business?
  • Have the changes I made in 2018 been successful? What could I do better?
  • Is my privacy information up-to-date and is it easily accessible?
  • Am I keeping proper records? Is there any way I can improve upon them?
  • Have I had any data breaches? Have they been handled properly?
  • Am I being proactive about data protection when considering new uses of personal data?

A Data Protection Audit is a useful exercise to carry out on a regular basis as it prompts you to ask and answer questions like these in more detail, considering all aspects of your business’s data protection compliance. If you haven’t carried one out before or perhaps haven’t carried one out since preparing for the GDPR, now is a good time to get started. It might also be the case that you have avoided an audit because you are afraid of what it might turn up. That is not an invalid concern but consider this – it is an internal exercise and the ICO would rather you identified your weaknesses and fixed them than ignored them. You aren’t going to get a €20m fine landing in your lap because your internal audit identified room for improvement or even outright failings. It is better to find out what is wrong and fix it, so cast aside the fear and get going!

Another side to ongoing compliance is the Data Protection Impact Assessment. A DPIA is a valuable (and indeed mandatory in some cases) tool which helps you to evaluate new projects from a data protection perspective, identifying and minimising the risks from a variety of angles. Again, a DPIA is not an exercise that should be carried out once and forgotten about. A system, product, or feature that began as a new project back in 2018 will quite possibly have changed in some way since then. Perhaps without even realising it, the way in which you collect, use, or store the personal data involved has changed. DPIAs should, therefore, be regularly reviewed and repeated if necessary.

The Picture in 2020

Brexit and Data Protection

Until recently, one of the biggest topics up for discussion in data protection circles was Brexit. We know that, at the end of the transition period, the EU GDPR will cease to apply in the UK and that it will be replaced with a “UK GDPR” – a direct copy in many respects, with necessary contextual changes to accommodate its status as a solely domestic instrument (references to EU laws, institutions, and powers, for example, will be removed or replaced with UK equivalents).

We also know that, whatever the outcome of Brexit, it will remain possible to transfer personal data to the EU and EEA and to “third countries” covered by an existing EU Commission adequacy decision without constraint, as is the case now. Not only that, but the UK will also recognise the current EU Standard Contractual Clauses as a valid mechanism for international transfers of personal data.

We do not, however, know what the UK’s status will be from the European perspective. Despite the similarities in our data protection legislation, the European Commission must still assess the UK’s post-Brexit data protection framework and grant an adequacy decision in order for personal data to flow as freely into the UK from the EU and EEA as it can in the other direction. It is far from certain that an adequacy decision will be made before the end of the transition period.

If an adequacy decision is not granted before the end of the transition period – and many commentators think it unlikely that one will be – other safeguards will be needed to cover personal data moving from the EU into the UK such as the aforementioned Standard Contractual Clauses or binding corporate rules (to name just two examples). Another key change to data protection compliance will be the need to appoint an EEA representative from the end of the transition period if your organisation offers goods or services to individuals in the EEA or monitors their behaviour.

Home is where the Work Is – Data Protection and COVID-19

Just a few short months ago, we might have thought it impossible that any subject could knock Brexit off the top spot of things we were tired of hearing and worrying about, but along came the coronavirus, making Brexit look like proverbial small potatoes.

From a data protection perspective, the pandemic has resulted in a rapid increase in medical data changing hands within businesses of all shapes and sizes. Medical information is, of course, “special category” (formerly “sensitive”) personal data and thus requires greater levels of care and security. Not only that, but such data is also moving around in an inherently less secure environment in many cases. Instead of being confined to secure and tightly-controlled networks and equipment that is constantly kept up to date with the latest security patches and new software, business personal data is now finding itself residing on home computer systems and home networks – some lacking in the latest security software (or indeed any at all), left vulnerable by older equipment and weak passwords. Other security threats are also seeking to exploit the decline in secure IT environments with activities such as phishing reportedly (and dramatically) on the rise.

Not only does the increase in home working pose potential security threats, but it may also make it harder for some organisations to comply with requests from individuals to exercise their rights. With personal data less centralised, for example, it may be harder to locate it in response to a subject access request.

Maintaining awareness and providing regular training is essential in overcoming such new challenges. Having an up-to-date Data Protection Policy can help to underpin your staff’s knowledge and serve as a reminder of things that, again, might have been fresh back in 2018 but may have given way to complacency or simple forgetfulness by now. Where possible, other practical steps such as the use of VPNs and the issuing of centrally administered computers and other devices can be taken to help reduce the risks associated with individual staff working with personal data on their own devices.

Such challenging circumstances will undoubtedly make assessing the GDPR’s success a harder exercise, both for regulators and for organisations. It remains vitally important to protect personal data and to use it lawfully, fairly, and transparently. At this point, no virus-specific changes are planned for data protection law and it is doubtful that they will be. What is important to note, however, is that authorities such as the ICO are not oblivious to the difficulties. The ICO recently issued a statement reassuring us all that while the law itself remains unchanged, “We understand that resources…might be diverted away from usual compliance or information governance…We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” In short, keep calm and carry on!

Where To?

It is clear that while data protection regulation has evolved to keep up with modern technology and contemporary uses of personal data, there remain many problems. Perhaps the greatest of these is that the law appears to be too heavy handed. The law and technology have been at odds in many areas for a long time, and this shows no signs of abating.

Business, technology, and the law itself need to evolve to accommodate one another. Whether or not they will is a different matter. It does seem evident, however, that this is understood on all sides. Enforcement powers and penalties exist to punish those who break the rules knowingly or carelessly and put the rights and freedoms of individuals at risk. Does this mean that small businesses will be fined for innovating? Arguably not.

It will be particularly interesting to see how the UK’s data protection laws evolve after Brexit. While keeping closely in tune with EU legislation, it is arguable that a desire to make the UK an attractive economy for innovation and investment in technology may lead to new developments in the data protection framework. The UK GDPR will be the same as the EU GDPR for all intents and purposes – particularly from the SME perspective – but what comes next will make for interesting viewing.

Processing and Transferring Personal Data

If you process personal data, that processing is currently subject to the Data Protection Act 1998. As of next May, the EU General Data Protection Regulation – the GDPR – will take over. Continuing the changes, the new Data Protection Bill introduced recently will bring much of the GDPR, with a few minor differences, into UK law post-Brexit.

Changes in the Law

Much media attention has been devoted recently to the GDPR. Some of this has provoked questions about the future legal position on data transfer not only within the UK but also to other countries outside the EU or EEA. The good news is that, in our view, what you will need to do in the future will not really change in practical terms.

To Where are You Transferring Personal Data?

You might need to transfer personal data within or outside the UK, to a location within the EU or EEA, or to a non-EU/EEA country (a “third country”). In addition to general requirements for processing personal data, particular requirements apply to transfer of data within the UK or abroad as outlined below.

Transferring Personal Data Within the UK or EEA

Where a UK data controller has a data processor within the UK or the EEA processing personal data for it, currently the law requires a written contract obliging the data processor to act on instructions from the data controller and to comply with obligations equivalent to those in the Data Protection Act’s Seventh Data Protection Principle. The GDPR also requires the contract to detail the processing and the data processor’s obligations. Our template document Data Processing Agreement – Personal Data Security (UK/EEA) meets the current requirements for such a contract.

There are no officially recognised standard clauses for such a contract. There may be in future, but there are none on the horizon, so you may continue to use our template. If the position changes, we will, in addition to making any necessary changes to our template, advise you accordingly.

Transferring Personal Data Outside the EEA

The Act’s Eighth Data Protection Principle and the EU Directive 95/46/EC (often referred to as the “Data Protection Directive”) only allow data controllers to transfer personal data outside the EU if the destination country has an adequate level of protection for the rights of the data subjects concerned. A number of alternative methods of ensuring such protection exist, but we believe that the “model terms” option (see below) is the best and easiest solution, because in practice another method may not be available or may be relatively difficult to use. The alternatives are as follows:

1) Recognised Destination

The EU Commission website lists those countries which it recognises as satisfying the test of “adequate level of protection”. The current Act and the GDPR provide for such recognition as a means of satisfying the test for an adequate level of protection. Transfer of data from the UK to the USA is complicated. The USA is not listed as “recognised” but a transfer will be permitted if the USA recipient (“data importer”) has self-certified compliance with the Privacy Shield framework.

2) Adequate Level of Protection

If the destination country is not “recognised”, then the requirements of the Act’s Eighth Data Protection Principle may be met if the data controller concludes that there is an adequate level of protection for the person who is the subject of the data, having regard in particular to the “adequacy criteria” set out in the Act.

It may not always be easy to properly apply these adequacy criteria. Further, the self-assessment basis of ensuring an adequate level of protection will be different and reduced under the GDPR. All in all, we think it will be very difficult for you to make proper use of this method.

3) An Exemption

Schedule 4 of the current Act provides several exemptions from the application of the Eighth Data Protection Principle. Similar exemptions will apply under the GDPR. If one of them applies, you would not need to consider whether there is an “adequate level of protection” or to take any other special steps in relation to the transfer.

4) Agreement on “Model Terms”

In view of the uncertainties and difficulties of ensuring an “adequate level of protection”, it will often be easier and preferable to make use of the following means instead.

The relevant EU Directive provides that an adequate level of protection will be achieved if a data controller and data processor sign an agreement governing transfer of data on model terms issued by the EU Commission for such purposes. The Commission issued the model terms in 2010. The current Act gives effect to this means of compliance and the Information Commissioner authorised the EU Commission model terms. This creates a “safe harbour” for UK data controllers transferring personal data outside the EU or EEA. Our template document Data Processing Export Agreement – Personal Data Security (Non-EU) contains the model terms and it may be used where transferring personal data outside the EU or EEA.

Although the GDPR supersedes the EU Directive, it does not alter the model terms regime so our template can be used after the GDPR and, subsequently, the new Act come into effect. It appears unlikely that the model terms will be amended in the foreseeable future. If they are, we will amend our template to take account of those changes.

Your Experience

Do you transfer personal data to another organisation to process it in the UK/EEA or outside the EU or EEA? If so, we would like to hear about how you ensured compliance with the current Act and the Directive, and how you plan to ensure compliance with the GDPR and the new Act. If you transferred data outside the EU or EEA, then, in order to do so, have you made use of the “model terms”? Have you relied on some other option instead? Are you confident that you are complying with all legal requirements relating to data transfer?


Charities and Loss of Personal Data

One of the major risks faced by UK charities is loss of data. “Loss” includes wrongful transfer, disclosure, corruption, or deletion of data, or wrongful access to data. Charities often hold large amounts of personal data, some of which is particularly sensitive. It may relate to donors or supporters, beneficiaries or service users (including children and vulnerable adults) and their families, carers, staff, or volunteers of the charity. The range of personal data held by charities is often very broad. For example, it often includes bank details, details of donations made, contact details (home or email addresses, phone numbers), dates of birth, information about mental or physical health, or care needs.

How Does Loss of Data Occur?

There are numerous ways in which data may be lost. For example:

  • loss or theft of a laptop or memory stick containing unencrypted personal details;
  • hacking into IT systems to obtain such details;
  • hacking or a virus attack which corrupts or erases data, e.g. ransomware which in effect locks up data until a ransom is paid;
  • leaving paper documents in places accessible to thieves;
  • unauthorised disclosure by staff or volunteers;
  • IT system breakdown or destruction where there is no data backup or disaster recovery facility;
  • staff responding to forged emails purporting to come from a legitimate source.


High-Profile Examples

There have been some high-profile cases of personal data loss. A break-in took place at the premises of the children’s charity Plan UK in November 2015, when five servers containing data including supporters’ contact and bank information were stolen, although in this case it would have been very difficult for the thieves to extract that data. In March 2012, a hacker broke into the IT systems of the British Pregnancy Advisory Service and obtained sensitive personal data about their clients. In January 2016, volunteers at The Alzheimer’s Society used personal email addresses to receive and share sensitive information about clients of the charity, stored unencrypted data on their home computers, and failed to keep paper records locked away. The Society’s volunteers had not been trained in data protection, did not understand charity policies and procedures, and had little supervision. The Society also suffered a hacking incident in 2015, and in 2010 unencrypted laptops were stolen from its premises. In 2011, a social worker at the charity Norwood Ravenswood left a detailed paper report about four children at the side of a house in London after attempting to deliver them to the children’s prospective adoptive parents, and the report was stolen.

What Are the Consequences of Data Loss?

Loss may impact the charity’s own activities, for example, where a database of individuals’ details is deleted or corrupted, and the charity has no other record of them to use as a backup. Alternatively, loss may adversely impact the individuals who are the subject of data held by the charity, for example, where an unauthorised third party gains possession of the data. Apart from the direct financial cost (and other effects) of recovering from its data security being compromised, a charity is likely to suffer damage to its reputation, and that may have an adverse impact on the level of donations and on the trust of donors, supporters, volunteers, and beneficiaries. Possible indirect effects include substantial fines being imposed by the Information Commissioner’s Office (ICO) where the charity is in breach of data protection legislation – the ICO is no longer reluctant to issue substantial fines to charities just because they are charities.

Increasing Risk of Data Security Breaches

It is clear that the risk of data falling into the wrong hands is prevalent and has been rising significantly over the past few years, for charities as well as for other organisations. Although the ransomware attacks in 2017 did not appear to target charities, experts think they could well be prime targets in future because of the large amount of sensitive stakeholder data that they hold – they often hold more sensitive data than other organisations, and personal data is often a saleable commodity. Charities are often seen as easy targets partly because they, more than larger commercial organisations, often lack the resources and expertise to guard against security breaches.

Tighter Regulation

The new requirements of the General Data Protection Regulation (GDPR), which comes into force in May 2018, reflect the degree to which a data breach is now regarded as a very serious issue. In particular the GDPR will require any organisation suffering a breach of personal data to report it to the ICO without undue delay unless it is unlikely to result in a risk to the rights of individuals.

How Can My Charity Prevent Data Loss?

It appears from a Third Sector Insight survey, conducted in 2016, that the majority of charities are not sufficiently well protected against loss of personal data. So, what steps do charity trustees need to take to improve the security of personal data? Here are some measures that might be implemented:

  • Review (“audit”) the activities of your organisation, identify weak spots, assess the risks and take steps to mitigate them.
  • Adopt a data protection and handling policy. Not only will this assist your charity to comply with the law, it will also confer a range of other benefits: adopting and implementing an effective data policy within a charity will protect your charity’s reputation, while also increasing donor, supporter, and volunteer confidence in the running of the charity. It will also, by making sure all information is kept accurate, save your charity time and money when you market to your fundraising base.
  • Appoint a Data Protection Officer to take responsibility for GDPR compliance.
  • Have procedures to detect, report, and investigate a personal data breach.
  • Make sure that all charity staff and volunteers are fully trained so that they understand their legal obligations (i.e. under the Data Protection Act (DPA), and, when the GDPR comes into force, both the GDPR and the parts of the DPA not repealed at that time). Training should be appropriate to ensure that they know in practical terms what they must do to comply with the law. For this purpose, you should adopt and implement procedures and organisational measures designed to meet the requirements of the legislation. New employees and volunteers should receive data protection training to explain how they should handle, store and transfer personal data. Existing employees and volunteers should be provided with refresher training every couple of years.
  • Make sure you use strong passwords on files and portable devices: an easily guessed, weak password is very poor protection for personal information. Use combinations of upper and lower-case letters, numbers and (where possible) symbols in passwords. (If you want to see how long it would take a computer to crack your password, try it out at How Secure Is My Password?)
  • Encrypt laptops, backup discs, USB memory sticks, and any other portable devices or media. Also consider installing a remote ‘wiping’ solution that will erase the device’s hard drive in the event it is stolen.
  • Consider whether your IT servers (including email) and connected devices (on or off site) are as secure from unauthorised access as they reasonably can be.
  • Look at what data (in electronic or hard copy form) might be lost in transit or when staff and volunteers work remotely (e.g. at home), and ensure that your data policy and procedures extend to how they should deal with data not kept at all times within the charity’s office.
  • Ensure that when data leaves your charity, the most secure means is used (for example, use VPNs for electronic data and couriers for hard copies).
  • Only keep data for as long as necessary. Make sure your charity has established retention periods and has put a process in place whereby personal information is deleted when it is no longer required.
  • Implement a system to update information. If you can, ask those whose details are on your database to check and update those details. You can do this via email or by checking their details if they telephone you.
  • Make sure that your premises (and the physical records and IT equipment there) are secure, that there are proper controls over who comes into the building, and that you know who (including staff, volunteers, cleaners, visitors) is able to enter, and does enter, your premises.
  • If you outsource data storage to specialists (larger charities may need to do so), then first check their data protection policies and credentials to ensure that they are trustworthy.
  • If you store personal or other data on your own systems (i.e. you do not use third party systems), then you would be well advised to back up your data frequently on separate media or secure cloud storage.
  • Adopt a data and/or disaster recovery plan, and consider including, as part of that plan, arranging for third party backup data centre facilities to be available so that you can recover data if you suffer an IT failure, data corruption, or a hacking incident.


What Are Your Experiences?

Are you a trustee or employee of a UK charity? Do you think your charity is well protected from a potential data breach? Does your charity follow the recommendations we have set out above? Has your organisation suffered a loss of data, and what was the result? What should have been done to prevent that loss?

We are, as always, keen to hear your views.

Charity Fundraising and Data Protection

Damage to a charity’s reputation often diminishes the level of trust in the charity on the part of its donors and supporters, leading to a decline in funding. Reputation of a charity is a key influencing factor in a prospective donor’s decision to donate to that charity.


Damage to Reputation

Reputational damage can arise from a number of causes. For example, supporters might become aware of a serious incident which reduces their confidence in the charity. A serious incident at a charity might consist of fraud, theft, significant financial loss, abuse or serious harm of beneficiaries, links to extremism, investment in or support by an organisation whose aims or activities are at odds with those of the charity, or loss of personal data (e.g. theft of a charity laptop containing personal details of beneficiaries, staff or donors, or the hacking of IT systems to obtain such details).

Improper Processing of Donor or Supporter Personal Data

Other matters can also adversely affect reputation, and in this post, we are focusing on one in particular: a charity’s failure to deal with donor/supporter data correctly. A number of well-known charities were recently fined by the Information Commissioner’s Office (ICO) for misusing donors’ personal data. Media coverage adversely affected not only the reputation of the particular charities involved, but also that of the charity sector generally.

The ICO found that the charities concerned had been using personal data of individual donors in ways which breached the Data Protection Act 1998 (DPA). The breaches comprised failure to be sufficiently transparent about the charity’s use of donors’ personal data, and failure to obtain their consent to that use of data. The charities had been sharing personal data with other charities, using personal data to estimate donors’ wealth (wealth screening), and using what personal data they had about individuals to discover missing information (data matching), all without being transparent or having consent from those donors to do so.

How Will the GDPR Affect Fundraising?

These issues have come increasingly to the fore because of the impending implementation of the European General Data Protection Regulation (GDPR), which will require all organisations, including charities, to comply with new consent and transparency requirements that will be tougher than those under the DPA. If a charity fails to comply with those GDPR requirements, there will be a consequent decline in its reputation because people will tend not to trust it to deal properly with their personal information. That distrust will have a clear and direct twofold adverse impact on donations. Firstly, potential supporters/donors will be disinclined to donate to the charity (or even to make contact with it with a view to supporting it in some other way). Secondly, current or past donors will no longer be inclined to donate, and they might ask the charity to stop contacting them and to delete their personal information. In order to ensure that donations to charities do not fall due to misuse of donor information (and to avoid the risk of substantial fines for breaching the GDPR), it will now be more important than ever that charities review their fundraising practices to ensure that they comply with the transparency and consent requirements of the new GDPR in relation to personal data of donors and others. The ICO has issued draft guidance on data protection and consent under the GDPR, and the Fundraising Regulator has recently issued a best practice guide, “Personal Information and Fundraising; Consent, Purpose and Transparency”, designed to help charity trustees understand their responsibilities under the GDPR.

Even if a charity has met the transparency requirement to tell individual donors that it is processing their data, what it is being processed for, and any other information needed to make it fair to process the data, the charity also needs to establish a clear legal basis for using the data. We will not try to cover that in any detail here, but in general terms this means – depending on the particular circumstances – either having a “legitimate interest” for that use, or consent to that use. Where consent is required by the GDPR (e.g. for direct marketing by electronic means), it will be express consent that is required. This will be stricter than under the current law, and as a result it is now a hot topic. The existing DPA consent requirements will be tightened up under the GDPR so that, from May 2018: the data subject must have the right to withdraw consent at any time, and withdrawal must be as easy as giving consent; consent mechanisms will need to be genuine and granular (‘catch-all’ consents will likely be invalid); and individuals must take affirmative action to give their consent, such as signing a form or ticking a box.

What Will be the Effect of Complying with the GDPR?

There are two opposing general attitudes to these changes, and we would like to hear your views about them.

One view amongst charities and critics is that those outside the charity sector (including legislators and regulators) do not understand fundraising and have approached it in a legalistic way without taking account of reality, with the result that the GDPR and the manner in which it is interpreted by regulators will lead to fundraising being destroyed in some charities. In particular, they see “opt in” (express) consent as leading to decline in fundraising because it requires a positive act whereas the normal tendency is towards inertia. The argument is that when one looks at the donor experience in practice, donors do not need or want to have to opt in, and they would be just as satisfied with an effective system that allows them to opt out of contact quickly and easily. Those against the new strictures of the GDPR also point out that the burden imposed by the GDPR on fundraising involves charities having to spend a great deal of time and money working on implementing strategies and processes to comply.

The opposite view is that the new requirements of the GDPR actually create an opportunity for charity fundraisers to increase donations and contact with supporters. The argument is that by complying with the GDPR, charities will actually improve and increase engagement with donors, and will build and strengthen trust amongst existing and prospective donors, and that this will outweigh the issues raised by those who take a negative view of the effects of GDPR on fundraising. The proponents of this positive view say that complying with GDPR will entail charities explaining why data is being collected and what it will be used for, that this can be coupled with an explanation of how the funds raised will be used, and that this will encourage individuals to “opt in” to being contacted and to allow use of their data in the way the charity has explained.

On which side of the argument do you stand?

Data Protection: The GDPR is Coming

In just over a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation, more often known simply as the “GDPR” comes into force. The GDPR is designed both to harmonise data protection throughout Europe and to modernise it, taking into account significant advances in science and technology that have taken place in recent years. In particular, the growth of the internet and the huge increase in the amount of personal data being transferred, stored and processed online (looking at you, cloud storage and social media), means that data protection legislation is long overdue for a refresh.

The first thing to get out of the way, since the “EU” part will doubtlessly be leading some to question whether or not the GDPR will be around for long, is that the UK government has confirmed that the GDPR will not be affected by Brexit. It is quite likely, then, that the Great Repeal Bill (see our previous post) will take care of that. Now we’ve said “Brexit”, we’ll move on.

Who Does The GDPR Affect?

In the most basic terms, if you already have obligations under the Data Protection Act 1998, you still will under the GDPR. The GDPR will apply to organisations operating within the EU and to organisations outside the EU that deal with individuals inside it.

What Does The GDPR Apply To?

As with the Data Protection Act, the GDPR applies to “personal data”. This is where one of the key modernisation points arises, for the GDPR expands its definition of personal data to personal identifiers such as IP addresses. Even personal data that has been anonymised – by using coding or pseudonyms, for example – may still count as personal data if it can be traced to a particular individual. In short, almost any kind of personal data, whether it was previously caught under the Data Protection Act or not, will likely be included under the GDPR.

The good news, however, for many businesses – especially SMEs – is that in the case of things like HR records, customer lists, contact details and so forth, the new definition will make little practical difference. That being said, for those who do a lot with online data behind the scenes, it’s certainly worth brushing up to be on the safe side.

Another key point to note is that the GDPR now applies to “data processors” as well as “data controllers”. Those processing personal data purely in a service provider capacity for a data controller will thus now also need to ensure compliance.

What Does The GDPR Say About Consent?

Organisations will need to be more proactive, and clearer with the language they use, when it comes to obtaining consent to the collection and processing of personal data. Individuals must know how their information will be used, and organisations cannot rely on silence or inactivity on the part of those individuals as consent. Not only that, but if the purpose for which you want to use someone’s data changes after getting their initial consent to use it, you must get fresh consent for the new use.

Again, in some cases, particularly for those who already pay careful attention to privacy and data protection, this will simply mean business as usual; but for others, particularly those who use customer data for marketing purposes, consent mechanisms may need to be re-thought, and clear, detailed information must be made easily accessible to customers, explaining the whats, whys, and hows of the organisation’s personal data collection and use.

How Will This Change The Way I Do Things?

Simply put, organisations need to take a more proactive approach to data protection, maintaining a much sharper awareness of privacy throughout their activities, systems, and projects. One key way in which this should be done is through the use of Privacy Impact Assessments, another new requirement introduced by the GDPR. A Privacy Impact Assessment or “PIA” should be conducted wherever a particular activity presents a risk of privacy being breached so as to minimise the risks to the individuals whose data is involved.

You may also have heard about the so-called “right to be forgotten”, especially in the context of search engines. The GDPR now brings this one to your doorstep too. If an individual requests that you delete the data you hold about them, you must do so.

Will I Need A Data Protection Officer?

If an organisation’s “core activities” involve the “regular and systematic monitoring of data subjects on a large scale” or the “processing on a large scale of special categories of data”, then it will need to appoint a Data Protection Officer.

This will apply regardless of the size of the organisation itself, so small businesses are by no means off the hook. Particularly as a result of the growth in online business, even small businesses with only a few employees may potentially be dealing with the personal details of thousands of individuals.

Among the Data Protection Officer’s responsibilities will be the carrying out of Privacy Impact Assessments, designed to identify and assess privacy risks for a given project which will involve the use of personal data (see above).

What If Something Goes Wrong?

If there is a data breach, the GDPR requires that the local data protection authority (in the UK’s case, the Information Commissioner’s Office) be informed within 72 hours of discovering it. Not only does this mean increased accountability, but for many this will also mean changes to internal systems, policies, and procedures to make it quicker and easier to spot and respond to breaches.

It’s under this heading that it’s also worth mentioning the F word. No, not that one (although you’d probably say it in the circumstances). Fines: that’s the one we mean. The GDPR is serious about increasing data protection, and penalties are no exception. Organisations that fail to comply with their obligations can face fines of up to 4% of their annual global turnover or €20 million, whichever sum is greater.

I’m Going To Be Very Busy, Aren’t I?

That depends. If your organisation is already taking data protection and compliance with the Data Protection Act seriously, the GDPR shouldn’t be anything to be afraid of. What’s more, you have a year to determine what changes need to be made and to make them, and provided you don’t mess about, that should be plenty of time.

Start by getting all relevant staff up to speed, appoint someone to oversee data protection, then evaluate your existing methods of data collection, obtaining consent, holding data, processing it, and handling individuals’ requests to see that data or have it erased. Your next step should be to determine what (if anything) needs to be improved and to get a plan in place for implementing those improvements in the time available. Remember the new responsibilities of data processors too: make sure that your suppliers and service providers are aware of their responsibilities under the GDPR and are taking the necessary steps to comply. Last but not least, don’t panic!

As ever, we want to hear your thoughts. Will the GDPR come as a shock to the system or is your business already hot on data protection? Do you think the modernisation of data protection law is overdue or do you see it as adding unwelcome burdens? Have you already started preparing? What steps would you recommend to other businesses?

Over the coming weeks and months we will be adding a range of new documents to our portfolio to help you get up to speed and up to spec with the GDPR, plus comprehensive new information on the various aspects of the GDPR with best practice guidance on how to comply. Stay tuned!
