Does the following sentence sound familiar?
“I have read and accepted the privacy policy.”
This checkbox is found beneath various online forms. It’s completely superfluous. There is no need to accept a privacy policy because it merely serves an informational purpose. You don’t need to accept the privacy policy. If you are asking your clients to, then you are getting it wrong!
Since the EU GDPR / UK GDPR was introduced, there has been panic surrounding consent and the legal basis for data processing. Every company must have a privacy policy on its website, but contacts do not have to accept the policy to justify data processing.
Our customers often face the same GDPR issues around data protection and information security. These mistakes can have vastly different consequences. These range from slight inconveniences through to negative reviews on comparison sites or worse. Here are some examples:
- Incorrect email dispatches
- CV databases of head-hunters and HR departments
- Incorrect and superfluous checkboxes beneath website forms
- Lack of employee training on data protection topics
- Incorrect assignment of responsibilities between processors and controllers
- Fear of supervisory authorities
Let’s now look at each one of these mistakes and show you how to best avoid them.
Incorrect Email Dispatches
It’s one of the classic cases of data protection infringement: sending emails while cc’ing recipients who shouldn’t be there in the first place. And you might be thinking, “That won’t happen to me!” But unfortunately, our daily experiences prove otherwise. Having a visible list of recipients continues to be one of the most common data breaches in companies.
Each and every day, there are millions of emails sent with other people in the cc (carbon copy). Usually, nothing happens. The cc recipients can see the exact email addresses to which the message was sent, similar to the regular recipients. What’s more, the entire email history is visible. This can lead to problems if there are recipients who…
- should not become aware of the email addresses of the other recipients
- can access personal information that should not be shared with them from the email history.
If an email address can be assigned to a natural person, it is considered to be a piece of personal data in accordance with Art. 4 (1) UK GDPR. And such information may only be provided to a third party with either consent or with another legal basis in place. If the email address is shared, as is the case with a visible email list, this constitutes a data protection infringement.
HERE’S AN EXAMPLE OF SUCH AN ERROR
HIV Scotland deal with some very sensitive data and sadly, revealed this data. The data protection breach involved an email to 105 people. Recipients including patient advocates representing people living in Scotland with HIV.
All the email addresses were visible to recipients, and 65 of the addresses identified people by name.
The Information Commissioner’s Office (ICO) issued a penalty of £10,000 after a probe. You can read more here.
FINES
In 2018, a Premiership football club emailed 3,000 supporters informing them of ticket allocation for an away game. Unfortunately, all three thousand email addresses were in the ‘to’ box and so 2,999 email addresses were illegally shared. The club concerned reported themselves to the Information Commissioners office after sending a retraction email to the same group, again in the ‘to’ box. Oops! They were fined £20,000!
A National League side would repeat this error a year later but due to their poor financial condition a fine was not issued.
Recruitment Databases
We love these…not!
Wouldn’t it be convenient to store all applicants‘ data indefinitely? This way, you’d have a bunch of suitable candidates for every vacancy. All you need to do is contact them. This is such a promising idea. Many HR departments and head-hunters create entire databases of resumes and employer references. It may sound great, but it’s not legal.
Resumes, employer references, and applicant files are classed as personal data. They can only be processed and stored if there is a legal basis (Art. 6 UK GDPR). If this legal basis no longer applies, the data must be deleted. What’s more, data subjects (applicants) must, among other things, be informed of the purpose and duration of data processing, as described in Art. 13 UK GDPR.
Article 6 of the GDPR lists the following legal basis for the processing of personal data:
- Consent of the data subject
- Performance of a contract
- Compliance with a legal obligation
- Necessary to protect the vital interests of the data subject
- Performance of a task carried out in the public interest
- Necessary for the purposes of the legitimate interests pursued by the controller
The Data Protection Act 2018 (DPA 2018) provides the legal basis for data processing during the application process. Also, the Information Commissioner’s Office (ICO) has also issued guidance on this in the form the Employment Practices Code. As a best practice, only personal data that is relevant to the recruitment decision should be collected.
After rejecting an applicant, the application documents may be stored for a certain legally permissible period, but they must be destroyed/deleted after this period expires.
Data Retention
Data may only be stored beyond this period with the consent of the data subject. The duty to provide information in accordance with Article 13 (UK GDPR) must always be observed. Data subjects must be informed of the data processing, among other things.
- Purposes of data processing
- The legitimate interests that underpin the legality of data processing, if these provide the legal basis for processing.
- Information on transmitting data outside the UK
- The duration of data processing
- Reference to the right to provide information, submit a complaint, and withdraw consent
How to avoid this situation.
The creation of a data retention policy, with associated schedule, will dictate how your business behaves. It must be enforced internally and reviewed in your annual GDPR audit which is a legal requirement.
As most CV’s arrive via email they can sit in inboxes, sent items and deleted items indefinitely so a policy for cleansing your email must be put in place and enforced. An understanding of how such data arrives in your business must be recorded in your Data Flow Map.
However, the greatest challenge is when recruiters change employers. I am constantly sent vacancies that might suit me from recruitment agencies I have never interacted with. How does this happen? A recruiter moves from one agency to another and takes contacts to the new employer. The recruiter moves on in the future but leaves the data behind as well as taking it with them to another employer. Now my data is with at least three recruitment companies with only one having consent. Recruitment firms must take GDPR seriously.
INCORRECT AND OR SUPERFLUOUS CHECKBOXES BENEATH WEBSITE FORM
Data processing for marketing purposes is very often underpinned by the legal basis of data subject consent. This should be great surprise as there is no legal basis for meeting to prospects. You will recall in may of 2018 that companies were hungry for your consent. However, not all consents are of any use. The important information is often left out when companies are busy creating their checkboxes.
The UK GDPR does not provide any boilerplate templates for checkbox designs. No doubt many companies would be happy to have them. What the UK GDPR does do, however, is provide clear guidelines on the process behind obtaining consent.
We recommend including at least the following elements on the form:
- Information on the purpose of data collection (principle of purpose limitation pursuant to Art. 5 (I) (b) (UK GDPR)
- Reference to the option to withdraw consent
- Voluntary checkbox for a consent to the distribution of marketing information and/or sales reaching out to the consenting party
- In accordance with Art. 7 UK GDPR, consent must be given freely and without duress to be effective.
Consent
Article 7 (4) GDPR states the following, “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
In this example, the customer is not being given the opportunity to give clear, unambiguous consent. Therefore this is not compliant. Their data cannot be used for marketing purposes. This is an example of bundled consent. This is where the consent request is bundled into the agreement of the acceptance of a privacy policy. Such consent must be freely freely given, specific, informed and an unambiguous decision.
Make sure you separate the necessary from the optional. If a website visitor requests to receive a checklist by email, there’s no way around data processing for exactly this purpose. More detailed marketing information, for example, such as a newsletter is, however, optional. Make sure to never mix these two purposes. Consent to a newsletter must stay voluntary. Consent must be given by choice, and not a requirement to receive a freebie such as an e-book or webinar.
LACK OF EMPLOYEE TRAINING ON DATA PROTECTION
You might have the strictest security measures for your server rooms. You may have the cleverest encryption, and most watertight Data Processing Agreement in place. No piece of data is safe if your employees become careless. Employee training is one of the key tasks of a data protection officer (DPO) under the UK GDPR.
However, the UK GDPR does not specify what such training should look like. Here too, the data protection officer has quite a bit of leeway. The law does not prescribe any given training form or course refresher cycles. Processing operations usually evolve continuously. New technologies are used and people tend to forget what they’ve learned if they don’t repeat it in their day to day activities. Training should be carried out annually as a minimum.
SOME EXAMPLES OF EMPLOYEE TRAINING TOPICS
Besides the data protection principles, employees should be instructed on the rights of data subjects. Other topics include company data protection guidelines, data protection when using mobile devices, as well as the legal basis and other specialist terms. It is particularly important to instruct employees on how to behave in the event of data breaches and data protection infringements. Employees who are in direct contact with customers, should additionally become aware of what information they may share with customers – and the conditions for sharing.
Try to make the training as interesting as possible and avoid merely ticking off topics with exhausting theory. Include examples of data protection in daily business and interactive elements to help keep employees focused during the training and raise awareness for the tasks they will later perform.
To make concepts such as Records of Processing Activities (ROPA), Technical and Organisational Measures (TOM), and other documentation obligations more tangible, it helps to run through practical exercises on specific data processing operations. Besides all this, training sessions should focus on aspects of data protection that are relevant to the specific daily activities of the employee. This helps illustrate the effects of certain processes. Those who are not only familiar with the theory of data protection, but also the practical side of things, can identify and steer clear of obstacles.
Generally speaking, internal data protection officers (DPO) often find it hard to motivate their team for training courses. This is easier for external service providers with learning platforms and interactive materials. We can train on principles, rights and role specific requirements.
INCORRECT ASSIGNMENT OF RESPONSIBILITIES
This section relates to incorrect assignments between controllers and processors and is a common amongst the six data privacy mistakes.
If you are managing customer data in a SaaS CRM (such as Salesforce, Pipedrive, and HubSpot) this section applies to you. If you have outsourced your payroll again this section will apply to you. Or perhaps you are simply sending a newsletter about marketing software. These are all examples of processing on your behalf. The data controller offers instructions to another company (the processor), which then processes data. Time and again, there are uncertainties about which party is responsible for which responsibilities. Therefore, should a CRM provider create a privacy policy for its customers for example?
All processing takes place on the basis of the controllers instructions. This means that the controller is also responsible for the creation of a privacy policy, and the processor must be included in their Records of Processing Activities. The agreement that governs the collaboration is called a Data Processing Agreement. This is normally created by the controller. The processor, on the other hand must list the relevant processing activities in their “Records of Processing Activities” pursuant to Art. 30 (2) UK GDPR.
THE OBLIGATIONS OF THE CONTROLLER
- Making sure that the Data Processing Agreement really covers all requirements listed in Art. 28 UK GDPR. Particular care should be taken to ensure that:
- there is a well-defined performance specification that precisely illustrates which partial performances are made by the processor
- data categories are illustrated in detail; do not merely scratch the surface
- there is a list of sub-processors of the processor in place, with evidence provided on the inspection of their data protection compliance
- Check the Technical and Organisational Measures (TOM) of the processor. The TOM demonstrate how securely processors handle their customer data. These are an essential component of data processing agreements. The following aspects should be covered, for example:
- Encryption measures
- A breakdown of who has access to which data
- Information on server redundancy and server security to guarantee availabilities
- A reference to the multi-client capability of your solution
- Comments on multi-factor authentication (e.g. for admins), if available
- The purpose of the collected data, to demonstrate that only those data are collected that are necessary for the provision of the service
- Information on patch management and regular updates
- Notes on the remote maintenance process
- Whenever relevant, the creation of a Data Protection Impact Assessment. The use of new technologies – such as SaaS solutions – in processing operations, can pose risks to the rights and freedoms of your customers and employees. These might require a Data Protection Impact Assessment.
THE OBLIGATIONS OF THE PROCESSOR
The processor is responsible for processing the data in line with the instructions of the controller. The principles of the UK GDPR that also apply to other companies must be observed.
This is joined by an important and often forgotten obligation: If an instruction of the controller infringes against the UK GDPR, the processor must inform the controller accordingly (Art. 28 (3)). There is an additional obligation to report data breaches to the controller (Art. 33 (2)).
FEAR OF SUPERVISORY AUTHORITIES
This is the final of the six data privacy mistakes we will discuss. There are some letters nobody likes to receive. Letters from HMRC,. For example, letters from the courts, banks, and supervisory authorities. No news is usually good news. However, there is no reason to get worked up when the ICO gets in touch. Our advice: is to keep calm. Above all, cooperate and never shy away from communicating with the ICO. However, it might be better if you call us!
The ICO acts in an advisory and guidance role as the UK’s data protection watchdog. However, as part of this role they have several enforcement tools available implemented wihtin the Data Protection Act 2018. The powers available to them include:
Information Notices
Assessment Notices
Enforcement Notices
Penalty Notices
Cooperation with the ICO is one of the tasks of the data protection officer, pursuant to Art. 39 UK GDPR. If the ICO reaches out to you, the DPO should take it from there.
The ICO and Data Breaches
If a data protection breach has been identified in your company, you have to independently report it to the ICO within 72 hours. If the event comes with a high risk, you additionally have to inform the data subjects without undue delay.
In our role as an external DPO, we are in continuous contact with the ICO and we can usually lay all fears to rest. The ICO are communicative and cooperative and are quick to provide a friendly response to questions you might have. However, If the ICO requests certain documents, it is important that you act in a proactive and careful manner. An open cooperation with the ICO can certainly have a mitigating effect on later rulings.
With data breaches, it is crucial to meet all deadlines. Even if you might experience a ‘deer in the headlights’ response, or are eager to sweep the incident under the carpet, this is exactly what you should never do. Immediately report incidents to the ICO to demonstrate that your company takes data protection seriously, and this helps prevent higher fines in the end.
If all of this sounds a bit much then why not book a free, no obligation, one hour consultation here. Alternatively you can call us on 03333 22 1011 or contact us here and email us here.
0 Comments