The month in review
Here are our key takeaways from a number of perspectives this month:
1. For General Counsels: ensuring your organisation is ready for dealing with a ransomware attack or data breach. Barely a day goes by without some data breach, ransomware attack or other service issue. Preparing a playbook, instructing your Breach Counsel, understanding mitigations, role playing them and putting them in place helps you be prepared. We've set out below how we can do this for you.
2. For DPOs: back to basics, even for complex things like AI. Being clear on what you do, and why, is fundamental to data protection compliance and your obligations as a DPO. In the rush for the business to change and develop, this is sometimes missed, meaning there is a disconnect between practical operations and what is stated. Avoid the compliance gap by reading our analysis below, and instilling data protection by design and default in your organisation – particularly for AI as we see below, and the ever-changing position with data transfers.
3. For those operating in the Consumer sector: be clear on breach-readiness and the Adtech advance. Please also read our article in our Global Consumer Trends 2023 hub, which covers the specific risks and trends for Consumer sector breaches as well as the growing but complex area of Adtech. Also have a look at our guidance on AI and on readiness for a breach or ransomware attack.
4. Employers: check out the latest positions on DSARs and how to be transparent with AI use.
Read on for updates and analysis of the following:
- General updates
- Adtech and direct marketing
- AI and Innovation
- Cyber, breach and ransomware
- Data transfers
- Consumer matters
- Employment data protection
- Public sector
Online Safety Bill update
In the December 2022 issue of DWF Data Protection Insights, we provided a short introduction to the Online Safety Bill, which is currently before Parliament. The Bill has been in the news recently for a number of reasons:
- controversy regarding the proposal to impose criminal liability on senior managers who breach their obligations to protect children from harmful content;
- criticism for treating smaller platforms the same as big tech companies; and
- Ofcom's publication of a call for evidence on protecting children from content that is legal, but harmful to them.
We will of course monitor the Bill's progress and report in future issues of DWF Data Protection Insights.
ICO advice: Building better business by responsibly unlocking the value of personal information
The ICO has published advice on good data protection practices, which is aimed at SMEs, but provides a useful reminder of the key compliance steps for organisations of all sizes:
1. Make a list – Start by making a list of what personal information you have or plan to collect. You need to be able to account for all of it. For larger organisations, this may involve a more complex data mapping exercise developed into a "record of processing activity" or "ROPA", but understanding what personal information you have is an essential first step.
2. Ask why – You need to balance what you want to do with people’s personal information, against the benefits to them and any harm that might be caused. If you are holding or using people’s personal information, it must always be fair as well as lawful.
3. Think security – Check your security measures are appropriate for the types of information you hold and the reasons why you are processing it. Put stronger security measures in place if the data poses a higher risk or is sensitive.
4. Be transparent – You must explain to people why you hold information about them, how you use it and how long you will keep it. This should also be recorded in a privacy notice, which must be made available, clearly drafted and appropriate to the intended audience to meet the transparency requirement.
5. Know about data subject access requests (DSARs) – make sure that you have a clear process in place for responding to DSARs within the relevant deadlines, as well as for handling other data subject rights.
6. Have a data breach action plan in place – ensure that you have a plan in place to deal with any data breaches, and that all your workers understand the plan. This needs to include consideration of whether the breach needs to be notified to the ICO and/or the affected individuals within the applicable deadlines.
7. Keep up to date with developments – as the ICO points out, its website is updated regularly. We also recommend reading DWF Data Protection Insights every month and attending our future events.
DWF Solutions: if you would like advice on any of these action points, including data mapping, data breach and ransomware preparedness, dealing with DSARs or putting a data breach action plan in place, please speak to one of our partners in the team – Stewart Room, James Drury-Smith or JP Buckley.
DSARs (1): European Court rules that data subjects have the right to know the specific identity of recipients of their data
The Austrian Supreme Court requested clarification from the European Court of Justice on whether a data subject's right under Article 15(1)(c) GDPR to obtain information from a controller concerning the recipients or categories of recipient to whom their personal data have been or will be disclosed means that the controller is obliged to disclose the specific identity of the actual recipients.
The Court confirmed that the controller is obliged to provide the data subject, on request, with the actual identity of those recipients. The controller may indicate only the categories of recipients in question where:
- it is not possible to identify those recipients; or
- the controller demonstrates that the request is manifestly unfounded or excessive.
The Court also clarified that the right of access is necessary to enable the data subject to exercise other rights under the GDPR, namely the right to rectification, right to erasure, right to restriction of processing, the right to object to processing, and right of action when they suffer damage.
The decision is not legally binding in the UK, but is still relevant, because the wording of the UK GDPR is identical in all material respects and the UK courts may have regard to the decision.
DSARs (2): EU Advocate General's opinion: no right to know identity of specific employees who have accessed personal data
In contrast to the above case, an Advocate General (AG) of the European Court, on a matter referred by a Finnish court, has given the opinion that the controller does not need to tell the data subject the identity of the controller's employees who have accessed his/her personal data on the controller's instructions, because those employees are not "recipients" within the meaning of the GDPR. AG opinions are not binding on the European Court, but they are usually followed. The forthcoming decision will not be binding in the UK, but will still be relevant for the reasons referred to above.
DWF Solutions: our team have considerable experience in dealing with contentious DSARs – get in touch with JP Buckley for more details.
Adtech and direct marketing
Read our article on adtech's future featuring in our Global Consumer Trends 2023.
AI and Innovation
AI: ICO Blog: Addressing concerns on the use of AI by local authorities (but note the wider impact)
The ICO has published a blog post about its inquiry into the use of artificial intelligence (AI) by local authorities (LAs). The ICO did not find evidence of discrimination or unlawful usage, but recommends that LAs and central government should take a number of practical steps when using algorithms or AI. While the ICO's inquiry focused on LAs, these recommended steps are relevant to all organisations using or considering using AI.
1. Take a data protection by design and default approach
Data controllers must ensure that their processing complies with the UK GDPR (and EU GDPR too, where there are individuals located in the EU). This includes having a clear understanding of what personal data is being held and why it is needed, how long it is kept for, and erasing it when it is no longer required. Data processed using algorithms, data analytics or similar systems should be reviewed reactively and proactively to ensure it is accurate and up to date. If a controller engages a third party to process personal data using algorithms, data analytics or AI, they are responsible for assessing that they are competent to process personal data in line with the UK GDPR.
2. Be transparent with people about how you are using their data
Controllers should regularly:
- review their privacy notices, and identify areas for improvement;
- check that their notices clearly explain how and why people's personal information is used and include the other information required by law; and
- bring any new uses of an individual's personal data to their attention, as required by the transparency and purpose limitation principles.
3. Identify the potential risks to people’s privacy
Controllers should consider whether they need to conduct a Data Protection Impact Assessment (DPIA) to help identify and minimise the data protection risks of using algorithms, AI or data analytics, including the potential for any significant social or economic disadvantage.
DWF Solutions: Whether your organisation is in the public or private sector, please contact one of our privacy experts for advice on how to use algorithms or AI in compliance with the law, including reviewing your privacy notices and conducting DPIAs. We've developed specific approaches for doing so – please contact James Drury-Smith or Shervin Nahid.
Cyber security, breach and ransomware
Security: DWF's perspective on GDPR's appropriate technical and organisational measures or 'ATOM': Farewell SHA-1
We have published DWF Perspective: GDPR ATOM, which recommends that organisations should be making time-bound and complete plans for the wholesale replacement of SHA-1 (a cryptographic hash function for which practical collision attacks have been demonstrated) in any security use case.
DWF Solutions: get in touch with Mark Hendry to review your security arrangements, and of course check whether you use SHA-1 in practice (certificates and signatures, TLS configuration, integrity checks, application code) and plan for its replacement.
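As an added, illustrative example (not part of the DWF Perspective or of this newsletter), the Python below shows two pieces of the "check whether you use it" step: a small inventory scanner that flags SHA-1 indicators in code and configuration text, and a dual-verification helper for HMAC tags so that a cutover from HMAC-SHA1 to HMAC-SHA256 can be run to a deadline rather than as a flag day. The pattern list, the sample file contents and the key/message values are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Indicators of SHA-1 use (assumed patterns for this example; extend for your estate).
# Ordered so that a line is reported once, under its most specific category.
SHA1_PATTERNS = {
    "python-hashlib": re.compile(r"hashlib\.sha1\b"),
    "x509-sigalg": re.compile(r"sha1WithRSAEncryption|ecdsa-with-SHA1", re.IGNORECASE),
    "tls-sigalg": re.compile(r"\b(?:rsa_pkcs1_sha1|ecdsa_sha1)\b"),
    "generic": re.compile(r"\bsha-?1\b", re.IGNORECASE),
}

# Constructed sample inputs standing in for files found during a data-mapping exercise.
SAMPLE_INPUTS = {
    "auth.py": "import hashlib\n\ndef token(data):\n    return hashlib.sha1(data).hexdigest()\n",
    "httpd.conf": "SSLProtocol -all +TLSv1.2\nSignatureAlgorithms rsa_pkcs1_sha1:ecdsa_secp256r1_sha256\n",
    "cert-info.txt": "Issuer: CN=Example Internal CA\nSignature Algorithm: sha1WithRSAEncryption\n",
    "ok.py": "import hashlib\nh = hashlib.sha256(b'x')\n",
}


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    text: str


def find_sha1_usage(source: str, text: str) -> list[Finding]:
    """Return one Finding per line of `text` that shows a SHA-1 indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SHA1_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(source, line_no, kind, line.strip()))
                break
    return findings


def inventory(inputs: dict[str, str]) -> list[Finding]:
    """Scan every (name, content) pair and collect the findings for the replacement plan."""
    return [f for name, text in inputs.items() for f in find_sha1_usage(name, text)]


def make_tag(key: bytes, msg: bytes, legacy_sha1: bool = False) -> bytes:
    """Issue an HMAC tag: SHA-256 by default, SHA-1 only to simulate tags already in the wild."""
    return hmac.new(key, msg, hashlib.sha1 if legacy_sha1 else hashlib.sha256).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, allow_legacy_sha1: bool) -> tuple[bool, bool]:
    """Verify a tag, preferring SHA-256. Returns (valid, needs_reissue).

    During the migration window a legacy 20-byte HMAC-SHA1 tag is still accepted
    but flagged for re-issue; after the cut-off date callers pass
    allow_legacy_sha1=False and such tags are rejected outright.
    """
    if hmac.compare_digest(tag, make_tag(key, msg)):
        return True, False
    if allow_legacy_sha1 and len(tag) == hashlib.sha1().digest_size:
        if hmac.compare_digest(tag, make_tag(key, msg, legacy_sha1=True)):
            return True, True
    return False, False


if __name__ == "__main__":
    for f in inventory(SAMPLE_INPUTS):
        print(f"{f.source}:{f.line_no} [{f.kind}] {f.text}")
    key, msg = b"example-key", b"session-id-1234"
    old = make_tag(key, msg, legacy_sha1=True)
    print("legacy tag during window:", verify_tag(key, msg, old, True))
    print("legacy tag after cut-off:", verify_tag(key, msg, old, False))
```

The scanner is a starting inventory, not proof of absence: SHA-1 also hides in certificate chains, SSH host keys and vendor appliances that no grep will reach, so pair it with certificate and TLS scans. The most urgent uses to replace are those where collisions matter (signatures, content integrity, certificate fingerprints); HMAC-SHA1 is not broken by collision attacks, but the Perspective recommends wholesale replacement, which is why the dual-verification window above is meant to have a fixed end date rather than to persist indefinitely.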
Security: NIS2: Read Stewart Room's reaction
Stewart Room, our Global Head of Data Protection, Privacy & Cyber Security, has written this article for Forbes about NIS2: Europe Beefs-Up Cybersecurity Law, Trumping The UK (forbes.com). With the EU widening the scope of its laws on network and information systems security, and the UK planning to do the same, don't miss this analysis.
DWF Solutions: we're already advising clients on these changes. If you are covered or if you're not sure if you are, get in touch with Stewart Room.
Also read our Adtech and data security risks article, referred to in further detail below.
Data Transfers: US to UK: First meeting of Comprehensive Dialogue on Tech & Data between US and UK
On 12 January representatives from the UK and US Governments met in Washington, D.C. for the inaugural meeting of the US-UK Comprehensive Dialogue on Technology and Data. The UK government has reported that the representatives identified deliverables to address in 2023, including finalising and implementing a data bridge for US-UK data flows.
As this 'data bridge' is a key concern for UK organisations transferring personal data to the US, we will of course monitor developments closely and report further in future issues of DWF Data Protection Insights. In parallel, discussions continue regarding the "adequacy regulation" from the UK Government for data transfers from the UK to the US.
EU-US Data Privacy Framework
The draft adequacy decision for the EU-US Data Privacy Framework was presented to the European Data Protection Board (EDPB) at its plenary meeting on 17 January. The EDPB has reported that it is currently working on its opinion on the draft decision, which will be finalised in the coming weeks.
DWF Solutions: please contact James Drury-Smith, JP Buckley or Tughan Thuraisingam for advice on any international transfers of personal data, including transfers to the US, covering contractual approaches, intra-group transfers and risk assessments.
Consumer Trends 2023: Adtech and data security risks
Our Data Protection and Cyber Security team have published Adtech and data security risks article as part of DWF's wider report on Consumer Trends 2023. This article focuses on:
- ransomware, including the question whether or not to pay a ransom demand, an increasingly topical question and one requiring detailed legal advice and clarity of approach; and
- adtech, focusing on the importance of transparency and consent in this evolving market.
DWF Solutions: our Breach Counsel service, with standby appointment of our experts to deal with any breach or ransomware event, is crucial reading – get in touch with Stewart Room, Jamie Taylor or Mark Hendry to request your brochure.
DWF Solutions: our team analyses adtech environments from both the supply and buy perspectives – get in touch with James Drury-Smith or JP Buckley to check your compliance!
Employment data protection
Read our views on the ever-topical issue of what to include when you respond to a data subject access request, highlighted above.
Also consider how clear and transparent you are with your workers, particularly when it comes to AI, as highlighted in the AI and Innovation section above.
Public Sector: Government consultation: Draft legislation to help more people prove their identity online
The UK Government has launched a consultation on draft legislation intended to make it easier for citizens to prove who they are online when accessing Government services. The draft regulations create a new objective for the public service delivery (PSD) power under the Digital Economy Act 2017, which allows specified public authorities to share personal information for objectives set out in regulations.
The consultation paper sets out:
- A proposed new objective to support identity verification services, and for the four authorities below to use it.
- A proposal for four new public authorities to be added to the schedule of authorities able to use objectives under the PSD data sharing powers. These new public authorities are the Cabinet Office, the Department for Transport, the Department for Environment, Food and Rural Affairs (DEFRA) and the Disclosure and Barring Service (DBS).
- A proposed list of public authorities which are already in Schedule 4 of the Digital Economy Act 2017 to be able to use the new objective.
The consultation closes on 1 March 2023. We will of course monitor the outcome of the consultation and report in a future issue of DWF Data Protection Insights.
See also our sub-article above regarding AI in local authorities.