Data Protection – April/May 2018

24/05/2018

GDPR and UK Data Protection Act 2018 in force tomorrow, news from the ICO, cybersecurity update and more.

Latest on the EU General Data Protection Regulation (GDPR) – in force tomorrow!

The waiting is finally over! GDPR, the new data protection regime, comes into force tomorrow. Guidance has been coming in thick and fast at both UK and European level. We provided a round-up of the latest guidance in our recent newsletter. Since then, the UK’s Information Commissioner’s Office (ICO):

The European Commission recently published a Seven steps for businesses to get ready for the GDPR factsheet.

On 18 May 2018, the National Cyber Security Centre (NCSC) published guidance developed jointly with the ICO, describing a set of technical security outcomes that are considered to represent “appropriate” measures under GDPR.

The Crown Commercial Service published a procurement policy note, reminding in-scope organisations of their obligations under the new data protection legislation. It previously published GDPR customer toolkit guidance and guidance for suppliers on next steps.

The Committee of Advertising Practice is consulting until 19 June 2018 on changes to its rules on the collection and use of data for marketing, in light of GDPR.

Nominet UK, the .uk domain name registry in the UK, published the response to its consultation on proposed changes to comply with GDPR. Among other things, registrant data will be redacted from the WHOIS database, unless explicit consent has been given.

In her speech at the Data Protection Practitioners’ Conference on 9 April 2018, the UK’s Information Commissioner referred to enforcement being a last resort: “Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action. It’s not just about fines though, is it? The GDPR has handed the ICO a whole new set of tools to motivate organisations towards compliance. Privacy by default and design, codes of practice, privacy seals, Data Protection Impact Assessments, accountability mechanisms, data protection officers …all these things – and more – form an integrated package. All of them are necessary; none of them is sufficient on their own. And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data. None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line”.

Please do not hesitate to contact us should you require assistance on any aspect of GDPR compliance.

Latest on the UK Data Protection Act 2018 – in force tomorrow!

After both Houses of Parliament agreed on the text of the UK’s Data Protection Bill, to be read alongside GDPR, it received Royal Assent on 23 May 2018. Now known as the Data Protection Act 2018, it comes into force tomorrow. The Information Commissioner has published a blog post on the new Act. The ICO previously published an introduction to the Data Protection Bill and a Guide to Law Enforcement Processing, which highlights the key requirements under Part 3. Watch out for our separate upcoming briefing on the new Act.

Latest on the ePrivacy Regulation

The new ePrivacy Regulation (which, among other things, sets out rules for direct marketing via phone, text and email) was due to apply at the same time as GDPR. The government has confirmed that delays in negotiations in Europe mean that the deadline will be missed. In light of Brexit, it is not clear when (if at all) the new rules will apply in the UK. Until the new Regulation is finalised, the existing PECR (Privacy and Electronic Communications Regulations) rules will apply using the GDPR definition of consent. On 15 May 2018, the European Commission published a factsheet on the proposed Regulation, as part of a wider press release about concrete actions European leaders can take to protect citizens’ privacy and make the EU’s Digital Single Market a reality before the end of 2018.

More news from Europe…

The Article 29 Working Party (WP29), which will be replaced tomorrow by the European Data Protection Board, held its last plenary meeting on 10 and 11 April 2018. Among other things, the WP29:

We reported previously that the Irish High Court is referring questions over the validity of the European Commission’s adequacy decisions on model contract clauses to the Court of Justice of the European Union (CJEU), following the complaint by Austrian privacy campaigner Max Schrems to the Irish Data Protection Commissioner about Facebook Ireland’s transfer of his personal data to Facebook Inc. in the US. The High Court made a request to the CJEU for a preliminary ruling, which sets out the 11 questions to be referred. On 2 May 2018, the High Court rejected Facebook’s application for a stay pending an appeal against the making of the reference. It held that the least injustice would be caused by the High Court refusing any stay and delivering the reference immediately to the CJEU.

‘Snooper’s Charter’ incompatible with EU law

In a victory for human rights organisation Liberty, the English High Court ruled that Part 4 of the Investigatory Powers Act 2016, dubbed the ‘Snooper’s Charter’, is incompatible with fundamental rights in EU law. The government now has until 1 November 2018 to rewrite this section of the legislation, which deals with the retention of communications data. Liberty launched a second crowdfunding campaign to continue with its legal challenge against the Act.

ICO news and recent enforcement action

  • The University of Greenwich was fined £120,000 following a serious security breach involving the personal data of nearly 20,000 people, including staff, students and alumni, some of which was sensitive data.
  • Two West Yorkshire firms were fined a total of £400,000 for nuisance calls to subscribers of the Telephone Preference Service (TPS).
  • Two Stockport firms were fined for nuisance marketing. The first had made more than 69,000 calls to people registered with the TPS and was issued with an enforcement notice ordering it to stop illegal marketing; the second had sent more than 260,000 spam texts.
  • Royal Mail was fined £12,000 for sending more than 300,000 emails to people who had already opted out of receiving direct marketing.
  • The Crown Prosecution Service was fined £325,000 after it lost unencrypted DVDs containing recordings of police interviews with child abuse victims. It was previously fined £200,000 for a separate breach in November 2015.
  • Humberside Police was fined £130,000 after unencrypted disks containing the interview of an alleged rape victim, and accompanying paperwork, went missing.
  • A former hospital employee was prosecuted after she accessed patient records without authorisation.
  • Kensington and Chelsea Council was fined £120,000 after it unlawfully identified 943 owners of vacant properties in response to Freedom of Information Act requests by journalists.
  • A former recruitment consultant was fined for stealing personal data from his employer when he left to set up a rival company.

The ICO is consulting until 28 June 2018 on how it will use increased powers under upcoming data protection reform. It has also published a blog post on the consultation.

The ICO’s latest statement on its investigation into data analytics for political purposes can be found here.

The ICO served an enforcement notice on SCL Elections Ltd (said to be Cambridge Analytica’s agent) in relation to an inadequate response to a data subject access request submitted to Cambridge Analytica by a US academic.

Cybersecurity update

The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018. They were made to implement the EU Directive on Security of Network and Information Systems (NIS Directive). The government previously consulted on its plans to implement the NIS Directive. More information can be found here. Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. The government has published a health sector guide and a transport sector guide to assist with compliance with the NIS Regulations. Ofcom has published interim guidance for operators of essential services in the digital infrastructure subsector. The NCSC has also updated its guidance.

In other developments:

  • On 16 May 2018, the NCSC published guidance outlining the security steps that organisations should take in response to an increased threat of cyber attack.
  • The Department for Digital, Culture, Media and Sport published the Cyber Security Breaches Survey 2018. A summary is set out on pages 1 to 3.
  • TheCityUK published a report outlining a new framework for boards to meet the growing cyber threat.
  • The NCSC and the National Crime Agency (NCA) produced a joint report on the cyber threat to UK business.
  • A website linked to more than four million cyber attacks globally was shut down following an investigation led by the NCA and the Dutch National Police. See the NCA’s press release.
  • The Home Secretary announced that the government will be investing over £50 million over the next year to bolster cyber capabilities within law enforcement at a national, regional and local level. See the press release for more details on how some of the funds will be allocated.
  • In a speech given at the same event, the Information Commissioner spoke of how security “is a boardroom-level issue. We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings. If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world – but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen”.