
Wednesday, 22 April 2020

Coronavirus and data protection in the workplace: your questions answered

As the coronavirus pandemic has swept the globe, news reports have understandably tended to focus on the potential impact on the population both at home and at work, as well as the government’s response. However, as organisations grapple with how best to maintain their business operations while protecting their workforce, questions related to data protection continue to arise.

The UK data protection regulator, the Information Commissioner’s Office (“ICO”), is issuing guidance via its data protection and coronavirus information hub. It has also updated its regulatory strategy to reflect the changed environment, saying, “We recognise that the current reduction in organisations’ resources could impact their ability to comply with aspects of the law. We are committed to an empathetic and pragmatic approach, and will demonstrate this through our actions.” So, if you find that you need to redirect your usual efforts due to the current working constraints, this is a great time to get your house in order and tick off some of those data protection compliance jobs you’ve been saving for a rainy day.

As data protection experts, we thought it might be helpful to share our expertise and answer some common questions that we’ve encountered from our clients.

Q: We want to follow the government guidance for minimising the spread of coronavirus by enabling our staff to work from home. What data protection issues should we be aware of?

The security principle of the General Data Protection Regulation (“GDPR”) requires you to establish and maintain appropriate security measures to protect the personal data you hold. With information moving off-site, away from the security established at the workplace, these measures need careful review. 

If you don’t already have a policy to cover remote working, some items to consider are:
  • Is the device that will be used remotely and/or the data encrypted? If so, this is good news because the data should not be accessible without the decryption key.
  • If encryption isn’t an option, is the data pseudonymised, i.e. has information been replaced/removed so that it no longer identifies an individual? 
  • Has access to personal email been blocked from work devices? 
  • Will the worker be using a secure private network rather than a public network on the remote device? 
  • Will the remote device and any accessories be stored securely when not in use, e.g. in a locked room or in a locked bag?
For more information, see the guidance from the National Cyber Security Centre and the ICO’s advice on working from home.

We have worked with many clients on creating various data protection policies including home-working, so please contact us if you would like our help with this.

Q: A major part of my job is responding to subject access requests and other individual rights requests. However, coronavirus has really disrupted our business, so I’ll struggle to meet the response times set out in the GDPR. Will my organisation get fined for non-compliance?

The ICO is the data protection body with the power to issue fines. It has reassured people that it won’t penalise organisations that need to prioritise other areas during these unprecedented times.

The timescales set out in the GDPR are enshrined in law, so they cannot be extended, but the ICO has committed to warning people that they may experience “understandable delays” in the progress of any information rights requests during the pandemic. Its updated regulatory strategy states, “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.”

Q: Some of our employees have informed us that they will be self-isolating because they are experiencing some symptoms of coronavirus. Are we allowed to pass on this info to other staff? How can we do this in a GDPR-compliant way?

Yes, as part of your duty of care to your staff, you should keep them informed about cases (whether possible or confirmed) of coronavirus in the organisation.

To do so in a GDPR-compliant way, there are three main elements of the GDPR to bear in mind:

  • The purpose limitation principle requires you to have specified the purposes that the data would be put to when you collected it and not process the data further in a way that is incompatible with those purposes. 
  • The data minimisation principle requires you to identify the minimum amount of personal data that you need to fulfil your purpose. In this example, think hard about whether you need to name the affected individuals and make sure that you don’t provide more information than is strictly necessary.
  • Health data is one of the special categories of personal data, which means that there are more stringent conditions in place for processing it. As with standard data, you must identify a lawful basis for processing under Article 6 of the GDPR, but you must also identify a separate condition for processing under Article 9.
Think carefully. Do you need to name the affected individuals? It’s unlikely. How much information do you need to provide? It’s probably less than you think. Be sensitive to the fact that, even if you do not name the person, it might be obvious who the individual is, given their role and/or the size of your organisation.

Q: We want to tell our customers how coronavirus will affect our business and their dealings with us. Are we allowed to do this, or will we be breaching marketing laws?

It depends on the thrust of your message. If you confine your communication to routine information about service interruptions, delivery arrangements, etc. brought on by the impact of the coronavirus pandemic on your business, this is unlikely to count as direct marketing and you could rely on legitimate interests as your basis for communicating.

However, if you include promotional material that, for example, is aimed at getting customers to buy extra products or services, the message would be classed as direct marketing and other rules would apply, in particular where you are sending emails or other electronic direct marketing messages. The ICO states, “You can still rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.” (The Privacy and Electronic Communications Regulations (“PECR”) sit alongside the GDPR and give people specific privacy rights in relation to electronic communications.) For more information, see the ICO’s Guide to PECR.

To be fully GDPR-compliant, don’t forget to document your decisions on legitimate interests. You still need to do this to meet the requirements of the GDPR’s accountability principle in terms of demonstrating compliance.

Q: Data protection is just one of our many worries, how on earth should I prioritise everything?

Here at Pritchetts, we’ve created a whizzy spreadsheet that helps organisations to track risks, prioritise them and document next steps. If you’d like a copy, please get in touch.

And finally…

Q: With schools closed, I’m trying to work from home at the same time as looking after my kids. Any tips?!

You’ll be needing a tip-top Internet connection, buckets of patience and coffee. Lots of coffee! Also, a space to retreat to when you just need a few minutes to yourself. Fortunately, there’s a wealth of online resources out there to help those of us in this brave new world:
Plus, dance, drawing, Minecraft and a whole lot more – all available for free! Best of luck!

If you have a question that you’d like us to include here, please get in touch and we’ll update the blog as soon as possible.

Monday, 21 October 2019

Pritchetts Law LLP: a leading UK law firm

Here at Pritchetts, we are celebrating our success after being ranked in the UK’s leading legal directories for the fourth year running.

The Legal 500 UK and Chambers and Partners, the UK’s foremost independent legal directories, carry out extensive research to arrive at their annual list of the best law firms and individual solicitors, including conducting thousands of interviews with clients and legal peers. Both directories have recently published their research findings for the period from late 2018 into 2019 and have once again recognised our firm’s solid reputation for outstanding legal advice, practical approach and friendly attitude.

In The Legal 500 UK 2020: South West, Pritchetts has been recognised and ranked as a Leading Firm in the IT and Telecoms practice area, highlighting our “particular specialism in data protection” and diverse range of clients, from international companies to local SMEs and charities. Stephanie Pritchett, Ben Wootton and Al Goodwin of Pritchetts have all been singled out as recommended lawyers for IT, Telecoms and Data Protection.

Stephanie Pritchett has also maintained her ranking as a Recognised Practitioner in the recently published Chambers and Partners 2020 guide. In addition, Ben Wootton’s huge contribution to the firm has been acknowledged through his first-time ranking as a Recognised Practitioner in the same publication.

We are very grateful to all of our clients who gave their valuable time to provide incredible feedback and testimonials – we know that you have other priorities, but as a niche player in an extremely competitive market, the benefit to us is huge. It continues to help us in punching considerably above our weight! Thank you.

Information about the services that Pritchetts offers is available on our website, including many reviews from satisfied clients. We’re delighted to be planning a relaunch of our website soon, with a fresh new site to celebrate the firm’s tenth anniversary.

To get in touch and find out more about us, you can also email us at info@pritchettslaw.com.

Tuesday, 9 July 2019

ICO issues two notices in two days of its intention to levy multimillion pound fines under GDPR

You know how you can be standing at a bus stop for ages, only to have two buses come along at once? Well, it’s been over a year since the General Data Protection Regulation (“GDPR”) came into force and data protection professionals across the UK have been watching and waiting for the first GDPR fine to be issued by the Information Commissioner’s Office (“ICO”). That wait looks like it will soon be over because in the last two days, the ICO has announced its intention to levy huge fines for data breaches under the GDPR on not one, but two organisations.

Back in October 2018, there had been some false hope around the case of Facebook’s involvement in the Cambridge Analytica data scandal, where the penalty levied was trumpeted as the largest ever awarded by the ICO. However, the case began under pre-GDPR data protection rules, so £500 million was the maximum fine that could be levied.

Instead, according to the ICO’s latest statements, British Airways (“BA”) and Marriott International (“Marriott”) could end up being the first organisations in the UK to feel the impact of the GDPR’s penalty system, where maximum fines can reach €20 million or 4% of annual global turnover, whichever is greater.

What happened?

At BA, the case began when it notified the ICO in September 2018 of a cyber incident whereby users of its website had been diverted to a fraudulent site. Hackers used this false site to harvest customer details, compromising the personal data of about 500,000 customers, according to the ICO’s investigation. The ICO believes that the breach began in June 2018 and that data relating to logins, payment cards, travel booking details, names and addresses was compromised by “poor security arrangements at the company”. It intends to fine the airline £183.39 million.

In the case of Marriott, it notified the ICO in November 2018 of a cyber incident involving the exposure of personal data contained in approximately 339 million guest records. Of these, 30 million related to residents in the European Economic Area (EEA), of which 7 million related to UK residents. The vulnerability is believed to have begun in 2014, in the computer systems of the Starwood hotels group. Marriott acquired Starwood in 2016, but it was two more years before the exposure of personal data was discovered. The ICO’s investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. It intends to fine the US hotel group more than £99 million.

Can the organisations appeal?

The two fines (BA’s amounts to about 1.5% of its £11.6 billion global turnover last year) aren’t a done deal. Both organisations can now make representations to the ICO about its findings and the proposed sanction.

Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (IAG), has declared his intention to do so, saying, “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Marriott’s president, Arne Sorenson, confirmed that it would be taking the same approach, saying, “We are disappointed with this notice of intent from the ICO, which we will contest.”

After reviewing the representations, the ICO will decide whether to proceed as intended with the monetary penalty notice, or indeed apply a different penalty. If the ICO issues a penalty notice, BA and Marriott would have 28 days to pay the fine or lodge an appeal at the Tribunal. If they pay on time, they get a 20% discount!

Does anyone else get a say?

The ICO has been conducting its investigations into BA and Marriott as the lead supervisory authority acting on behalf of data protection authorities (DPAs) in other EU member states. Therefore, in accordance with the GDPR’s one-stop-shop mechanism, the ICO will be inviting comment on its findings from those EU DPAs whose residents have been affected. It has announced that it will consider carefully representations from the two organisations and other DPAs before making its final decision.

It will be fascinating to see how the one-stop-shop mechanism will work across the EU. Interestingly, if the UK was outside the EU, BA and Marriott would be dealing with the UK’s ICO and a lead supervisory authority for the EU.

Where does the money go?

Whatever sum the ICO arrives at, the penalty will be split among the EU DPAs, with the ICO’s share going directly to the UK Treasury. Individuals who are affected by the data breach and seeking compensation will need to claim money from BA or Marriott direct – the ICO does not have the power to award compensation directly to individuals.

As yet, the ICO has not released any further details about the reasoning behind its intentions to fine BA and Marriott, so we will comment further when more information comes to light.

At Pritchetts Law, we can help you with all aspects of data protection compliance, including preparing for or handling personal data breaches when they happen as well as taking preventative steps such as carrying out audits and implementing policies and procedures. Please get in touch to find out more.

Thursday, 16 May 2019

ICO highlights importance of staff training on data protection

The accountability principle of the General Data Protection Regulation (“GDPR”) – which hadn’t been a feature of its UK predecessor, the UK Data Protection Act 1998 – puts new impetus behind the need for organisations to train their staff in data protection.

The principle requires organisations not only to be responsible for complying with the GDPR, but also to demonstrate their compliance by establishing appropriate technical and organisational measures. These include the implementation of a comprehensive training programme and data protection policies as well as the adoption of a “data protection by design and default” approach, among others.

A shiny new set of data protection policies is of limited use if staff who process personal data aren’t aware of them or trained in their implementation. After all, an organisation’s employees are pivotal in ensuring that the organisation complies with the data protection rules. Raising staff awareness of data protection issues is a fundamental part of an organisation’s overall data protection system and its compliance with the accountability principle and data protection by design and default obligations under the GDPR.

Staff training should build on your organisation’s data protection policies and guidelines as well as on the outcome of your data protection audit and data-mapping exercises. When staff are not trained in this way, it can lead to significant harm to the organisation, as Henry Ford indicated a century ago when he said, “The only thing worse than training your employees and having them leave is not training them and having them stay.”

In the worst cases, where a serious data protection issue has arisen and the Information Commissioner’s Office (ICO) has been informed, the regulator has made it clear that it will pay careful attention to any gaps in training and lack of awareness that it unearths.

In April 2019, the ICO tweeted, “Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”

Our experience of assisting clients to handle data protection breaches and near-miss incidents is that insufficient training is almost always involved, with further training being required to remedy issues.

What should you do to improve your data protection training programme?

  • For a successful data protection programme, senior management need to demonstrate their commitment to a training programme and indeed to data protection compliance generally. If those at the top aren’t publicly invested in the importance of data protection within the organisation, it’s unrealistic to think that employees won’t adopt the same attitude.
  • With this buy-in from the top, your organisation can ensure that it has a robust set of data protection policies and procedures in place.
  • The next step is to raise awareness of these policies and procedures, highlighting specific data protection issues that affect particular members of your staff and helping to address particular problems or challenges that they may face. This could include, for example, general advice-focussed training sessions on topics such as data protection compliance and data security. Alternatively, it could involve more bespoke, lengthier workshops on specific areas such as:
    • What to do if a breach occurs, sanctions for non-compliance and how to handle investigations and liaisons with the ICO and other regulators.
    • How to handle a subject access request (SAR) or other individual rights requests.
    • Handling human resources/personnel issues.
    • Ensuring that marketing and communication campaigns are compliant.
    • Challenges encountered by customer service agents when handling calls.
    • Compliance when outsourcing to third-party processors and cloud services.
    • Ensuring compliant international data transfers directly or when sub-contracting. 
    • Performing data-mapping exercises, data protection audits and data protection impact assessments (DPIAs).
    • Ensuring effective data retention and destruction.   
    Raising awareness is an ongoing process, so organisations should seek out their most creative teams to implement a data protection awareness campaign that engages staff effectively. Such a campaign should include not just face-to-face training and e-learning packages, but also targeted reminders via intranet messages, emails, newsletters or even posters in communal staff areas.
  • The other element of raising awareness is ensuring that staff who handle personal data are trained at appropriate levels in the organisation’s data protection policies and guidelines. This could be through instructor-led, face-to-face training and workshops, e-learning courses or a combination of these and other approaches. It may even be a good idea to include a quiz or test as part of the training to provide evidence that the staff member understood what was being discussed.
  • Finally, going back to the ICO’s comment about evidence, organisations must track what training has been carried out and which staff have attended. It will also be important to know yourself – and to be able to demonstrate to the ICO on request – what your plan is for catching up staff who have been absent, such as new starters or those on maternity or other types of leave.
Here at Pritchetts Law, we are experts in data protection training. Not only do we provide training and workshops for our own clients in-house, but Stephanie is also a tutor on many public courses run by PDP, the leading provider of professional training courses in information management and compliance.

We regularly advise on data protection audits and data-mapping exercises large and small, as well as assisting organisations with DPIAs. We often uncover areas of potential non-compliance or near-misses that require bespoke data protection policies and guidelines, which we can follow up with bespoke data protection training and workshops if required.

If you need help with any aspect of training your staff in data protection, or indeed any other aspect of data protection compliance, please get in touch.

Tuesday, 26 March 2019

How will a no-deal Brexit affect our data protection laws?

Are you like Times columnist, Hugo Rifkind? Asked to predict what would happen next with Brexit, he responded, "I don't know anything. Nobody knows anything. The government doesn't know what it is doing and the ERG also doesn't know what it is doing. The Labour Party, meanwhile, doesn't know what it is doing. Looking towards the future, then, my thoughts are 'wuh?' and 'huh?' and 'can we talk about something else?'"

It's fair to say that considering the implications of Brexit in the round is quite the brain-scrambler. However, if we focus on specific aspects, we'll get a much clearer picture, so let's examine now the implications of Brexit on data protection law.

The current state of play

As part of the EU, the UK is subject to the General Data Protection Regulation (GDPR). The UK then adopted the Data Protection Act 2018 (DPA 2018), which includes various derogations where the GDPR allows for these, and extends the concepts of the GDPR to other areas such as law enforcement and the intelligence services. Also in the data protection legislation mix are the Privacy and Electronic Communications Regulations (PECR), which give people specific rights in relation to electronic communications, and the Network and Information Systems Regulations 2018 (NIS), which are aimed at improving cybersecurity.

The European Union (Withdrawal) Act 2018 (EUWA) passed into law in June 2018 and retains the GDPR in UK law. Therefore, when the UK leaves the EU, organisations and data subjects will experience the same fundamental principles, obligations and rights that they've been used to.

Well, that sounds fine. What's all the fuss about?

As always, the devil is in the detail, and the particular devil that is the focus of this blog is international data transfers.

International data transfers

With the UK a member of the EU, personal data can flow freely between organisations in the UK and the European Economic Area (EEA) without requiring any specific additional compliance measures, because a common set of rules – the GDPR – applies to all countries in the EEA. That will all change if the UK leaves the EU without a withdrawal agreement that makes specific provisions for the continued flow of personal data to the UK as a non-EEA country during the transition phase.

If we leave without a deal, the UK government has committed to taking steps to facilitate the flow of personal data to EEA states and to Gibraltar, enabling that data to flow freely from the UK to those areas. The UK has also committed to honouring any adequacy decisions that were agreed before the UK's exit date, such as those relating to Japan and the US (although the latter is limited to the EU–US Privacy Shield).

The EU-US Privacy Shield

The clue's in the name: the Privacy Shield framework only applies between the EU and the US. By leaving the EU, the UK will no longer be covered by it. Therefore, UK companies transferring personal data to the US will need to check whether the US organisation receiving the data has agreed to extend its commitment to the Privacy Shield by accepting data flowing in from the UK. The US Department of Commerce has stated that, in the event of a no-deal Brexit, Privacy Shield participants must update their privacy notices by the exit date to confirm their decision to extend their operation of the Privacy Shield to the UK.

Although the UK has committed to maintaining the same free flow of personal data as it did as part of the EU, no such reciprocal arrangement has been mooted by the EU27. Therefore, GDPR transfer rules will apply to any data coming from the EEA into the UK.

Organisations will therefore need to consider what GDPR safeguards they can establish to ensure that personal data continues to flow into the UK in a compliant manner.

These safeguards sound handy. Tell me more.

When the UK leaves the EU, it will become a non-EEA country, also known as a third country in data protection terms. Under the GDPR, data transfers to third countries are restricted unless certain safeguards are established. There are various potential safeguards/compliance measures that can be put in place, including the following:
  • Standard contractual clauses (SCCs). The UK organisation and the relevant EEA organisation will need to enter into a contract that incorporates SCCs. These clauses place contractual obligations on the data exporter (the controller based in the EEA) and the data importer (the processor or controller outside the EEA), and set out rights for the individuals whose personal data is transferred.

    However, only transfers from controllers are currently covered under the two versions of the EU SCCs. The circumstances for data transfers from an EEA processor to a UK controller may therefore be restricted. Neither the Information Commissioner's Office (ICO) nor the European Data Protection Board (EDPB) have clarified how this would be permitted in practice – a very unsatisfactory position indeed!

  • Binding corporate rules (BCRs). This is an intra-group arrangement that a UK organisation can sign up to with the relevant EEA organisation to allow restricted data transfers (e.g. among parts of a multinational group). The arrangement must be submitted to and approved by an EEA supervisory authority in an EEA country where one of the companies is based. This process usually takes a considerable time to implement.

    Under the GDPR, BCRs allow the free flow of data both within and outside the EEA. Those BCRs certified by the ICO are recognised by 21 EEA countries under mutual recognition. However, this may not continue after Brexit.

  • Adequacy decisions. At the time of writing this article, the European Commission has not made an adequacy decision about the UK, despite the UK's current implementation of the GDPR. Discussions on an adequacy decision had been expected to occur during the 21-month transition period allowed for in the withdrawal agreement, but a no-deal Brexit means no transition period.

For more information about SCCs and BCRs, including template contracts for SCCs, see the ICO's guidance or contact us at Pritchetts Law LLP for advice and support with putting these in place.

How does the ICO fit into the Brexit picture?

That's a good question. At the moment, organisations that perform cross-border data-processing have to deal with only one EEA supervisory authority. When the UK leaves the EU, the ICO will no longer be recognised as one such authority. This means that UK organisations that are involved in cross-border processing could be subject not just to the ICO, but to one or more EEA lead authorities. These authorities could supervise and possibly fine UK organisations for their activities. Equally, EEA-based organisations may need to deal with the ICO in addition to their local regulator.

My company is based in the EEA and not established in the UK. Will I need to appoint a representative?

Yes. If your company offers goods or services to UK individuals, or monitors their behaviour, it will be subject to the UK version of the GDPR and you will need to appoint a representative in the UK.

Likewise, under the GDPR, UK-based companies that are not established in the EEA, but offer goods or services to EEA individuals, or monitor their behaviour, will need to appoint a representative in the EEA.

Representatives act on behalf of their principals, so if there is non-compliance, they can be fined by the ICO or by data protection authorities in the EEA.

Does Brexit only affect the implementation of the GDPR? What about PECR, etc?

The UK government has confirmed that PECR and NIS will continue to apply in the UK after Brexit, although in relation to the latter, UK-based digital service providers will need to appoint representatives in the EU if they want to maintain access to EU markets.

The draft new EU ePrivacy Regulation, however, will not be implemented in the UK after Brexit. Where it differs from PECR, companies that perform direct marketing to individuals in the UK and the EU27 will need to comply with both the UK and EU regulatory regimes. There are also concerns that if that new EU ePrivacy Regulation is not implemented in the UK, this may affect the EU's decision to award the UK adequacy status as a safe country for data flows (as discussed above).

Help! How can I prepare my business for no-deal?

  • Contact your partners in the EU to discuss how you can work together to ensure that data can continue to flow into the UK.
  • Read the Six Steps to Take and Data protection if there's no Brexit deal guides from the ICO, which help organisations to understand the implications of no-deal and plan ahead.
  • By the day the UK leaves the EU, you'll need to have taken various actions such as:
    • Appointing representatives in the EU or the UK depending on where you're based.
    • Checking your contracts and terms around restrictions on data transfers into or outside the EU/EEA.
    • Updating privacy notices to reflect your data transfers into or outside the EU/EEA.
    If you would like some help with this, or any other assistance with your organisation's Brexit planning, please contact us.