Thursday, 25 October 2018

Our Legal Support Assistant secures PC.dp qualification

Hilary Homer, our Practice Manager and Legal Support Assistant, has passed the exam for the PDP Practitioner Certificate in Data Protection (PC.dp) and is now a qualified Data Protection Practitioner.

Her five-day course, which was fully up to date with the requirements of the General Data Protection Regulation (GDPR), covered essential data protection knowledge, data security, handling subject access requests and conducting data protection impact assessments.

Prior to joining our firm, Hilary has had a long career in publishing, working on educational materials for schools and editing school assemblies, technical training manuals and e-learning courses.

Thanks to her PC.dp training, Hilary now has a solid knowledge of data protection law and an understanding of the practical implications of the GDPR for organisations. This is a great asset for her continuing work in proofreading and editing documents for our firm. Our solicitors will continue to carry out all of the legal advice work on matters for our clients, but Hilary's new status as a Data Protection Practitioner will ensure that she can edit and proofread documents for our clients with an enhanced knowledge of the subject area. In this way, we can continue to create economies in our delivery for clients.

Successful completion of the Practitioner Certificate in Data Protection programme demonstrates to employers and others that the candidate possesses a solid knowledge of data protection law, as well as an understanding of the practical implications for organisations of the GDPR.

Hilary said, "I am thrilled to have passed this rigorous exam and am grateful to the Partners at Pritchetts for supporting my development by putting me forward for it. The course has given me an excellent grounding in data protection law at a practical level. I now have the confidence to analyse documentation with a feel for how organisations will use it. I am really enjoying using my new skills in my work!"

Stephanie Pritchett, a Partner at the firm, said, "My Partner, Ben Wootton, and I are delighted with Hilary's result. She worked incredibly hard to achieve this PC.dp qualification, following intensive training and studying over the last year. This PDP course is long-established and very highly regarded in the sector, and is often undertaken by Data Protection Officers and legal compliance experts alike. The course is rigorous in its education around the new and more onerous requirements of the GDPR and has brought Hilary bang up to date with the new law. Hilary is going from strength to strength in this role, is highly engaged in data protection matters and is a fabulous support to the whole team."

For more information about what Pritchetts Law LLP can offer your organisation, visit our website. For comment on data protection issues, why not sign up to our newsletter or check out our blog? You can also follow us on LinkedIn and Twitter.

Friday, 19 October 2018

ICO consults on establishing a regulatory sandbox to support innovation

A few weeks ago, the Information Commissioner issued a call for views on creating a regulatory sandbox. That consultation has now closed, and the Information Commissioner is reviewing the feedback to inform further work on developing the sandbox. But what's a regulatory sandbox? And how does it work? Read on to find out more.

What is it?
The Information Commissioner's Office ("ICO") has defined its regulatory sandbox as "a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways." Participating organisations would be able to take advantage of the ICO's expertise in the areas of risk mitigation and data protection by design while ensuring that they were establishing appropriate protections and safeguards, although they wouldn't be exempt from complying with data protection law.

Has there ever been one before?
Creating a regulatory sandbox is an innovative approach for a data protection regulator. However, regulatory sandboxes are already being used in FinTech, notably by the Financial Conduct Authority ("FCA"), which launched its sandbox over two years ago. In a report outlining the lessons learned from the first year of the sandbox being in operation, the FCA concluded that:
  • Access to the sandbox had reduced the time and cost of getting innovative ideas to market.
  • Testing in the sandbox had helped facilitate access to finance for innovators, enabling products to be tested and introduced to the market.
  • The sandbox had enabled the FCA to work with innovators to build appropriate consumer protection safeguards into new products and services.

Why would it be useful?
A regulatory sandbox could be particularly beneficial for the data protection community. Organisations are starting to realise that compliance with data protection law is an iterative process, not something that has to be done only once on a project. Also, projects involving technical innovation have particular requirements to meet under data protection law, so using the ICO's "safe space" in tandem with its Regulators' Business and Privacy Innovation Hub to develop them could be advantageous.

However, we don't yet have a clear picture of how it works if businesses have already gone live with a technologically innovative project and then want to use the sandbox to develop it further. The sandbox doesn't offer a data protection amnesty, so if a particular project is not compliant when it is first trialled in the sandbox, it is unclear how the ICO would handle that.

What feedback has there been so far?
The Centre for Information Policy Leadership ("CIPL") has responded to the ICO's call for views, welcoming the ICO's initiative of creating a regulatory sandbox. However, it pointed to anxieties that organisations might have with using it in the absence of a data protection amnesty, saying, "information disclosed into the sandbox must only be used as the basis for an enforcement action in exceptional circumstances . . . the ICO must give some benefit of the doubt where - during testing in a real-life scenario in the supervised space - genuine uncertainty arises about compliance."

In its comments, CIPL sets out:
  • The benefits of the regulatory sandbox for organisations, the ICO, society, the economy and individuals.
  • Real-world and hypothetical examples of situations where participation in such a sandbox could be useful.
  • The practicalities that need to be considered in order to maximise the sandbox's success.
  • Its suggested criteria for acceptance into the sandbox.
  • The need for clarity over the relationship between the sandbox and data protection impact assessments ("DPIAs").
  • The safeguards that must be established to reassure businesses over aspects of their participation in the sandbox.

What's the next step?
The ICO's initial call for views on the feasibility, scope and demand for a sandbox has now closed. The responses are now being reviewed and will inform the ICO's detailed proposal for consultation, which it expects to submit later in the year.

We have many clients working on exciting and innovative new products and services, so please contact us if you would like some assistance with ensuring that your idea stays on the right side of data protection compliance.

EDPB indicates that ICO's guidelines on DPIAs are too stringent

Organisations can use data protection impact assessments ("DPIAs") to identify and mitigate a project's data protection risks. The General Data Protection Regulation ("GDPR"), which has been in force since 25 May 2018, mandates organisations to carry out DPIAs in specific circumstances.

During its latest meeting, the European Data Protection Board ("EDPB"), the EU privacy watchdog, adopted 22 opinions that establish common criteria for DPIA lists.

The lists were created by the national supervisory authorities ("SAs") to establish what types of processing are likely to be categorised as high-risk, and therefore require a DPIA to be carried out. The EDPB examined lists from 22 EU countries before establishing the common criteria, with the aim of providing more consistency across the EU, as required by the GDPR.

The UK list, which had been supplied by the Information Commissioner's Office ("ICO") in its guidance on DPIAs, stated that the processing of biometric, genetic or location data would automatically require a DPIA to be undertaken. However, the EDPB's opinion on the UK list disagreed, saying that processing these types of data on their own "is not necessarily likely to represent a high risk". Instead, the Board recommended that the ICO change its guidance so that for these types of data-processing, a DPIA should only be carried out when the processing is done in conjunction with at least one other criterion set out in the WP29's guidance on DPIAs, which the EDPB has endorsed.

There was further contention over employee monitoring and the use of innovative technology. The EDPB's opinion requested that the ICO amend its guidance to require the presence of two "high-risk" criteria (listed in the EDPB's guidance on DPIAs) before it is mandatory for organisations that plan to monitor employees to carry out a DPIA. Likewise, the EDPB asked the ICO to revise its guidance to refer to "innovative" rather than "new or innovative" and add that processing using innovative technology only requires a DPIA to be conducted when it is done in conjunction with at least one other criterion from the EDPB's guidance on DPIAs.

In line with Article 64(7-8) of the GDPR, the ICO must respond to the EDPB's opinion within two weeks of receiving it. The GDPR does not require SAs to amend their lists in line with the EDPB's recommendations, but if they decide not to do so, they must, within the same time period, provide the relevant grounds for their intention not to follow the EDPB's opinion.

We have created DPIA procedures for many of our clients. Please contact us if you require assistance with creating such a process or consultation on your DPIAs.

Useful links

Notes from the latest EDPB meeting

A list of the 22 opinions of the EDPB on DPIAs

The EDPB's opinion on the UK list

The ICO's current guidance on DPIAs (possibly subject to change)

The WP29's guidance on DPIAs

Article 64(7-8) of the GDPR

Tuesday, 26 June 2018

Facebook fan page case leads to new understanding of “joint controllers” concept

A recent ruling by the European Court of Justice (“ECJ”) has found that administrators of Facebook fan pages are joint controllers with Facebook for those pages.

What are joint controllers?
Article 26 of the General Data Protection Regulation (“GDPR”) states that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. The GDPR then sets out very specific obligations on joint controllers processing personal data, which must be complied with by those controllers.

There is some helpful information about joint controller relationships in the WP29 Opinion 1/2010 EU regulatory guidance. It explains that there may be various situations when data controllers are acting together and that this may lead in some circumstances to joint and several liabilities, but this is not necessarily a rule.

Guidance from the Information Commissioner’s Office (“ICO”) under the old law provided a distinction between joint controllers and controllers in common. It suggested that joint controllers would be acting together to decide the purposes and manner of data processing, whereas controllers in common would simply share a pool of personal data that they processed independently of one another.

We hope that the new European Data Protection Board (“EDPB”) will soon update the previous EU guidance on determining controller, processor and joint controller relationships and that the ICO will then follow suit.

It is our experience that most organisations find these relationships very difficult to identify and that they will therefore struggle to ensure compliance with the new, more stringent GDPR obligations on joint controllers.

What are the details of the case and what’s new in relation to “joint controller” relationships?
On 5 June 2018, the ECJ delivered its verdict on a case that concerned a German company that had been using a Facebook fan page for marketing purposes. The company could obtain viewing statistics for its fan page via the Facebook Insights tool, which works by Facebook using cookies to collect personal data about visitors to the fan pages. The company operating the fan page was only provided with anonymous statistical data about visitors to its fan page, whereby it could commission Facebook to place targeted advertisements there. The company had no access to identifiable personal data.

The company had not made it clear to visitors of its page that Facebook was using cookies to gather personal data about them in order to produce statistical information and carry out targeted advertising. As a result of this, the German data protection authority (regulator) ordered the company to deactivate its fan page, but the latter took the issue to court, arguing that the data controller in this case was not itself, but Facebook Ireland. It argued this on the basis that it did not itself hold the information to identify the individuals. The German courts agreed, but asked the ECJ to consider the issues.

What were the reasons behind the ECJ’s “joint controller” verdict?
The ECJ’s verdict (which followed Advocate General Bot’s earlier opinion) concluded that the administrator of the fan page on Facebook must be regarded as being, along with Facebook Inc. and Facebook Ireland, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page.

The ECJ said that the fan page administrator could be a controller because:

  • It agreed to Facebook placing cookies.
  • It set processing parameters that influenced or contributed to the purposes and manner of Facebook’s processing.
  • The data in question was sensitive in terms of its privacy impact (e.g. demographic data including trends in terms of age, sex, relationship and occupation, and information on visitors’ purchases and online purchasing habits) and the ultimate purposes, i.e. targeted advertising.
  • Non-Facebook users could visit the fan page, so privacy notices were imperative.
  • The fact that the fan page administrator had no access to the personal data that Facebook obtained did not preclude it from being a data controller. The definition of “data controller” in Directive 95/46/EC does not talk about access to personal data.

What does the verdict mean for the rest of us?
The ECJ’s verdict has, no doubt, extended the interpretation in relation to which organisations can be considered controllers and indeed joint controllers. This will have a wider impact on many business relationships.

In the absence of current, clear EU/ICO guidance on this point, organisations should consider:

  • Whether their data-sharing relationships involve joint participation in a business activity that requires processing the same personal data, or alternatively simply sharing the same pool of personal data for different and distinct purposes.
  • If and to what extent any decisions are taken together by relevant parties.
  • Specific data flows in their data-sharing relationships:
    • Will the data flows always be the same or will they change in different data-sharing processes? (The latter is more likely.)
    • Is it possible to separate out specific decision-making processes and business logic in relation to different data-processing activities carried out by the respective different parties in a way that demonstrates situations where they determine the means and purposes together?
  • Carrying out data protection impact assessments (“DPIAs”) to assess data-sharing relationships. To comply with the accountability principle and the concepts of privacy by design, organisations should consider carrying out a DPIA to make their evaluation and demonstrate the factors that they have considered before coming to their conclusion and putting the appropriate compliance measures in place.
  • Carrying out a regular review/follow-up DPIA to see whether their data-processing relationships and relationships between parties change over time and therefore require a different compliance route to be followed.

All organisations running Facebook fan pages or any other social media pages should ensure that those social media pages display clear links to the organisation’s privacy policy and in particular how information obtained on that fan page may be used (including an explanation of analytics carried out, targeted advertising and cookie use, etc.).

Next steps
If you require assistance with reviewing or upgrading your website or corporate social media site pages for compliance, Pritchetts Law LLP would be delighted to assist. Please contact us here.

Tuesday, 17 April 2018

Ben Wootton Promoted to Partner of Pritchetts Law LLP

On 6 April 2018, Ben Wootton was promoted to Partner of Pritchetts Law LLP. Ben has been a Senior Solicitor for Pritchetts Law for nearly four years.

The specialist data protection law firm has shown strong growth since it was founded in 2009 by Partner Stephanie Pritchett.

In recognition of its outstanding offering, Pritchetts Law was once again ranked as a leading national and regional firm in the most recent edition of The Legal 500. This well-regarded directory of top UK law firms describes Pritchetts Law as “a highly recommended specialist firm with extensive and in-depth data protection and privacy expertise”.

After setting up Pritchetts Law nine years ago, Stephanie quickly established its status as a leading UK data protection specialist firm. It advises a wide range of clients across many sectors, consistently punching above its weight and winning work from larger competitors.

Stephanie and Ben have featured on various BBC television and radio programmes, discussing topical data protection issues. They also speak regularly at events and conferences, as well as delivering market-leading data protection and GDPR training courses.

Since Ben joined the firm in 2014, clients have come to recognise his strength in this area. In its independent ranking of Ben Wootton as a “Recommended Lawyer”, The Legal 500 commends “his knowledge of data protection [and] strong feel for the commercial realities that companies face”. See more about our independent rankings here.

Of Ben’s promotion, Stephanie Pritchett said, “I am delighted to formalise what has already been a great partnership with my colleague, Ben Wootton. I couldn’t be more thrilled to have such a smart, dedicated and extremely personable partner aboard the good ship Pritchetts Law LLP.”

Of entering into partnership at Pritchetts Law LLP, Ben said, “Stephanie has worked tirelessly to build an extremely well-regarded practice over the last nine years. I am looking forward to continuing the excellent work we have done together over the last four years. We both aim to help clients achieve their commercial objectives while navigating the choppy waters of data protection – we make a great team.”

The team have most recently been helping clients across the UK, and internationally, with preparations for compliance with the EU General Data Protection Regulation (GDPR).

In fact, so great is the demand for the expertise of Pritchetts Law LLP that the firm has recently recruited a consultant solicitor, Al Goodwin, who is a senior commercial contracts specialist lawyer. He trained at top City law firm Freshfields Bruckhaus Deringer, going on to work at several well-known global and national firms (including five years as a partner successfully growing a new practice area). Al has most recently spent two years as Head of Commercial in a global advanced manufacturing and engineering group.

For more information about what Pritchetts Law LLP can offer, visit the firm’s website. For comment on topical data protection issues, read the Pritchetts Law LLP blog, and follow the firm on LinkedIn and Twitter.