Thursday, 25 October 2018

Our Legal Support Assistant secures PC.dp qualification

Hilary Homer, our Practice Manager and Legal Support Assistant, has passed the exam for the PDP Practitioner Certificate in Data Protection (PC.dp) and is now a qualified Data Protection Practitioner.

Her five-day course, which was fully up to date with the requirements of the General Data Protection Regulation (GDPR), covered essential data protection knowledge, data security, handling subject access requests and conducting data protection impact assessments.

Prior to joining our firm, Hilary had a long career in publishing, working on educational materials for schools and editing school assemblies, technical training manuals and e-learning courses.

Thanks to her PC.dp training, Hilary now has a solid knowledge of data protection law and an understanding of the practical implications of the GDPR for organisations. This is a great asset for her continuing work in proofreading and editing documents for our firm. Our solicitors will continue to carry out all of the legal advice work on matters for our clients, but Hilary's new status as a Data Protection Practitioner will ensure that she can edit and proofread documents for our clients with an enhanced knowledge of the subject area. In this way, we can continue to create economies in our delivery for clients.

Successful completion of the Practitioner Certificate in Data Protection programme demonstrates to employers and others that the candidate possesses a solid knowledge of data protection law, as well as an understanding of the practical implications for organisations of the GDPR.

Hilary said, "I am thrilled to have passed this rigorous exam and am grateful to the Partners at Pritchetts for supporting my development by putting me forward for it. The course has given me an excellent grounding in data protection law at a practical level. I now have the confidence to analyse documentation with a feel for how organisations will use it. I am really enjoying using my new skills in my work!"

Stephanie Pritchett, a Partner at the firm, said, "My Partner, Ben Wootton, and I are delighted with Hilary's result. She worked incredibly hard to achieve this PC.dp qualification, following intensive training and studying over the last year. This PDP course is long-established and very highly regarded in the sector, and is often undertaken by Data Protection Officers and legal compliance experts alike. The course is rigorous in its education around the new and more onerous requirements of the GDPR and has brought Hilary bang up to date with the new law. Hilary is going from strength to strength in this role, is highly engaged in data protection matters and is a fabulous support to the whole team."

For more information about what Pritchetts Law LLP can offer your organisation, visit our website. For comment on data protection issues, why not sign up to our newsletter or check out our blog? You can also follow us on LinkedIn and Twitter.

Friday, 19 October 2018

ICO consults on establishing a regulatory sandbox to support innovation

A few weeks ago, the Information Commissioner issued a call for views on creating a regulatory sandbox. That consultation has now closed, and the Information Commissioner is reviewing the feedback to inform further work on developing the sandbox. But what's a regulatory sandbox? And how does it work? Read on to find out more.

What is it?
The Information Commissioner's Office ("ICO") has defined its regulatory sandbox as "a safe space where organisations are supported to develop innovative products and services using personal data in innovative ways." Participating organisations would be able to take advantage of the ICO's expertise in the areas of risk mitigation and data protection by design while ensuring that they were establishing appropriate protections and safeguards, although they wouldn't be exempt from complying with data protection law.

Has there ever been one before?
Creating a regulatory sandbox is an innovative approach for a data protection regulator. However, regulatory sandboxes are already being used in FinTech, notably by the Financial Conduct Authority ("FCA"), which launched its sandbox over two years ago. In a report outlining the lessons learned from the first year of the sandbox being in operation, the FCA concluded that:
  • Access to the sandbox had reduced the time and cost of getting innovative ideas to market.
  • Testing in the sandbox had helped facilitate access to finance for innovators, enabling products to be tested and introduced to the market.
  • The sandbox had enabled the FCA to work with innovators to build appropriate consumer protection safeguards into new products and services.

Why would it be useful?
A regulatory sandbox could be particularly beneficial for the data protection community. Organisations are starting to realise that compliance with data protection law is an iterative process, not something that has to be done only once on a project. Also, projects involving technical innovation have particular requirements to meet under data protection law, so using the ICO's "safe space" in tandem with its Regulators' Business and Privacy Innovation Hub to develop them could be advantageous.

However, we don't yet have a clear picture of how it works if businesses have already gone live with a technologically innovative project and then want to use the sandbox to develop it further. The sandbox doesn't offer a data protection amnesty, so if a particular project is not compliant when it is first trialled in the sandbox, it is unclear how the ICO would handle that.

What feedback has there been so far?
The Centre for Information Policy Leadership ("CIPL") has responded to the ICO's call for views, welcoming the ICO's initiative of creating a regulatory sandbox. However, it pointed to anxieties that organisations might have with using it in the absence of a data protection amnesty, saying, "information disclosed into the sandbox must only be used as the basis for an enforcement action in exceptional circumstances . . . the ICO must give some benefit of the doubt where - during testing in a real-life scenario in the supervised space - genuine uncertainty arises about compliance."

In its comments, CIPL sets out:
  • The benefits of the regulatory sandbox for organisations, the ICO, society, the economy and individuals.
  • Real-world and hypothetical examples of situations where participation in such a sandbox could be useful.
  • The practicalities that need to be considered in order to maximise the sandbox's success.
  • Its suggested criteria for acceptance into the sandbox.
  • The need for clarity over the relationship between the sandbox and data protection impact assessments ("DPIAs").
  • The safeguards that must be established to reassure businesses over aspects of their participation in the sandbox.

What's the next step?
The ICO's initial call for views on the feasibility, scope and demand for a sandbox has now closed. The responses are now being reviewed and will inform the ICO's detailed proposal for consultation, which it expects to submit later in the year.

We have many clients working on exciting and innovative new products and services, so please contact us if you would like some assistance with ensuring that your idea stays on the right side of data protection compliance.

EDPB indicates that ICO's guidelines on DPIAs are too stringent

Organisations can use data protection impact assessments ("DPIAs") to identify and mitigate a project's data protection risks. The General Data Protection Regulation ("GDPR"), which has been in force since 25 May 2018, mandates organisations to carry out DPIAs in specific circumstances.

During its latest meeting, the European Data Protection Board ("EDPB"), the EU privacy watchdog, adopted 22 opinions that establish common criteria for DPIA lists.

The lists were created by the national supervisory authorities ("SAs") to establish what types of processing are likely to be categorised as high-risk, and therefore require a DPIA to be carried out. The EDPB examined lists from 22 EU countries before establishing the common criteria, with the aim of providing more consistency across the EU, as required by the GDPR.

The UK list, which had been supplied by the Information Commissioner's Office ("ICO") in its guidance on DPIAs, stated that the processing of biometric, genetic or location data would automatically require a DPIA to be undertaken. However, the EDPB's opinion on the UK list disagreed, saying that processing these types of data on their own "is not necessarily likely to represent a high risk". Instead, the Board recommended that the ICO change its guidance so that for these types of data-processing, a DPIA should only be carried out when the processing is done in conjunction with at least one other criterion set out in the WP29's guidance on DPIAs, which the EDPB has endorsed.

There was further contention over employee monitoring and the use of innovative technology. The EDPB's opinion requested that the ICO amend its guidance to require the presence of two "high-risk" criteria (listed in the EDPB's guidance on DPIAs) before it is mandatory for organisations that plan to monitor employees to carry out a DPIA. Likewise, the EDPB asked the ICO to revise its guidance to refer to "innovative" rather than "new or innovative" and add that processing using innovative technology only requires a DPIA to be conducted when it is done in conjunction with at least one other criterion from the EDPB's guidance on DPIAs.

In line with Article 64(7-8) of the GDPR, the ICO must respond to the EDPB's opinion within two weeks of receiving it. The GDPR does not require SAs to amend their lists in line with the EDPB's recommendations, but if they decide not to do so, they must, within the same time period, provide the relevant grounds for their intention not to follow the EDPB's opinion.

We have created DPIA procedures for many of our clients. Please contact us if you require assistance with creating such a process or consultation on your DPIAs.

Useful links
  • Notes from the latest EDPB meeting
  • A list of the 22 opinions of the EDPB on DPIAs
  • The EDPB's opinion on the UK list
  • The ICO's current guidance on DPIAs (possibly subject to change)
  • The WP29's guidance on DPIAs
  • Article 64(7-8) of the GDPR