ICO provides SAR guidance

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance to simplify the process for, and give better understanding to organizations receiving subject access requests.

 

The ICO published information last month, geared at giving guidance to organizations who may receive subject access requests (SARs). As the weight of personal data becomes more apparent to individuals, more people are exercising their right to information on what exactly is happening to their personal data. The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other additional information. The ICO, having realized how important it is that an organization should be able to deal with subject access requests efficiently and effectively, has launched this guide, which was published in the form of a list of frequently asked questions, can be found here

 

The initial consultation for this guidance published by the ICO, generated lots of engagement, and received an overwhelmingly positive response.

 

The process of creating this right of access detailed guidance started back in December 2019, with a consultation which received an overwhelming reaction, comprised of over 350 responses from various organisations. While those responses consisted of mainly positive feedback, there were also requests for examples, explanations and additional content. Based on the feedback, there were some key changes made, and content added to the original version published. 

 

The ICO provides SAR guidance, complete with situational examples for reference.

 

This guidance published by the ICO last month includes details on what right of access is, why it is important, and also what specific information an individual is entitled to. The information provided in this guidance also includes direction on who should be handling requests and in what manner requests should be handled, complete with relatable examples, which the individuals in an organisation can follow and apply to their circumstances to gain a better understanding of how things should proceed.

 

The ICO was able to clarify a few key points raised by organisations during the guidance consultation phase. 

 

There were a few key points raised for clarification by the organisations regarding their obligations, which the ICO cleared up. For one, stopping the timer on response time, when clarification is needed to provide a response is definitely now allowed. The ICO also clarified what a manifestly excessive request is, and offered guidance on how to navigate dealing with those, including when and how an admin fee may be applied to some requests.

The ICO has further plans to create several resources for business on the topic of SARs.

 

The ICO has plans on creating a suite of resources. This will include an even more simplified guide for small businesses regarding subject access requests with key information from the general guide which would specifically benefit them. This information is viewed as essential to organisations, to ensure trust from individuals, in the way an organisation handles their personal data, and by extension in the organisation itself.

 

Do you know how to handle DSARs and the rest of data subjects rights granted by the GDPR? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.

 

A data broking investigation into Experian as well as Equifax and TransUnion and their use of personal data within their data broken businesses has resulted in enforcement action. The ICO published a report earlier this month, on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.

 

The investigation found significant processing of personal data unbeknownst to the data subjects, by the CRAs; Equifax, TransUnion and Experian.

 

The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.

 

The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.

 

Through the data broking investigation, the ICO uncovered several data protection failures at each company. 

 

Through their investigation the ICO found that the personal data provided to each of these CRAs which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new information or previously unknown information about the data subjects. 

 

These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data. 

 

While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.

 

All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 

 

While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making changes set out by the ICO, and as a result, were not prepared to issue privacy information directly to data subjects, nor were they prepared to stop using credit reference data for direct marketing purposes.

 

Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.

 

The ICO decided to issue an enforcement notice, as it is seen at the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of it’s total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that hold their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CPS Advisory fined

CPS Advisory fined for unauthorized cold calls

CPS Advisory faces ICO fine for making more than 100,000 unauthorized pension-related direct marketing calls. 

 

As technological advances, globalization—and now worldwide health & safety threats (such as COVID-19)—continue to catapult our world further into the remote sphere, more and more businesses are turning to cold calling and other such distanced customer engagement methods to keep their businesses alive. Yet if companies are not diligent, what may seem a prudent, practical, inevitable business development solution—especially in these unprecedented 2020 times—could plunge them into some serious hot water. This is the case for Swansea, UK based company CPS Advisory (CPSAL). 

 

According to the ICO,  an investigation into CPS Advisory’s operations revealed that during the period January 11 2019 to April 30 2019, the company made 106,987 unsolicited direct marketing calls related to occupational pension and/or personal pension schemes contrary to regulation 21B of PECR. 

 

The ICO article summarizes that “under the new law, companies can only make live calls to people about their occupational or personal pensions if:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme;
  • the recipient of the call consents to calls, or has an existing relationship with the caller and the relationship is such that the recipient might reasonably envisage receiving unsolicited calls for the purpose of direct marketing in relation to occupational pension schemes or personal pension schemes; and
  • the recipient of the call has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of the recipient’s contact details for the purpose of such direct marketing, at the time that the details were initially collected and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.

 

As a result of this breach, the ICO Monetary Penalty Notice notes that the Information Commissioner decided to issue CPSAL with a monetary penalty under section 55A of the Data Protection Act 1998 (DPA).

 

PECR & GDPR – how do they fit

 

According to the ICO, “the GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but use the new GDPR Standard of consent. 

 

“This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.”

 

Does PECR apply to you & your company? 

 

The ICO offers that although some of the rules apply only to organisations that provide a public electronic communications network or service, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EU-US Privacy Shield

EU-US Privacy Shield invalidation business implications follow-up

Since the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in their Schrems II judgement delivered two weeks ago, many questions have arisen around international data transfers to the US.

After the invalidation of the EU-US Privacy Shield by the CJEU two weeks ago, as reported by Aphaia, data transfers to the US require another valid safeguard or mechanism that provides an adequate level of data protection similar to the one granted by the GDPR.

European Data Protection Board guidelines

With the aim of clarifying the main issues derived from the invalidation of the EU-US Privacy Shield, the European Data Protection Board (EDPB) has published Frequently Asked Questions on the Schrems II judgement. These answers are expected to be developed and complemented along with further analysis, as the EDPB continues to examine and assess the CJEU decision.

In the document, the EDPB reminds that there is no grace period during which the EU-US Privacy Shield is still deemed a valid mechanisms to transfer personal data to the US, therefore businesses that were relying on this safeguard and that wish to keep on transferring data to the US should find another valid safeguard which ensures compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.

What about Standard Contractual Clauses?

The CJEU considered the SCC validity depends on the ability of the data exporter and the recipient of the data to verify, prior to any transfer, and taking into account the specific circumstances, whether that level of protection can be respected in the US. This seems to be difficult though, because the Court found that US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

The data importer should inform the data exporter of any inability to comply with the SCCs and where necessary with any supplementary measures and the data exporter should carry out an assessment to ensure that US law does not impinge on the adequate level of protection, taking into account the circumstances of the transfer and the supplementary measures that could be put in place. The data exporter may contact the data importer to verify the legislation of its country and collaborate for the assessment. Where the result is not favourable, the transfer should be suspended. Otherwise the data exporter should notify the competent Supervisory Authority.

What about Binding Corporate Rules (BCRs)?

Given that the reason of invalidating the EU-US Privacy Shield was the degree of interference created by the US law, the CJEU judgement applies as well in the context of BCRs, since US law will also have primacy over this tool. Likewise before using SCCs, an assessment should be run by the data exporter and the competent Supervisory Authority should be reported where the result is not favourable and the data exporter plans to continue with the transfer.

What about derogations of Article 49 GDPR?

Article 49 GDPR comprises further conditions under which personal data can be transferred to a third-country in the absence of an adequacy decision and appropriate safeguards such as SCCs and BCRs, namely:

  • Consent. The CJEU points out that consent should be explicit, specific for the particular data transfer or set of transfers and informed. This element involves practical obstacles when it comes to businesses processing data from their customers, as this would imply, for instance, asking for all customers’ individual consent before storing their data on Sales Force.
  • Performance of a contract between the data subject and the controller. It is important to note that this only applies where the transfer is occasional and only for those that are objectively necessary for the performance of the contract.

What about third countries other than the US?

The CJEU has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the CJEU for transfers to the US applies for any third country, and the same goes for BCRs.

What should I do when it comes to processors transferring data to the US?

Pursuant to the EDPB FAQs, where no supplementary measures can be provided to ensure that US law does not impinge on the essentially equivalent level of protection as granted by the GDPR and if derogations under Article 49 GDPR do not apply, “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the US. Data should not only be stored but also administered elsewhere than in the US”.

What can we expect from the CJEU next?

The EDPB is currently analysing the CJEU judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures.

ICO statement

The ICO is continuously updating their statement on the CJEU Schrems II judgement. The latest version so far dates 27th July and it confirms that EDPB FAQs still apply to UK controllers and processors. Until further guidance is provided by EU bodies and institutions, the ICO recommends to take stock of the international transfers businesses make and react promptly plus they claim that they will continue to apply a risk-based and proportionate approach in accordance with their Regulatory Action Policy.

Other European Data Protection Authorities’ statements

Some European data protection supervisory authorities have provided guidance in response to the CJEU Schrems II judgement. While most countries are still considering the implications of the decision, some other are warning about the risk of non-compliance and a few of them like Germany (particularly Berlin and Hamburg) and Netherlands have openly stated that transfers to the US are unlawful.

In general terms, the ones that are warning about the risks claim the following:

  • Data transfers to the U.S. are still possible, but require the implementation of additional safeguards.
  • The obligation to implement the requirements contained in the CJEU’s decision is both on the businesses and the data protection supervisory authorities.
  • Businesses are required to constantly monitor the level of protection in the data importer’s country
  • Businesses should run a previous assessment before transferring data to the US.

The data protection supervisory authority in Germany (Rhineland-Palatinate) has proposed a five-step assessment for businesses. We have prepared the diagram below which summarizes it:

Can the level of data protection required by the GDPR be respected in the US?

The CJEU considered that the requirements of US domestic law and, in particular, certain programmes enabling access by US public authorities to personal data transferred from the EU, result in limitations on the protection of personal data which do not satisfy GDPR requirements. Furthermore, the CJEU stated that US legislation does not gran data subjects actionable rights before the courts against the US authorities. 

In this context, it seems difficult that a company could be able to demonstrate that they can provide an adequate level of data protection to personal data transferred from the EU, because basically it would have to bypass US legislation.

Latest moves in the US Senate does not shed light in this issue, because the “Lawful Access to Encrypted Data Act” was introduced last month. It mandates service providers and device manufacturers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of a lawfully obtained warrant.

Do you make international data transfers to third countries? Are you affected by Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance servicesContact us today.