Sunday, 8 January 2017

When does the General Data Protection Regulation not require firms to appoint a Data Protection Officer?

I’m increasingly asked whether particular firms actually need to appoint a Data Protection Officer in order to comply with the requirements of the GDPR. Given that the potential fine for non-compliance (with Article 37) is €10 million Euros or up to 2% of the total worldwide annual turnover, companies quite understandably don't want to get such a basic issue wrong. Many firms that are basically B2B firms, who mainly process personal data for HR purposes, don't want to goldplate their privacy compliance programmes (to the extent they have any) by taking unnecessary action.

The Article 29 Working Party published an opinion on this subject last December. To be frank, it’s only somewhat helpful.

With regard to the private sector, firms that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale, must appoint a DPO.

The meaning of “core activity” has been set out in Recital 97. This relates to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. The A29WP opines that “all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

So, it would appear that the GDPR does not require firms that simply process personal data for HR purposes to appoint a DPO.

But what about, say, the customer data that's processed by firms – particularly by those in the B2B sector? How much (personal) customer data needs to be processed before the threshold for appointing a DPO is reached?

To answer this question, I’ve looked at the A29WP’s guidance on the meaning of the term “large scale”. Firms that don't process such data on a large scale don’t need to appoint a DPO. Unfortunately, the guidance (and the GDPR) is sketchy on what the term actually means.

Recital 91 explains, in the context of Data Protection Impact Assessments, that “large-scale processing operations” include those “which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk’ to individuals. On the other hand, the recital specifically provides that ‘the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.

So, the test appears to focus on the size of the firm, as well as the amount of personal data that is being processed. Accordingly, some types of SMEs – the smaller ones - will not be required to appoint a DPO. This is important, as SMEs account for more than 99% of all UK businesses.

Unfortunately, there is one very large fundamental problem with the SME sector.  That problem is that even within the UK government, there is no single definition of what a small or a medium enterprise is.

According to The Company Warehouse, for the purpose of Research and Development Tax Relief, HMRC defines an SME as a business with not more than 500 employees and an annual turnover not exceeding £100 million.

However, the rest of the UK government does not use this definition.

For the purposes of collecting statistics, the Department of Business, Innovation & Skills defines SMEs as companies with less than 250 employees.

For accounting purposes, Companies House defines a small business as employing less than 50 people and a turnover under £6.5 million and a medium business as less than 250 employees and a turnover under £25.9 million.

To further complicate things other parts of the UK government use the EU definition of an SME:
  • Micro Business = less than 10 employees & turnover under £2 million
  • Small Business = less than 50 employees & turnover under £10 million
  • Medium Business = Less than 250 employees & turnover under £50 million

So depending on which definition you use, an SME could have anywhere between 50 and 500 employees and have a turnover between £6.5 million and £50 million.

One way to encourage SMEs to comply with the GDPR must involve coming up with an easier definition of when they must appoint a Data Protection Officer.


Sources:
http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pd
https://www.thecompanywarehouse.co.uk/blog/2012/07/31/what-is-an-sme/

.

Saturday, 31 December 2016

My (somewhat unreliable) data protection predictions for 2017

I’ve recently had a quiet year on the blogging front – my professional duties have prevented me from playing a more active role on the Internet during this year than I would have liked, but that is set to change in 2017. 

My professional work this year included acting as a specialist adviser to the Joint Parliamentary Committee on the Draft Investigatory Powers Act, one of the most significant pieces of legislation to be laid before Parliament for many years, to advising large (and some not so large) companies, particularly in the financial services sector, on the steps they should consider taking to show how they comply with their current and their future data protection obligations.

Next year? Who knows whom I’ll be advising!

But what can I (unreliably) predict for the forthcoming year?

  1. The incoming Deputy Information Commissioner (Policy), who starts work in Wilmslow on 30 January, will amaze the data protection community with his knowledge of data protection law and practice. He will be supported through the year by key ICO staff who have a very considerable amount of knowledge of data protection law and practice.
  2. An increasing number of organisations will realise that, unless they start soon, they won’t have the time (or access to much external professional support) to fully prepare for the coming into force of the GDPR in May 2018. There are, after all, only 513 days to go. The final text of the GDPR was published some 750 days before the implementation date. Many organisations have done virtually nothing during the first third of the preparation period.
  3. A couple of private sector firms will decide to pay an ICO Civil Monetary Penalty, rather than go into liquidation and, like a phoenix, arise from the ashes and continue trading under a different corporate name.
  4. Data protection professionals will continue to feast on nuggets of guidance from the Article 29 Working Group, despite some of the Working Party officials privately advising key opinion formers to ignore parts of what was “agreed”. The Working Group offers opinions. They're not definitive statements of the law that must be ruthlessly adhered to.
  5. European courts and European privacy regulators will continue to present challenges to European law enforcement authorities, making it even more cumbersome for stored communications data to be used to fight various types of crime. Even the ICO may be denied access to communications data to address the problems caused by spam, because sending unsolicited communications may not be a sufficiently serious “crime” to justify the use of stored communications data for such a purpose.
  6. The ICO’s new satellite office in Central London will prove so successful that an increasing number of staff will want to work from that office. It is, after all, quite a long way from Wilmslow.
  7. The Information Commissioner will continue to increase the profile of herself and her office, using a wide variety of channels to get the message across. Her highlight of the year will be an appearance on Desert Island Discs.
  8. Stratospheric salaries offered to experienced data protection practitioners in the (heavily regulated parts of the) private sector will continue to encourage ICO staff to seriously consider their commitment to working long-time for the regulator. 
  9. Public sector data controllers will, facing yet another series of efficiency savings, find it harder to evidence how they are meeting data protection requirements. Some “good” public authorities will become “grotty” at evidencing data protection.  More public authorities will ask the ICO not to publish the executive summaries of recent ICO audits. Unlike data protection professionals, local councilors are occasionally eligible for civil Honours, and they wouldn't want to jeopardise their chances of an Honour by being associated with a data protection snafu.
  10. The British Computer Society will demonstrate its commitment to data protection education by withdrawing the harder of its two professional data protection certifications, on the grounds that not enough candidates can be bothered to take such a rigorous exam to make it financially viable. 
Thats is it for this year’s predictions. My crystal ball clouds over when Brexit is mentioned.  No one has the faintest idea of what the data protection implications will really be. My heart tells me that the UK will experience a hard Brexit, and that however the GDPR is implemented by the UK, the EU will refuse to accept that ‘Blighty has data protection standards that are equivalent to those that prevail elsewhere in the EU. Despite this, I remain confident that the UK will end up with data protection standards that are both realistic and appropriate for people who live in the UK.

My glass is always half full. Its never half empty.

Happy New Year.

.


Wednesday, 16 November 2016

Apollo – they can’t still be up to their old tricks?

Two years ago I blogged about an unsettling experience I had with Apollo, a firm that had confused me as to what they were really all about. 

Since then, I’ve had a number of emails from people who have had similar experiences. Today, I’m reprinting (most of) the most recent one – which comments about an organisation called Apollo-Transitions. Surely, this is not the same company as the Apollo company I had encountered?  But, spookily, Apollo Transitions Ltd has a remarkably similar logo to the old Apollo– and the same colour scheme. And, Geoff Russell, the person I met in 2014, is a member of the senior team.

Anyway, here’s the letter:

I have recently moved back to the UK [redacted].

As you did, I received the standard email wanting to organise a meeting with the senior partner etc. Whilst it all seems very odd, having a bit of time on my hands I thought I would go to a few meetings to see what I thought. By nature I'm a suspicious guy and to me this doesn't add up.

Like your experience in London I was very underwhelmed with the offices. A Regus office with no signage for Apollo in Cambourne, Cambridgeshire. 

Meeting the with senior partner was a great boost to my confidence as after a few questions and computer exercises (over the two meetings) I feel like I could head up NASA and solve world peace on the side. Whilst I understand that they are pumping up my ego, which is a great thing for job seekers, it's the little things that nag me.


  • Why no signage?
  • Why doesn't the ISO accreditation check out?
  • Recent company name changes
  • Long list of registered and de registered companies associated.
  • £1000 up front and £2000 paid over two months with no guarantees?
  • Very vague reviews
  • Concrete testimonials
  • Not seeing any other customers coming or going over two meetings.
  • Generic career management options.
  • A lack of contacts of partners and staff on LinkedIn?
  • So many directors/ partners etc
  • Why did the laptop provided have no up arrow key button?
  • The white board having the same writing on it for a week.
  • Taking an important phone call during the meeting to explain how busy things are
  • Keeping me waiting for 5 minutes past the scheduled meeting time with no one leaving
  • A stack of topical books for improvement, job progression.

During the process I was under the impression I would be put in contact with some senior executives and would basically be buying a contact list and referral. When I asked this directly that seems not to be the case?

I find this whole thing very odd. In perspective £3000 for your dream job is probably a good buy but it's a hell of a lot of money for someone to jazz up your cv and say don't fidget during an interview.

If I had a lazy £3000 I would follow this through out of interest but i think the old additive "if it's too good to be true" probably is the one to use in this situation.

As a disclaimer I would love to be completely wrong about his company. I hope they are placing thousands of people in great jobs who are advancing their careers and improving both their and their families lives.

I share these closing sentiments, too.



.

Wednesday, 9 November 2016

Post the result of the US Presidential election, what hope is there for the Privacy Shield?

In light of the recent US elections, paving the way for a Trump presidency in 2017, why should companies take the risk of adopting the Privacy Shield as a means of legitimising EU/US transfers?

Frankly, I wouldn't bother.

Not until the latest set of legal challenges has been resolved, anyway.

Why?

Well, a recent lunch with a chum who is closer to the minds of the policy-making and legal elites within the EU reminded me of the deep cultural divide that exists inside the Brussels bubble. “Fortress Europe” is the phrase that springs to mind, with a deep unwillingness on the part of the European institutions to accept that other views can quite legitimately be held by actors outside that fortress.

I’m a little worried at how quickly the relations are likely to sour between the UK and the European Institutions, post Brexit. I used to predict with confidence that, post Brexit, representatives from the ICO would be invited to observe the meetings of the (by then) European Data Protection Board, the successor to the Article 29 Working Party. And, that the ICO’s sensible and pragmatic advice would continue to be appreciated by the working groups that will be set up by the Board.  But I’m not so confident now.

My chum had an alarming tale to tell about the way the European institutions maneuvered to impede the work of some of the European groups they were involved with – because the project wasn't wholly within the European Commission’s control. Later, I learnt a little more about the basis on which the Commission decided that certain non-EU countries had “adequate” levels of data protection. Enough said. I won’t reveal any more details.

But the impression I was left with was that the European Commission acts when it is politically expedient for it to act. It either leads, or follows, public opinion. In terms of the General Data Protection Regulation, I think its fair to assume that it’s leading public opinion. After 27 years in this game, I still struggle to meet many members of the public who are as obsessed with privacy as those that devised the GDPR. And I’ve met fewer that have the mental capacity to understand such a complicated Regulation.

So, given a US President –elect with an “American First” agenda, what is the likelihood of EU judges agreeing that the Privacy Shield provides adequate protection against whatever today’s American bogyman is? 

Regardless of the comforting words muttered by some of Europe’s elite, congratulating Donald Trump on his achievement, I sense the tectonic plates shifting again, with Fortress Europe building ever stronger protections against those oiks who see themselves at nationalists, rather than Europeans.

I sense that, post Brexit, most European institutions will be giving the Brits the cold shoulder as we try to engage with European businesses – while the Americans will face a much frostier reaction.

And I suspect that one of the battles will rage around the EU–US personal information flows.

I suspect that well intentioned Europeans will redouble their efforts to prevent EU citizen’s personal data being transferred what they perceive to be an evil empire -  despite the heroic efforts by both sides to agree a framework that was more reassuring than Safe Harbor.

And I suspect that the EU courts may find some sympathy with their motives.

So, we are due a fierce fight about the legitimacy of the Privacy Shield. It ain’t court proof, and I’m awaiting with some degree of unease the result of the legal challenges that have already been made, and, no doubt, the result of further legal challenges that will come. 

My advice to data controllers who worry about such issues today is simple: Sit tight, rely on the current European Commission-approved model clauses to legitimize your EU/US data flows, wait for them (in turn) to be denounced by the European courts, and then wait several months before the European Commission decides what form of legalese really does need to be incorporated into the contracts. And then act.


Sunday, 30 October 2016

Post Brexit, what options are available for a GDPR-light Data Protection Act?

Let’s think the unthinkable.

Lets assume that, post Brexit, the British Government has an opportunity to decide how its data protection legislation should reflect the requirements of an aspiring British economy. And let’s assume that the Minister with responsibility for Data Protection asks for options about trimming back those elements of the General Data Protection Regulation that are unduly burdensome and, in practice, actually do very little to safeguard fundamental human rights.

Why might a Minister make such a request?

Just think of the pressures that are likely to face the public purse. Data controllers in the public sector will continue to have significant budgetary pressures over the next decade. So, all statutory obligations that have cost implications will need to be reviewed and justified. Difficult choices will need to be made. Costs that cannot be justified shouldn’t be permitted to continue to be imposed. And if the costs can’t be justified for public sector data controllers, then the same arguments ought to be able to be made with regard to (most) other data controllers.

What options might feature on the Minister’s list?

Hopefully, the following issues will be included:

  • Allow data controllers to levy a (relatively small) Subject Access Fee. In 27 years as a data protection practitioner, I’ve encountered too many situations where the individual had raised a complaint with the data controller, and had invoke the SAR process as a way not of resolving their complaint, but to “get their own back” and unnecessarily tie-up scarce resources. Its been my experience that a small SAR fees deter a good many unmeritorious requests.
  • Examine whether the GDPR right to require a data controller to pass an individual’s personal data directly to another data controller really ought to be a “fundamental” right, and thus within the ambit of the GDPR. Surely it should be up to the discretion of the data controller as to whether they should offer such a service to their customers.
  • Query whether it is necessary for there to be an obligation on certain (or any) organisations to appoint a DPO with the responsibilities that are specified in the GDPR. Why should a DPO, for example, be treated so differently to any other senior employee?
  • Query why fines for non-compliance need be set so high, or the higher rate (4% of global turnover) applicable for breaches of so many Articles of the GDPR , when the lower rate (2%) is arguably just as dissuasive.
  • Examine the mess that the rules on transborder data flows will impose (particularly) on cloud providers, and embark on a more pragmatic, less dogmatic, approach.
  • Query whether Data Protection Impact Assessments are required in so many cases, and whether the DPIA needs to address all the issues set out in the GDPR. Why can’t data controllers take a more pragmatic, risk-based approach be taken?
  • Clarify just what processes data controllers should document in order to demonstrate accountability, so that they aren't led to believing that a huge range of, for example, information flows, must be documented in considerable detail, on pain of a whopping fine from the regulator if they don’t.
  • Query whether individual’s rights really need to be as complicated as they are set out in the GDPR – which provides that their rights will depend, to some extent, on the legal grounds that data controllers rely on for processing personal data. Individuals may rightly feel aggrieved if their “rights” are oversold by people keen to sell the virtues of the GDPR. Individuals have to accept that data controllers have rights too.
  • Query the requirements & logistics for obtaining consent when data relating to children are being processed. Ignore the EU’s lower age limit of 13 and continue to accept that, in Scotland at least, young people can be treated differently to other minors when they reach the age of 12.
  • Query whether it is necessary to explain what an organisation’s “legitimate interests” are, when the legitimate interests condition is being used to process data.

These are all issues that don't really affect an individual's “fundamental” human rights. So, there is the possibility that some – or most- of them could be incorporated into a new Data Protection Act without the UK being accused of denying UK citizens rights that are equivalent to the fundamental human rights that are enjoyed by EU citizens.

“Equivalent” rights should not be taken to mean that a post-Brexit Data Protection Act should offer UK citizens rights that are “identical” to their EU chums. After all, countries like the Faroe Islands, Israel & Canada were awarded “adequacy” status by the European Commission a few years ago – not because their laws were identical to the requirements in the Data Protection Directive, but because it was, on balance, expedient for those countries to be so recognised.

.