Privacy Notices Quick Guide

The right to be informed

All businesses that collect and handle people’s personal information need an external-facing Privacy Notice (also known as a Privacy Policy).

Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements for our Privacy Notices.


Advances in AI – how should data protection teams respond?

April 2023

Will generative AI models like ChatGPT radically change life as we know it?

Everyone seems to be talking about AI lately, with a recent explosion of new tools such as ChatGPT, Whisper APIs, Microsoft Co-Pilot, Siri’s Operation Bobcat and Google Workspace.

While many people are keen to jump in and try them out, there are growing concerns about jobs being replaced by ‘robots’, inaccurate or undesirable results and, for those thinking about data protection, what types of data (including personal and special category data) are being used to train these models.

Whilst the rapid growth in AI may seem inevitable and perhaps unstoppable, some leading industry figures have called for the development and training of powerful AI systems to be suspended for six months, due to fears they pose a threat to humanity.

Elon Musk amongst others signed an open letter warning of the risks, saying the escalation in development of AI systems has spun out of control. They want to give industry time to assess the risks.

What are Generative AI and Large Language Models?

Generative artificial intelligence refers to algorithms, ChatGPT for example, which can be used to create new content such as text, images, video, audio and code.

Recent breakthroughs in generative AI have huge potential to affect our whole approach to creating content.

ChatGPT, for instance, relies on a type of machine learning called Large Language Models (LLMs). LLMs are usually very large deep neural networks, trained on giant datasets such as published webpages. Recent technology advances have enabled LLMs to become much faster and more accurate.

What are the main data worries?

With increased capability and growth in adoption of AI come existing and emergent risks. We may be reaching a trigger point, where governments and industry alike are keen to realise the benefits to drive growth. The public too are inspired to try out models like ChatGPT for themselves and find out more.

There’s an obvious risk of jobs being displaced, as certain tasks carried out by humans are replaced by AI technologies.

Concerns recognised in the technical report accompanying GPT-4 include:

  • Generating inaccurate information
  • Harmful advice or buggy code
  • The proliferation of weapons
  • Risks to privacy and cyber security

Others fear the risks posed when training models using content which could be inaccurate, toxic or biased – not to mention illegally sourced!

The full scope and impact of these new technologies is not yet known, and new risks continue to emerge. But there are perhaps some questions that need to be answered sooner rather than later, such as:

  • What kinds of problems are these models best capable of solving?
  • What datasets should (and should not) be used to create and train generative AI models?
  • What approaches and controls are required to protect the privacy of individuals?
  • What are the main data protection concerns?

The datasets used to train generative AI systems are likely to contain personal data that may not have been lawfully obtained. Certain information has been used without consideration of intellectual property rights, where the owners have neither been approached nor given their consent for its use.

The Italian Data Protection Authority (Garante) has blocked ChatGPT, citing its illegal collection of data and the absence of systems to verify the age of minors. Some observers have pointed out these concerns are broadly similar to why Clearview AI received an enforcement notice.

Key data protection considerations for businesses

We need to understand what people are doing with AI, or planning to do, across the business. Make sure they are aware of potential risks and know to ask questions, rather than dive in. Talk with business leaders and their teams to identify emerging uses of AI across your business.

We need to understand the specific AI models the business is considering adopting and get clarity about any personal data they are using, particularly any sensitive or special category data. It’s a good idea to carry out a Data Protection Impact Assessment (DPIA) to assess privacy risks and identify proportionate privacy measures.

Rather than adopting huge ‘off-the-shelf’ generative AI models like ChatGPT (and whatever comes next), businesses may consider adopting smaller, more specialised AI models trained on the most relevant, compliantly gathered datasets.

The ICO updated its ‘Guidance on AI and data protection’ in March 2023.

The prospects for further regulation

We might look to new regulation. The EU is still working on the new AI Act, to regulate the use of certain types of AI. However, there is as yet no date for it to be written into EU member state law.

Over in the States, an initial approach to AI regulation emerged in 2022, but it was very limited in its scope. Broader AI regulatory initiatives are likely in 2023/24, and individual states are looking at AI.

The National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023: guidance for organisations designing, developing, deploying or using AI systems, to help them manage the many risks of AI technologies.

The UK has no equivalent law and currently looks unlikely to get one in the foreseeable future. The UK Government recently published a white paper entitled ‘AI regulation: a pro-innovation approach’. The white paper outlines the Government’s framework, which is underpinned by five principles to guide and inform the responsible development and use of AI across the UK economy:

  • Safety, security, and robustness;
  • Appropriate transparency and explainability;
  • Fairness;
  • Accountability and governance; and
  • Contestability and redress.

So to my final thoughts. It’s vital that we seek to understand how AI models work and assess any privacy risks before adopting them within our organisations.


Efficiently handling Data Subject Access Requests (DSARs)

March 2023

The right of access is the right everyone has to ask an organisation for a copy of their personal data. Fulfilling it, though, can prove challenging, time-consuming and costly for organisations.

Complaints about DSARs account for a fifth of all complaints raised with the UK’s Information Commissioner’s Office (ICO Annual Report 2021-22).

People are clearly not satisfied with how many organisations are responding to requests. This could in part be organisations failing to comply, and in part people misunderstanding what they are entitled to receive.

Late last year the ICO took the step of issuing a number of reprimands to public sector bodies and a commercial media company in relation to DSARs. A key issue is failure to respond in time, with significant backlogs developing. The law says we must respond within one calendar month; this can be extended by up to a further two months where requests are unduly complex.

DSARs are nothing new; people had the right to request a copy of their personal data long before GDPR. Organisations are expected to have robust procedures in place and the technical capabilities to fulfil requests. What GDPR did, back in 2018, was raise awareness of this right and it’s clear more people are submitting requests.

So, how do we make sure we are on the front foot and able to respond efficiently to the requests we receive?

5-point checklist for handling DSARs

1. Staff awareness

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them, and know what to do if they receive or spot one. Everyone needs to know time is of the essence, so training is vital. The last thing you need is a delay at the very start because a request wasn’t quickly acted upon.

2. Knowing where our data is

We can’t begin to fulfil requests unless we know where personal data is located across the organisation. Which systems need to be searched (this may differ depending on who is submitting the request)? Do paper filing systems need to be in scope? Do we need to approach suppliers to assist? And so on.

This is where having an up-to-date Record of Processing Activities (RoPA) and/or Information Asset Register (IAR), which states where and how we store data, can really help to speed up the process.

3. DSARs and unstructured data challenges

It can prove particularly time-consuming searching for personal data within email systems and other internal messaging systems. This can throw up an eye-watering number of records, which can take painstaking hours to sift through to identify relevant personal data.

A clear method for searching unstructured data is essential. Automated tools can make this more efficient and thorough.

4. Resourcing

Many organisations which receive a significant volume of requests will have a dedicated person or team to handle them. But where organisations have fluctuating numbers of requests it can be difficult to predict how many people within the organisation need the expertise to handle them.

We need to factor in holidays and the potential for sick leave. Have we got other adequately trained staff, or alternative resources on standby to provide cover, especially if we get higher than routine volumes?

In a recent case in Belgium, the data protection authority ruled the fact the person who normally handled DSARs was on long-term absence was not an excuse for a late response. I think other data protection authorities would take a similar view.

It can also pay to clearly allocate responsibilities. Often other people will have to free up their time to help deliver the DSAR process, for example retrieving the data, collating or reviewing it.

5. Robust procedure

Having a clear procedure which walks staff through the key steps and considerations is invaluable, especially for times when key members of staff aren’t available and someone else needs to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.

To avoid responding to DSARs late, complaints escalating and unwelcome regulatory scrutiny, it pays to be prepared. We need to be able to log requests, keep records, effectively retrieve data, manage workflows, review documents, apply redactions and respond on time. This can be done using routine business tools, but where DSARs are becoming unduly time-consuming and costly, technical solutions developed in-house or via an external provider can help to automate and streamline the process.

DPOs and conflict of interests

EU Court of Justice says businesses should conduct assessment

I was recently mulling over with colleagues whether someone could be both the CEO and Data Protection Officer, along with another client query about whether someone could wear two hats: Consumer Services Manager and DPO.

UK/EU GDPR specifically tells us a DPO ‘may fulfil other tasks and duties’, but says the controller or processor must make sure ‘any such tasks and duties do not result in a conflict of interests’.

So, I read with some interest the recent judgement from the EU Court of Justice about the role of a DPO and the risk of a conflict of interests. (Albeit, it probably doesn’t say any more than we already suspected).

The court confirms DPOs should be ‘in a position to perform their duties and tasks in an independent manner’. This means they should not be carrying out tasks or duties which would result in them determining the objectives and methods of processing personal data within the organisation.

Where an individual may have two, or multiple roles (including DPO), organisations are urged to make an assessment of whether there’s a potential conflict of interests. This should be done on a case-by-case basis taking into account all relevant circumstances, including organisational structure.

What matters is what happens in practice. If a DPO has two roles, the organisation needs to make sure there are clear rules in place to avoid, or limit, any conflict of interests arising. (And it’s not the DPO’s job to try and resolve this).

If a DPO’s other job means they have responsibility for the data processing itself, there’s likely to be a conflict. But, in practice this may be a difficult line to draw.

The law also tells us a DPO cannot be dismissed or penalised for performing DPO tasks. However, DPOs could be dismissed from the role if they are unable, or no longer able, to carry out their duties and tasks in an independent manner.

So, can a CEO also be a DPO? Probably far from ideal. Can a Customer Service Manager also be a DPO? Possibly, if the different roles are clearly defined.

The European Data Protection Board’s DPO guidance gives us a bit of a steer. This says conflicting positions within an organisation may include ‘senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)’. This may extend to ‘other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.

Clearly, if you’re a smaller business but judge you should have a DPO, it may prove challenging, with limited numbers to choose from, to appoint a suitable person for whom a conflict doesn’t arise. One would hope any regulator would take size and resources into account.

It’s probably a good idea to follow this judgement and conduct an assessment. Clearly set out what the different roles entail, document your decision and be ready to defend it if you have to.

With all of this, it’s worth remembering:

  • the law sets out specific tasks and duties a DPO must perform
  • not every business needs a DPO!

Read our DPO myth buster covering who needs a DPO and what the role entails. And don’t forget changes may be on the horizon under the UK Data Protection and Digital Information Bill. This could require UK businesses to appoint a ‘Senior Responsible Individual’ for data protection.

Data protection and our suppliers

February 2023

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers: those acting as our processors, supporting our business.

Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common) can become onerous. It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first.

Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch: a data breach. How quickly and fully will they notify us, and how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:

  • Do they have a DPO or another individual in the business responsible for data protection?
  • Can they provide evidence of data protection policies and procedures?
  • Have they experienced a data breach before?
  • What information security procedures do they have in place?
  • How regularly are their security measures tested?
  • Do they hold any form of certification?
  • In which country/region will the data be processed?
  • Who are their sub-processors and where do they process the data?

The above is by no means an exhaustive list.

2. International Data Transfers 

There are additional considerations if international data transfers come into play. If we’re sharing data with (or allowing it to be accessed by) a supplier in a third country, we need to check what safeguards need to be in place.

For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs). There’s also the relatively new requirement to conduct a transfer risk assessment, and consider if additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept?

UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO have published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions – Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent?

It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

For suppliers considered a higher risk, it may be prudent to audit them routinely. In doing so it’s important to be clear which aspects of the supplier’s business need to be scrutinised.

Creating a framework which is tuned and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data are handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out when the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

7. Certification – in the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into data privacy) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating with multiple suppliers. As the saying goes, ‘you can only eat an elephant one bite at a time’: the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.

Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy. 

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research, approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with: 

1. Do I need to worry about data protection regulation?

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all, and it will depend on the risk appetite of your organisation.

2. Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis. 

3. Do I need a RoPA (Record of Processing Activities)?

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA if all of the following apply:

  • Processing does not pose a risk to the rights and freedoms of the data subject
  • No special category data is being processed
  • Processing is only done occasionally

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form itself is not required.

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4. Do I need to register with the ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt; not-for-profit status is one possible exemption.

5. Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6. How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers, and they have simple step-by-step set-up guides. There is really no excuse not to have a cookie notice.

7. What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them? 

8. What about Individual Rights?

Yes. Every individual has clear rights and irrespective of the size of the organisation you need to fulfil these requests. 

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business but it’s important to decide how to recognise and respond to these requests from individuals. 

9. Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are: 

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

10. What about International Data Transfers?

Hopefully no! If you and your suppliers are only operating in the UK and Europe, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When EU-US Privacy Shield was invalidated in 2020, this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to only work with companies based in the UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three, and the reality is that you must either accept they’re not going to change anything for you, or choose not to use them.

Conclusion

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care. 

There’s more helpful information available on the ICO’s Small Business Hub.

Takeaways from Meta’s huge fine

January 2023

Digital advertising faces significant changes in the wake of the latest fine to be levelled at Mark Zuckerberg’s Meta.

The Data Protection Commission (DPC) for Ireland has fined Meta (Meta Platforms Ireland Limited) a huge €390 million. It was ruled that Meta’s reliance on contract terms as the lawful basis for personalised advertising on both Facebook and Instagram is invalid.

On top of the fine the DPC has given Meta three months to comply with its interpretation of the EU GDPR.

What does this mean for social media advertising?

Behavioural advertising on the Facebook and Instagram platforms is targeted using user-profile information. It’s based on people’s online activity and other details they share with the platform. This helps advertisers to target individuals based on location, hobbies, interests and other behaviours.

This latest ruling calls into question whether social media platforms must seek their users’ prior opt-in consent for behavioural advertising, rather than rely on the contractual terms people sign up for to use the platforms.

If social platforms switch to opt-in consent, users will inevitably gain far more control over the adverts they see. But on the flipside, the number of individuals available for targeting by advertisers is likely to decline. This would have a big impact on the marketing mix for many companies.

What’s behind the Meta ruling?

The DPC’s investigation stretches back to complaints originally raised on the very first day EU GDPR came into force, in May 2018. From the get-go, it was argued Facebook’s (now Meta’s) processing for personalised advertising was unlawful.

Significantly, prior to May 2018, Facebook Ireland updated both Facebook’s and Instagram’s Terms of Service. ‘Implicit consent’ had previously been used for behavioural advertising, but with consent being much more onerous to achieve under GDPR, there was a switch to relying on contract as the new lawful basis for the ads.

Users were asked to click ‘I accept’ to the updated Terms of Service and, in doing so, by default accepted behavioural advertising as part of the service package. The platforms simply would not be accessible if users declined. The Irish DPC has now rejected contract as a valid lawful basis for behavioural advertising.

This ruling follows a lot of uncertainty and disagreement between the DPC, other EU regulators and the European Data Protection Board (EDPB), over the use of contract as a legal basis for this type of advertising.

The Chair of the EDPB, Andrea Jelinek, said: ‘The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.’

This latest ruling represents a U-turn by the DPC, who have now stated their decisions ‘reflect the EDPB’s binding determinations.’

This is not Meta’s only fine. In September 2022, the DPC fined Meta €405 million for allowing minors to operate business accounts on Instagram, and there have been others. Unsurprisingly Meta plans to appeal both of the DPC’s decisions.

Key takeaways for digital advertising

  1. The burning question is ‘Can I still run ads on Facebook & Instagram?’. Technically yes – the ruling applies to Meta, not its advertisers. Meta, for its part, said: ‘These decisions do not prevent personalised advertising on our platform.’ However, using these platforms is not without potential risks.
  2. Data protection by design is paramount for digital advertisers. There’s a regulatory expectation that the interests, rights, and freedoms of individuals are respected. Platforms need to evidence these considerations have been taken into account.
  3. Users must be given a real choice. They must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. They must be given meaningful control and the platforms must be able to demonstrate there is user choice through the data lifecycle.
  4. Accountability is key – there should be genuine transparency around how and why personal data is processed and who is responsible for that processing.

Max Schrems, privacy activist and honorary chair of Noyb, said: ‘People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.’

Estelle Masse, Global Data Protection Lead at Access Now, said the decisions are ‘hugely significant’ for online companies which rely on targeted ad revenues. She said they should look at whether the way they deliver ads online is ‘legal and sustainable.’

Data sharing: 10 point checklist

January 2023

Many companies need to share personal data with other organisations, be this reciprocal, one-way, a regular activity or ad hoc.

Data protection law doesn’t stop us doing this, but we need to be sure our sharing of data is lawful and transparent. We need to keep in mind other key data protection principles, such as minimisation and security.

The ICO’s Data Sharing Code of Practice provides detailed steps companies would be expected to have covered off. This code is aimed at sharing data with other controllers: organisations who’ll use the data for their own purposes. (There are other considerations for sharing data with processors: our suppliers acting on our behalf.)

10-point data sharing checklist

  1. Necessity: Do you really need to share personal data? Could the same objective be achieved in a different way? Can data be anonymised? We need to be able to demonstrate the sharing of personal data is actually necessary.
  2. Transparency: Do people know their data is being shared? Have we told them, how did we tell them and is this sufficient? There shouldn’t be any surprises!
  3. Lawful basis: Have we clearly identified a lawful basis for sharing and met the relevant conditions for this basis? (See: Quick guide to lawful bases.)
  4. Data minimisation: Can we reduce the amount of personal data we’re sharing? Does the other organisation only need a specific sub-set?
  5. Security: Have we agreed appropriate measures to protect the personal data, both in transit and at rest? This includes the secure transfer of, and/or access to, the data. Also be sure to have procedures in place for dealing with a potential data breach. It’s worth noting the ICO’s code says: ‘Organisations that you share data with take on their own legal responsibilities for the data, including its security. However you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.’
  6. Individual rights: Are appropriate policies and procedures in place so people can easily exercise their privacy rights, such as erasure requests or DSARs?
  7. Retention and destruction: Have we decided how long the personal data needs to be kept for? Do we have arrangements in place for data destruction when this period ends? (See: Retention Guidance.)
  8. International transfers: Is the personal data being shared with an organisation based outside the UK or, if we’re in Europe, outside the EEA? Have we considered the compliance of any international data transfers? (See: International Data Transfers Guide.)
  9. Data Sharing Agreements: Should we have an agreement in place to cover the data we’re sharing? This could be a separate agreement, or could be covered by the inclusion of specific data protection elements within other contractual terms. The ICO’s code includes details of what such an agreement should include.
  10. Data Protection Impact Assessments: Do we need to conduct a DPIA? Even if the sharing doesn’t fall under the mandatory requirement to carry out an assessment, depending on the nature and sensitivity of the data, it may be a good idea to conduct one anyway.

Some other data sharing points to consider

Sharing children’s data

If we’re planning to share children’s data, we should proceed with care. We need to assess how to protect children from the outset, and we’ll need a compelling reason to share data relating to any under 18s. This is likely to be a case where a DPIA is a very sound idea.

Compatibility

Is the organisation we’re sharing data with going to use the data for a purpose which is compatible with the original purpose it was collected for? The UK Department of Education came a cropper for sharing data for incompatible purposes.

Mergers & acquisitions

If we’re engaged in a merger or acquisition, or another change in our company’s structure, this is likely to mean data is shared. Do people know this is happening? Will the data be used for a similar purpose? Robust due diligence is a must, and perhaps a DPIA to assess the risks.

Sharing data lists

Data lists are often shared by data brokers, credit reference agencies, political parties, marketing agencies and so on. The ICO’s code makes it clear: you are responsible for compliance with the law for the data you receive, and for data that is shared on your behalf. You must make appropriate enquiries and checks in respect of the data, including its source and any consent given.

Sharing in an emergency

We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The message from the ICO is clear: in an emergency you should go ahead and share data as is necessary and proportionate.