For further information contact Mike Bradford or Helen [email protected] 1
www.regulatorystrategies.co.uk
Headlines this month:
Data Protection Bill
ICO Guidance
UK is a 3rd country for data transfers from 30 March 2019
E-Privacy update – marketing and the ‘soft opt-in’
GDPR and the Credit Industry
ICO announces it will take proportionate approach to GDPR fines
Commission releases Communication on GDPR
Regulatory Strategies announces two GDPR events – places are still available – details and registration form attached
Commentary:
Data Protection Bill
On 17 January, the Data Protection Bill received its Third Reading in the House of Lords
and will now be considered by the House of Commons.
Schedule 1, Part 3 of the Bill specifies the additional conditions that must be met for personal data relating to criminal convictions to be processed otherwise than under the control of official authority, a national derogation permitted under Article 10 of the GDPR.
A number of amendments were made by peers, including those tabled by the Government on automated processing to bring the Bill into line with the GDPR, which was helpful.
Opposition amendments to open up the manual elements of the automated decision-
making process were defeated. A version of the Bill after Report Stage, but before the
Third Reading, can be viewed here.
Data Protection Newsletter
February / March 2018
ICO Guidance
The ICO has published an updated Guide to the GDPR. The sections on Lawful basis for processing and Rights related to automated individual decision-making, including profiling, contain new, expanded guidance.
The ICO has expanded the page on Personal data breaches and updated the section
on Documentation with additional guidance and documentation templates.
The ICO has also added new sections on legitimate interests, special category data and
criminal offence data, and updated the section on consent.
UK is a 3rd country for data transfers from 30 March 2019
In a notice issued on 9 January, the EU Commission makes clear that 'in view of the
considerable uncertainties, in particular concerning the content of a possible
withdrawal agreement, all stakeholders processing personal data are reminded of legal
repercussions, which need to be considered when the United Kingdom becomes a third
country.'
'Subject to any transitional arrangement that may be contained in a possible withdrawal
agreement, as of the withdrawal date, the EU rules for transfer of personal data to third
countries apply.'
The Commission states that aside from an "adequacy decision", there are additional
options under the GDPR, such as using Binding Corporate Rules, contractual clauses,
codes of conduct or certification mechanisms. The Commission is working with
interested parties and data protection authorities to make the best use of these new
instruments.
The Commission makes no comment on the UK's possible adequacy in this notice. The UK Data Protection Minister, Matt Hancock (promoted on 8 January within the same Department to become the Cabinet-level Secretary of State), has said that the UK aims to achieve an adequacy decision, but we must wait until the Brexit negotiations have reached the point at which data protection issues are addressed.
E-Privacy Update
On 10 January 2017, the European Commission published the proposed text for a new
E-Privacy Regulation (the draft regulation). When adopted, the draft regulation will
replace the current E-Privacy Directive (2002/58/EC) (the Directive) – PECR in the UK.
Since the Directive's last update, there has been a revolution in the electronic
communications sector, with the use of over-the-top (OTT) communications service
providers overtaking more established forms of electronic communications.
The legislative aim is that the draft regulation will bring OTT services into scope and, as
it is a regulation rather than a directive, harmonise the legal approach in this area
across EU member states in the same way that GDPR will do. This should reduce
compliance costs for companies in the long term.
The original draft:
applies to ‘over the top’ service providers such as WhatsApp, Facebook, Gmail
and Skype and not just to telecommunications service providers;
takes the form of a Regulation rather than a Directive;
covers both content and metadata derived from electronic communications –
both will need to be anonymised or deleted if users have not given consent,
unless required for billing purposes;
gives traditional telecommunications providers more scope to use data and
provide additional services subject to obtaining appropriate consent;
streamlines rules on cookies – consent to cookies will be able to be given through browser settings, and consent will not be needed for non-privacy-intrusive cookies that improve the internet experience or for cookies set to count visitors to a website;
bans unsolicited electronic communication by any means including phone calls if
users have not given consent;
allows Member States to require that marketing callers display their phone
number or use a special prefix; and
enhances enforcement, including by bringing penalties for non-compliance in
line with those under the GDPR.
Both the EDPS and the Article 29 Working Party expressed concerns that the draft did
not dovetail properly with the GDPR. There has also been considerable debate on
whether or not legitimate interests should be included as a justification for processing.
Publishers around Europe are particularly concerned about plans to allow users to
block third party cookies.
In November, the way was paved for trilogues to begin after the European Parliament
adopted a privacy-friendly version of the Regulation.
The EP’s proposal requires high levels of protection from unauthorised access to
electronic communications, including safety of transmission means or use of end to end
encryption. Decryption is prohibited and consent in line with the GDPR is the basis for
lawful processing.
The European Parliament calls for a ban on cookie walls (which block access to a website when cookies are refused) and on tracking without consent, including through public hotspots or shopping centre wifi networks. It also wants a restriction on snooping on personal devices via software updates. Metadata should be treated as confidential, and privacy by default should become standard for all software used for electronic communications.
Where does this leave the marketing ‘soft opt-in’?
PECR contains an exception to the requirement for consent signified by a positive action, known as the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients, or to those you have negotiated with to provide products or services, as long as:
You give them the opportunity to opt-out when you receive their contact
information; and
You give them the opportunity to opt-out when you send them subsequent
messages.
This processing is not based on consent but on the legitimate interests processing condition, and can only be relied upon by the organisation that collected the contact details.
The definition of consent under the ePrivacy Regulation will be the same as the
definition under the GDPR.
In relation to the soft opt-in, that will still be available under the ePrivacy Regulation as
currently drafted but there is a significant difference.
Consent will not be required to send customers/clients direct marketing using their email address etc. in the context of a sale of a product or service. Entering into negotiations, however, will not allow the provider to send marketing messages without consent.
This may change but at the moment it appears that the soft opt-in may be reduced in
scope to where a sale is concluded.
We would recommend that a policy of positive opt in is adopted across all channels to
avoid the potential for this becoming an issue and to have a consistent and ‘highest
common denominator’ approach to customer / client acquisition and management.
From experience we have seen that very often the inertia factor – a customer failing to opt out of marketing – results in issues later and does nothing to create a high-response / high-conversion marketing database. Offering preferences and positive opt-ins, with well-worded explanations of what the customer is agreeing to, can lead to more targeted marketing and fewer customer complaints.
The ‘double opt-in’
The so-called ‘double opt-in’ has been raised by a number of clients. However it is
important to put this into context.
A double opt-in email list is like any email-based newsletter or e-course where people can sign up through the Internet, either on a web page or by sending an email to mailing list management software. What makes an email list “double opt-in” is that any person who subscribes must confirm their request twice.
The first time is when the user submits their email address to the web-based form. After the initial request is received by the email list software, a special confirmation email is sent to the address the person entered into the form. This is the second opt-in. The email contains a link which the recipient must click to confirm their subscription request. Once they have done this they have “double opted-in”.
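The two-step flow described above, shown as an added example (this is not code from Regulatory Strategies or from any mailing list product). The emailed link carries an HMAC-signed token that binds the address to the time of the request, so a subscriber cannot confirm someone else’s address or re-use an old link after re-subscribing, and the store keeps a timestamped record of both opt-ins that can be produced as evidence of consent. The signing key, the 48-hour validity of the link and the dictionary used as the store are assumptions.

```python
"""Double opt-in: step 1 is the web form, step 2 is the click on an
HMAC-signed confirmation link. Example code added to this newsletter;
the key, link lifetime and in-memory store are assumptions."""
import base64
import binascii
import hashlib
import hmac

# Assumption: a real deployment loads this from a secrets manager.
SIGNING_KEY = b"example-key-do-not-use-in-production"
TOKEN_LIFETIME_SECONDS = 48 * 3600  # assumed validity window for the emailed link


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """Token placed in the confirmation link: payload 'email|issued_at'
    authenticated with HMAC-SHA256, so a link cannot be forged for
    another address or for a different request time."""
    payload = f"{email}|{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def request_subscription(store: dict, email: str, now: int) -> str:
    """Step 1 (first opt-in): the form submission. Records a *pending*
    entry, which is not yet consent, and returns the token the
    confirmation email would carry."""
    store[email] = {"status": "pending", "requested_at": now, "confirmed_at": None}
    return make_token(email, now)


def confirm_subscription(store: dict, token: str, now: int,
                         key: bytes = SIGNING_KEY) -> str:
    """Step 2 (second opt-in): the click on the emailed link. Returns
    'confirmed', 'already_confirmed', 'invalid', 'expired' or 'unknown'."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return "invalid"  # malformed link
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"  # tampered or forged link
    # The MAC check passed, so the payload is one make_token() produced.
    email, issued_at_text = payload.decode().rsplit("|", 1)
    issued_at = int(issued_at_text)
    if now - issued_at > TOKEN_LIFETIME_SECONDS:
        return "expired"
    record = store.get(email)
    if record is None or record["requested_at"] != issued_at:
        return "unknown"  # no matching request, or a stale link after a re-request
    if record["status"] == "confirmed":
        return "already_confirmed"
    record["status"] = "confirmed"
    record["confirmed_at"] = now  # the second opt-in, with its timestamp
    return "confirmed"


def may_send_marketing(store: dict, email: str) -> bool:
    """Only addresses that completed both steps are mailable."""
    record = store.get(email)
    return bool(record and record["status"] == "confirmed")


if __name__ == "__main__":
    consent_store = {}
    link_token = request_subscription(consent_store, "alice@example.com", 1_700_000_000)
    print(may_send_marketing(consent_store, "alice@example.com"))      # pending: False
    print(confirm_subscription(consent_store, link_token, 1_700_000_060))
    print(may_send_marketing(consent_store, "alice@example.com"))      # confirmed: True
```

The point of the signed token is that the confirmation is tied to the specific request (address and time), and `hmac.compare_digest` avoids leaking the MAC through timing. The `requested_at`/`confirmed_at` pair in the store is the record you would produce if asked to evidence when and how the consent was given.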
We consider that this rather cumbersome approach to evidencing consent does not add value – either commercially or from a compliance perspective – when email addresses are captured legitimately in the context of doing business.
There may be an application in the case of bought-in lists but we would urge the use of
warranties and indemnities to offer commercial protection and compliance mitigation
should an email address prove to be non-permission based.
There is no legal requirement for a double opt-in.
Timing
We now know that the e-privacy Regulation is not ready to coincide with GDPR
implementation.
It is hoped that the trilogue on the EU e-privacy Regulation will start after the summer recess, although the Council is trying to reach a joint position by June.
GDPR and the Credit Industry
With the introduction of the General Data Protection Regulation from 25 May 2018,
lenders will need to review the Fair Processing Notices provided to customers, which
set out how customers’ data will be used and processed.
The Credit Reference Agencies (CRAs) have worked together to produce a standard
Credit Reference Agency Information Notice (‘CRAIN’), which sets out how data will be
processed by the three CRAs – Callcredit, Equifax and Experian. The CRAIN has been
drafted to comply with GDPR and seeks to inform consumers in much more detail than
has previously been the case. It has been shared with the Information Commissioner’s
Office (ICO), which is comfortable with the approach taken.
Over 500 firms currently share data via the CRAs and so it is important that a
consistent approach is adopted when informing customers about data processing. The
CRAIN seeks to deliver this consistency and it covers data processing over the life of a
credit agreement. CRAs will be unable to share data with lenders who do not adopt the
CRAIN in its current format.
A layered approach
The CRAIN adopts a layered approach:
Lender Layer – This is where lenders will inform customers how their data will be used
and shared – and with whom, for example, via CRAs, CIFAS and other organisations. The
information will not be prescriptive but it must include a link to the CRAIN.
Experian: www.experian.co.uk/crain
Equifax: www.equifax.co.uk/crain
Callcredit: www.callcredit.co.uk/crain
CRAIN Layer – The CRAIN is around 24 pages long and provides a comprehensive
summary of how data is shared by the CRAs and covers additional issues such as Subject
Access Rights. It is in a standard format across all three CRAs and the text must not be
changed. In non-digital transactions, the ICO has indicated that a copy of the CRAIN
should be available to the customer should they want to see a copy.
In on-line applications, a link to the CRAIN can be readily provided allowing customers
to access the relevant information. However in face-to-face and telephone transactions
lenders will need to consider how the CRAIN can be provided at point of application,
should the customer want to read the information in full.
A customer must be given the opportunity (even if they choose not to take the
opportunity) to access and read the CRAIN at the point of application.
Face-to-face applications: (for example, in a retailer or motor dealership).
The lender’s FPN must be provided. In addition, paper copies (or a medium
suitable to the customer’s circumstances) of the CRAIN must be available at the
point of application. In some cases, it might be possible to show the customer a
copy of the CRAIN on a screen as part of the application process.
Online applications: Customers must be referred to the lender’s FPN, which includes a link to the CRAIN. They should be given the opportunity, if they choose to do so, to click on the link and read the CRAIN. Giving consumers a link which they can access at a later date is unlikely to be sufficient. If customers choose not to access it until a later date, that is their prerogative, but the facility must be available when they apply.
Telephone applications: The lender’s FPN should be read out to the customer
at the point of application. The customer must also have access to the CRAIN.
If the customer has access to the internet, a link could be provided for the
customer to access. If the customer wants to read the CRAIN, this would need
to be accommodated before the application could proceed.
CRA Layer – This is where CRAs will include other Notices which relate to specific
processing they are involved in respect of different products and services, which may
not be reflected across the other CRAs.
Processing Grounds
The CRAs are basing their processing on the ‘legitimate interest’ ground – which has
been in place for many years and is recognised by the ICO. Lenders will need to look at
which ground is best suited to their own use of customer data, however lenders must
not infer that any other ground apart from legitimate interest applies to data shared via
the CRAs.
Rights to Object and Data Erasure
CRAs expect to receive requests from consumers for the erasure of CRA data under Article 17 and objections to CRA processing under Article 21. CRAs believe that in the majority of these cases it will not be consistent with the GDPR for these requests/objections to be upheld, because of the existence of ‘overriding legitimate grounds’ under Article 17(1)(c) or ‘compelling legitimate grounds’ under Article 21(1) for the processing to continue. However, the ICO will expect each case to be considered on an individual basis.
Subject Access Requests
Clause 12 of the UK Data Protection Bill provides that where consumers raise a Subject
Access Request with a CRA, this can be fulfilled by the CRA providing the consumer with
a copy of their credit report. The Bill has still to complete the parliamentary process,
but this approach is not expected to change.
Restrictions on processing
The CRAs have expressed concern that consumers could try to interpret Article 18(2) on the basis that, if they challenge the accuracy of the data on their credit file, the CRAs should restrict all processing of the flagged credit file bureau data from receipt of the subject access request. The CRAIN sets out that under Article 18(2) such data could continue to be processed if there is a strong case for doing so.
Automated Individual Decision Making
The ICO (and Article 29 Working Party) have recently published regulatory guidance on
profiling and automated decision-making. The CRAs believe that there is nothing in the
Article 29 Working Party guidance which seeks to prohibit lender scoring activities but
that it will be for each lender to assess the guidance in line with its own contracts and
processes.
Retention Periods
There are currently no plans to move away from the current data retention period of 6
years. This period is also included in the ICO’s Credit Explained publication. However,
this issue is likely to be subject to further discussion over time.
Implementation
The CRAs have suggested that firms look to implement the required changes well in
advance of the GDPR May 2018 deadline, to ensure a seamless transition and the
continuation of data sharing.
ICO announces it will take proportionate approach to GDPR fines
The ICO is not planning to issue fines in every circumstance in which it detects a breach of the GDPR (or implementing legislation), the ICO’s Steve Eckersley said at the CPDP conference in Brussels. Eckersley stated that the ICO will also have other options, including issuing warnings or demanding an audit. He said that in many cases the reputational damage will have a greater impact than any fine.
The ICO is now recruiting an additional 100-150 people to work on GDPR aspects and
cyber security.
Commission releases Communication on GDPR
The European Commission has issued a communication to the European Parliament and
the Council on the direct application of the GDPR. The Communication outlines
remaining steps for successful GDPR preparation, and gives the measures the European
Commission intends to take up to 25th May 2018. Among the measures, there is new
online guidance from the Commission. The Communication also reveals that one year
after the GDPR enters into application, the Commission will gather feedback from
stakeholders on implementing the GDPR to feed into its evaluation and review of the
GDPR by May 2020.
Recent Data Protection Act Breaches
Record fines for company involved in illegal trade in personal information
A firm of loss adjusters in the UK has been fined £50,000 by a UK court for unlawfully
disclosing personal data that were obtained illegally by senior employees and rogue
private investigators.
The prosecution was part of an ongoing ICO investigation into allegations of a criminal
trade in confidential personal information involving corporate clients suspected of
using the services of rogue private investigators. A director and a senior member of staff
were also sentenced to record financial penalties, along with the private investigators
involved.
Elizabeth Denham, Information Commissioner, said: "The illegal trade in personal
information is not only a criminal offence but a serious erosion of the privacy rights of
UK citizens. As well as these record fines, the organisations and individuals involved
also face serious reputational damage as a result of being prosecuted by the ICO."
Carphone Warehouse fined £400,000 after serious security failings
One of the largest mobile phone retailers in the UK has been dealt a significant fine from
the ICO after one of its computer systems was compromised as a result of a cyber-attack
in 2015.
The company's failure to secure the system allowed unauthorised access to the personal
data of over three million customers and 1,000 employees. The compromised customer
data included names, addresses, phone numbers, dates of birth, marital status and, for
more than 18,000 customers, historical payment card details.
The ICO identified multiple inadequacies in Carphone Warehouse's approach to data
security, including the company's use of out of date software and its failure to carry out
routine security testing. £400,000 is the joint largest monetary penalty ever to have
been imposed by the UK regulator.
Four companies fined over spam emails, nuisance calls and spam texts
Four companies responsible for 44 million spam emails, 15 million nuisance calls and
one million spam texts have been fined a total of £600,000 by the Information
Commissioner's Office. Barrington Claims Limited was fined £250,000 for making over
15 million automated calls, Newday Limited was fined £230,000 for sending over 44
million spam emails, Goody Market UK Limited was fined £40,000 for 111,367 spam
texts and Macclesfield-based TFLI Limited was fined £80,000 for over 1.19 million spam
texts.
Director of accident claims company fined in UK
The director of an accident claims company has been fined for inventing a crash in order
to trace the owner of a private number plate he wanted to buy.
Miles Savory, 40, a director of Bristol-based Accident Claims Handlers Ltd, sent official forms to the Driver and Vehicle Licensing Agency (DVLA) requesting the identity of the registered keeper of a 4x4 which he claimed had been involved in a collision in the city.
Mr Savory was fined £335, ordered to pay £364.08 costs and a victim surcharge of £33.
Police body signs Undertaking to comply with law in UK
West Midlands Police has signed an Undertaking with the ICO to comply with the Data
Protection Act.
The Undertaking commits the police force to a raft of security measures, including risk
assessments, improved documenting of procedures related to the distribution of
information, mandatory new staff training and refreshed data protection training.
Company which made 75 million nuisance automated calls in four months fined
A company which made 75 million nuisance calls in four months has been fined
£350,000 by the Information Commissioner’s Office (ICO).
Miss-sold Products UK Ltd made the automated marketing calls between 16 November
2015 and 7 March 2016. The calls contained recorded messages, primarily promoting
PPI compensation claims, but the company did not have the recipients’ consent for
making marketing calls, which is against the law.
It also broke the law by failing to identify the organisation making the calls, while it
used so-called ‘added value’ numbers that generate revenue when an individual calls
the number, which is then apportioned and passed to associated companies and the
network carrier.
The ICO received 146 complaints from the public about Miss-sold Products. Some
people were called on multiple occasions. Others said they were unable to opt out of
receiving the calls. Some expressed further distress as they were concerned that calls
late at night may have been from family members or those to whom they provided care.
Man prosecuted and police force given undertaking after sensitive data leak on
A Kent man who posted sensitive police information on Twitter has appeared in court
after he admitted breaking the Data Protection Act.
William Godfrey, 30, of Bull Lane, Bethersden, had previously been in a relationship
with a probationary officer, and came into possession of a USB stick containing the data.
In July 2016, he tweeted the name and address of a vulnerable adult, along with details
of their health and sexual life, to the accounts of the Information Commissioner’s Office
(ICO), the Independent Police Complaints Commission and Surrey Police.
That same day, he emailed the ICO threatening to publish a 40-page document
containing personal data, which included the details of a victim of a sexual offence, and
became involved in a Twitter exchange with an independent user who saw his tweet
and warned him that he was breaking the law.
It later emerged that a separate account, operated by Godfrey, had tweeted Surrey
Police two days earlier, disclosing the details of one named individual and the fact that
they had been searched by police in relation to an offence.
The ICO contacted him to ask him not to publish the material. Godfrey later failed to
attend a meeting to hand over the USB stick and Surrey Police eventually had to take out
an injunction to retrieve it.
Godfrey admitted two offences of unlawfully disclosing personal data in breach of s55 of
the Data Protection Act when he appeared at Maidstone Crown Court, on Wednesday 17
January 2018.
He was sentenced to a 12-month conditional discharge, in part because he had been
placed on stringent bail conditions, including an electronic tag, before the hearing.
Surrey Police has also signed an undertaking to improve its procedures as a result of
this case.
Regulatory Strategies Limited Registered Office: 14 London Road Newark Nottinghamshire NG24 1TW UKRegistered in England and Wales no. 6869459 VAT no. 970 2142 43
COMPLYING WITH GDPR: A PRACTICAL APPROACH
ARE YOU READY…?
“Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018; there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.” Elizabeth Denham, Information Commissioner
Over the last two years Regulatory Strategies (www.regulatorystrategies.co.uk) has been advising clients on the impact of GDPR and ensuring they are ready for these new regulations. And our track record of helping clients with practical business solutions goes back to 2009 – and even further from our plc background.
We are now offering you the opportunity to benefit from this experience and check that you have everything in place for 25th May.
Our one-day sessions (10.30am to 2.30pm) will explain the key changes and what you need to do to meet your new obligations and give you the chance to ask any questions. The event will help you create a toolkit to comply with the new regulations whilst also taking into account your commercial realities.
Monday 5th March at the Queens Hotel, Leeds
Friday 9th March at the Wesley Hotel, Euston, London
Your discounted fee is £395 plus VAT per delegate (total £474) (normal fee £495 plus VAT) which includes a buffet lunch; copies of all the slides; a comprehensive check list of what is required to meet the requirements of complying with the GDPR; a list of the Policy Documentation that you will need to have in place; and a complimentary copy of our latest Newsletter with sections on what GDPR means in the credit data sharing world and for marketing.
Please complete the attached Registration Form and send it to [email protected]
COMPLYING WITH GDPR: A PRACTICAL APPROACH
REGISTRATION FORM
PLEASE COMPLETE ALL SECTIONS AND RETURN TO [email protected]
Forename
Surname
Telephone
Company name
Address line 1
Address line 2
Address line 3
City / Town
Postcode
Preferred venue (please tick)
Monday 5th March, Queens Hotel, City Square, Leeds LS1 1PJ
Friday 9th March, Wesley Hotel, 81-103 Euston St, Kings Cross, London NW1 2EZ
Please tick here if you would like to attend at either venue if your preferred choice is over-subscribed
Terms and Conditions
1. Cancellation by you up to 21 days before your chosen event will incur a cancellation fee of 50% of the full fee
2. Cancellation within 21 days of your chosen event will incur a cancellation fee of 100% of the full fee
3. Any cancellation by Regulatory Strategies will result in full repayment of any fees paid
Privacy
1. The information provided will only be used for the purposes of administration for this event.
2. Our event organisers are Credit Strategies Ltd (www.creditstrategies.uk.com) and follow-up correspondence about your attendance will come from Credit Strategies Ltd.
Payment details
Please make your payment by BACS to the account shown below. Full payment is due at the time of booking.
Your discounted fee is £395 plus VAT - £474.00 – due now
Regulatory Strategies Ltd
Bank: TSB Bank plc
Sort code: 30-18-98
Account Number: 01279581
Please quote “GDPR + Initials and Surname” as your Payment Reference