In just a little over a year and a half, there have been over 160,000 data breaches reported to authorities, and GDPR fines either imposed or proposed by authorities have totalled over €400 million. Some of the world’s largest companies have fallen foul of data protection rules, and this is perhaps one of the reasons why people are more conscious of how their data is being used than ever before.
The landscape for businesses is therefore one fraught with risks. Last month, our firm held a ‘DPO Forum’ in order to unpick this thorny issue, where we heard a number of in-house privacy practitioners explain what they currently see as the hot topics and key risks for their businesses.
So what are the top issues which have been keeping DPOs up at night?
It shouldn’t be a surprise to anyone that DPOs have concerns here. If you receive data from the EU, use a “Privacy Shield” certified business in the US, or do business in the EU, data protection issues will arise. While these may not be a problem until after the transition period ends on 31st December 2020, businesses are looking to take steps now to ensure that their data stored in the US is adequately protected and that they can offer the right assurances to EU entities which share data with them.
While CCTV isn’t a new technology, people are becoming more aware of their rights under the GDPR, and so many businesses are receiving more requests to access CCTV footage. These requests can cause significant difficulties and expense around delivering footage and redacting third party information, not to mention taking appropriate steps to verify the identity of the person making the request. Having a robust but proportionate policy to deal with subject access requests is crucial to ensure that you don’t fall victim to fraudulent requests.
Image consents for marketing
Most businesses will use some marketing images which include people. These might be paid models or employees of the business, or they could be members of the public (such as service users). While DPOs might be able to rely on a “legitimate interests” basis when using images of paid models or employees for marketing, using images of members of the public will generally need consent. This presents its own challenges in terms of recording that consent (with marketing teams often having to change their processes to incorporate an appropriate consent form) and what to do if that consent is withdrawn. The risk of investing time, effort and money into a marketing campaign, only for an individual to withdraw their consent and ask for their image to be removed, means DPOs may be reluctant to commit to campaigns which don’t use paid models.
Obviously data security remains a huge area of concern for businesses. Often the technical side of data security will be the responsibility of a technology officer, rather than a DPO. However, DPOs are still keen to keep a good understanding of the technology and standards involved, even if they ultimately rely on the expertise of an IT professional. DPOs are, however, more involved in organisational security, such as physical security measures and IT policies (as opposed to more technical issues such as encryption standards). A frequent challenge is balancing security and accessibility, for instance how to apply role-based access for IT systems. While a small number of authorised users for a system should mean it is more secure, it also means significant inconvenience if the right user isn’t in the office, or if other areas of the business need to use data which sits on that system.
Ultimately, the GDPR doesn’t set specific security measures which must always be applied; the requirements focus on measures that are appropriate to the level of risk involved. DPOs have to make a judgment on how to implement effective security measures without unduly affecting operational flexibility. What is essential, however, is that someone takes ownership of the more practical issues of organisational security. If your IT team are only concerned with technical measures, and your DPO believes all security is dealt with by the IT team, the risk is that nobody will be considering these organisational measures and security vulnerabilities will be missed.
Reporting and monitoring breaches also remains a key concern. DPOs have two main tasks here: ensuring that staff are aware of their responsibilities (and promoting a culture in which breaches aren’t ignored or covered up), and then making a decision over whether a breach is reportable (to the ICO or to the individuals affected). The first of these, staff awareness, is a continuing challenge, and the focus is on reinforcement and practical measures, not just paper policies which are all too easily ignored. Judging whether to report a breach has been a learning process, and as with security in general the context of the breach is key, but recording your reasoning and maintaining a detailed breach register is crucial to mitigating risk in this area.
More detailed guidance is now available on what constitutes best practice for cookies. This issue is often overlooked by businesses who don’t use their websites to advertise third party products, or track visitors in order to advertise to them on other websites. Almost every business wants to collect some website visitor data in order to review and monitor their web presence, but often businesses won’t be aware that they need consent (to a GDPR standard, meaning you cannot assume consent simply because a website visitor is made aware of the cookies you use and then continues to browse the website). While it remains a common frustration that analytics cookies and targeted advertising cookies are treated in essentially the same way, despite their impact on individuals being very different, the ICO have made it clear that analytics cookies still require consent.
While there is a new e-Privacy law on the horizon, this will be EU legislation and it remains to be seen whether the UK will follow the same approach. Until the law changes, websites are left technically needing opt-in consent for what should be relatively innocuous cookies.
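To make the consent standard described above concrete for the people who actually build the website, here is an added example (not from the article or from Cripps Pemberton Greenish) of a small consent gate: analytics cookies are held back until an explicit opt-in is recorded, a “continued browsing” signal is rejected, and withdrawal removes what was set. The cookie-jar stand-in, the category names, the cookie names and the consent-record format are all assumptions chosen so the code runs in Node without a browser.

```javascript
// Added example: gating non-essential (analytics) cookies behind explicit opt-in.
// Category names, cookie names and the record format are assumptions for illustration.

const CATEGORIES = Object.freeze({
  essential: "essential",   // strictly necessary; set without consent (assumed category)
  analytics: "analytics",   // needs opt-in consent, per the ICO position the article cites
  marketing: "marketing",   // needs opt-in consent
});

// Minimal stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()].sort(); }
}

// Only an affirmative, recorded action counts. Continuing to browse, scrolling past a
// banner, or a pre-ticked box do not meet the GDPR standard for consent.
function isValidConsentSignal(signal) {
  return Boolean(signal) && signal.type === "explicit_opt_in"
    && Array.isArray(signal.categories) && signal.categories.length > 0
    && !signal.preTicked;
}

class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;                                 // injectable clock for the consent log
    this.granted = new Set([CATEGORIES.essential]);
    this.deferred = [];                             // non-essential cookies requested pre-consent
    this.category = new Map();                      // cookie name -> category, for withdrawal
    this.log = [];                                  // consent records: what, when, which signal
  }

  // Call this wherever the site would normally write a cookie. Essential cookies are
  // set immediately; anything else waits until the matching category is granted.
  setCookie(name, value, category) {
    if (!Object.values(CATEGORIES).includes(category)) throw new Error(`unknown category ${category}`);
    this.category.set(name, category);
    if (this.granted.has(category)) this.jar.set(name, value);
    else this.deferred.push({ name, value, category });
  }

  // Accept only a valid explicit signal, record it, then release the deferred cookies.
  applyConsent(signal) {
    if (!isValidConsentSignal(signal)) {
      this.log.push({ at: this.now(), action: "rejected", signal: signal ? signal.type : null });
      return false;
    }
    for (const c of signal.categories) this.granted.add(c);
    this.log.push({ at: this.now(), action: "granted", categories: [...signal.categories] });
    const stillWaiting = [];
    for (const d of this.deferred) {
      if (this.granted.has(d.category)) this.jar.set(d.name, d.value); else stillWaiting.push(d);
    }
    this.deferred = stillWaiting;
    return true;
  }

  // Withdrawal: stop setting cookies in the category and remove those already set.
  withdraw(category) {
    if (category === CATEGORIES.essential) return;
    this.granted.delete(category);
    for (const [name, cat] of this.category) if (cat === category) this.jar.delete(name);
    this.deferred = this.deferred.filter(d => d.category !== category);
    this.log.push({ at: this.now(), action: "withdrawn", categories: [category] });
  }
}

// Scenario from the article: a visitor lands, keeps browsing, then explicitly opts in,
// and later withdraws. Uses a fixed clock so the consent log is deterministic.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, () => "2020-01-01T00:00:00Z");
  gate.setCookie("session_id", "abc123", CATEGORIES.essential);        // set at once
  gate.setCookie("_analytics_id", "visitor-42", CATEGORIES.analytics); // deferred
  const afterLanding = jar.names();
  const browsingAccepted = gate.applyConsent({ type: "continued_browsing" });
  const optInAccepted = gate.applyConsent({ type: "explicit_opt_in", categories: [CATEGORIES.analytics] });
  const afterOptIn = jar.names();
  gate.withdraw(CATEGORIES.analytics);
  const afterWithdraw = jar.names();
  return { afterLanding, browsingAccepted, optInAccepted, afterOptIn, afterWithdraw, log: gate.log };
}
```

The consent log doubles as the record the marketing and web teams need when asked to show what a visitor agreed to and when; the same gate-and-record pattern applies to the image consents discussed earlier, where withdrawal likewise has to trigger removal rather than just a note on file.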
Elliot Fry, Senior Associate, Cripps Pemberton Greenish