GDPR – Dispelling the Myths
ICO

In her address yesterday, Information Commissioner Elizabeth Denham reminded businesses throughout the UK that “DP-Day – is only 27 working days away”. For those who have, as yet, undertaken no work to achieve and demonstrate compliance, this timeframe will certainly add to existing pressure. With the deadline looming, we have found an increase in misinformation around data protection and GDPR. In an effort to help your compliance journey, let’s dispel some prominent myths.

Advice and support are available.

When working with barristers, solicitor firms and chambers, our clients often struggle to accept that, as the regulator, the Information Commissioner’s Office can also be a source of advice, support and resources. Perhaps given recent experience of regulatory regimes within the legal sector, this may be understandable. However, the Information Commissioner reinforced the message that there is “no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route”. For those adopting a genuine, responsible and diligent approach to becoming compliant, this should allay some concerns.

The ICO promises tough action.

Equally, we encounter a level of bravado or procrastination: a belief that GDPR and data protection are not a priority, or are simply irrelevant. There is scepticism about the “hype” surrounding GDPR and the increased penalties. Notwithstanding their pragmatic approach, Denham warned “we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law”. In light of this, non-compliance is a high-risk strategy for any barrister or chambers.

Monetary fines aren't the only sanction.

Recent images of ICO Enforcement Officers entering and searching the offices of Cambridge Analytica had a sobering effect for many businesses. Most barristers believe their only interaction with the ICO would be if a data breach occurs. This notion fails to recognise other enhanced powers afforded through GDPR, specifically the power to audit all those who hold, use and share personal data. In the context of your own practice or Chambers, you will know best how concerning a compulsory data protection audit would be. It is worthwhile highlighting that a fine isn’t the only sanction to be concerned with. The Information Commissioner has flagged the range of sanctions available that “may not require a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line”.

Reporting a breach is now mandatory.

The notion of mandatory self-reporting causes considerable consternation, due to the mistaken belief that a self-report will inevitably result in an investigation. The ICO is investing resources to ensure the reporting process is “simple and effective”. Again, the Information Commissioner has stated “our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days”. Obviously, the circumstances and the nature of the breach will dictate whether an investigation follows thereafter; if so, your level and evidence of compliance will be critical to the overall outcome.

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 60 chambers to help them navigate through their compliance journey. We also offer a range of online training, consultancy services and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount with code BCEW at checkout.

Do Chambers require a Data Protection Officer?

Despite what some may think, the concept of a ‘Data Protection Officer’ is not new. In the UK, many organisations chose to appoint Data Protection Officers as best practice. The relevant change under the GDPR is that such appointments will now be mandatory for organisations who meet the stated criteria. In recent training sessions and client meetings, the question has been posed whether barrister’s chambers should do so.

The Criteria

Let’s first consider Article 37 of the GDPR, which outlines the criteria under which the appointment of a DPO by a controller or processor is mandatory:

I. The processing is carried out by a public authority;

II. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or

III. The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences.

The Interpretation

For Chambers, the first criterion is irrelevant. However, the second and third could pose potential issues. Unhelpfully, the GDPR does not define what constitutes large-scale processing. However, Recital 91 specifically provides that ‘the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer’. As with much of the GDPR, there is considerable scope for interpretation and a lack of definitive guidance on how to apply the various principles and articles in specific sectors. It is evident that individual barristers will not require a DPO; however, it remains less clear whether certain chambers, by virtue of their size and the volume and sensitivity of the information they process, may be required to appoint a DPO.

Notwithstanding any mandatory requirement, Chambers may still choose to appoint a DPO. The ICO believes it may be useful for organisations to designate a DPO voluntarily. Even the Article 29 Data Protection Working Party “encourages these voluntary efforts”.

In the course of supporting Chambers through their compliance journey, we have seen various informal iterations of such a role: a management committee member, a designated barrister within chambers, or a senior clerk or administrator. Recognising the importance of the role, the GDPR lays down conditions for the DPO’s appointment, position and tasks. The GDPR is very clear that when a DPO is appointed on a voluntary basis, the requirements under Articles 37 to 39 will still apply as if the designation had been mandatory. If Chambers simply wants to allocate the tasks associated with compliance to a particular individual, that individual should not be referred to as a DPO.

Given the heavy reliance on transparency and being able to demonstrate compliance, Chambers that determine not to appoint a DPO should record their reasoning and decision as part of their compliance documentation. This may take the form of the management committee minutes or a written determination from the Head of Chambers.

It is worthwhile reiterating that the DPO, whether mandatory or voluntary, bears no personal responsibility for non-compliance with the GDPR. The responsibilities and obligations of the data controller or processor cannot be passed or transferred and they remain accountable for compliance.

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 45 chambers to help them navigate through their compliance journey. We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

Data Controller or Processor – that is the question!

This month, I had the pleasure of delivering GDPR and Data Protection training for the Bar Council in London. Both sessions were fully subscribed and sold out quickly, perhaps indicating the level of interest or concern within the profession. Having conducted my fair share of cross-examinations, it was an interesting experience to be on the receiving end of questions! Despite the roles of data controller and data processor existing prior to GDPR, significant confusion remains about the roles in the context of barristers and chambers.

Data Controller

Under GDPR, a data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Under this definition, we can clearly see that barristers are data controllers for their client information – they are directly responsible for, and must be able to demonstrate, compliance with the GDPR principles. Depending on the nature of instructions or the case, it is likely that most barristers and the instructing solicitor firm will operate under a joint controller relationship.

It should be noted that the definition of a controller is a person – for the majority of Chambers, this means that the Head(s) of Chambers is the recognised data controller for the personal information held about employees and members of Chambers. Head(s) of Chambers must be aware of their responsibilities and liabilities under GDPR. This is prompting much discussion at management committees. To this end, the Bar Council has asked BRIEFED to deliver a special training session for Heads of Chambers – details available here.

Data Processor

According to GDPR, a data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. This reflects the relationship between chambers and its members. Under the Head of Chambers, the Chambers provide a range of services to assist members in their practice. The GDPR places specific legal obligations on Chambers as data processors; for example, to maintain records of personal data and processing activities. Furthermore, it introduces legal liability if Chambers are responsible for a breach. Where a processor is involved, this does not relieve individual barristers of their obligations. The GDPR places further obligations on barristers as controllers to ensure that contracts with processors comply with the GDPR. Defining the lines of liability is critical, which is why a data processing/sharing agreement must be in place between each individual barrister/controller and their Chambers. The agreement will definitively state the role, responsibilities and obligations of both parties.


When is a breach a breach?

Over the five years of working with barristers and chambers on all aspects of data protection and the GDPR, one of the most frequently asked questions is “what is a breach?” This is usually followed by a suggested scenario, a strictly hypothetical one of course! Most seem shocked by the extent of what constitutes a data breach so it may be useful to explore this further here.

What constitutes a data breach?

You have to be able to recognise a breach in order to properly deal with one. Article 4(12) defines a “personal data breach” as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under GDPR, data controllers and processors must comply with this fundamental principle:

“using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.”

It is worth reiterating that the GDPR only applies where there is a breach of personal data. Not all security incidents are necessarily personal data breaches. This is one of the reasons why barristers and chambers are being urged to review their systems, policies and working practices now. Consider the difference if a burglary occurred in chambers or at home where all devices are encrypted, offices are secured, a clear desk policy is followed and papers are stored in locked cabinets.

What should I do if a breach happens?

Where all reasonable steps have been taken to prevent a breach but one nonetheless occurs, the ability to react in a timely manner is critical. The GDPR makes notification to the Information Commissioner mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of an individual(s). Given the type of personal and sensitive information held by barristers, a breach is likely to have adverse effects such as the potential for identity theft or fraud, damage to reputation or social disadvantage and therefore would constitute a risk to the rights of individuals.

Regardless of whether a data breach was due to the barrister or the chambers, the barrister must notify the Information Commissioner’s Office within 72 hours. There is no expectation that all details relating to the breach will be available or known, but the key is to register the breach within the timeframe. Any undue delay may give rise to an investigation.

Although barristers have overall responsibility for the protection of data, chambers have an important role to play in helping barristers comply with their obligations. If chambers become aware of a breach, they must inform the barrister(s) without undue delay. Furthermore, if the barrister has given authorisation, chambers could initiate the notification on their behalf. Given the interdependencies, it is vitally important that the data processing agreement is clear on these matters.

Whilst we much prefer being engaged as a proactive step towards compliance, there are unfortunately times when our help is needed to manage a data breach or navigate a client through an ICO investigation. Contrary to what may be believed, the focus of the notification is to encourage controllers to act promptly, to contain a breach, to recover the compromised data and to seek relevant advice. As has been our experience to date, not all notifications will result in punitive action. The risk of failing to notify and the ICO becoming aware of the breach by other means is too great to contemplate.

Briefed can help barristers and chambers with GDPR compliance - we also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

Consumers Ready to Exercise Rights under GDPR

In last week’s article, we highlighted the low level of awareness amongst businesses and barristers of the GDPR and their responsibilities under the legislation. By comparison, new research published this week indicates that consumers and clients are keenly aware of, and intent on exercising, their increased rights post-May 2018.

Unsurprisingly, 58 per cent of respondents think the regulation is a positive step towards protecting their data and privacy. Perhaps reinforcing the rationale behind the GDPR and stricter data protection laws, only one in five (19%) were confident their personal data is used in the best possible way.

With over a third (34%) of respondents stating their intention to exercise their individual rights under the General Data Protection Regulation (GDPR), as data controllers, barristers should prepare themselves for processing a variety of requests.

What should a barrister expect?

Under the GDPR, clients have the right to be informed. Barristers need to be aware of the type of information they should supply and when individuals should be informed. Furthermore, the information must be “concise, transparent, intelligible and easily accessible”; written in clear and plain language and free of charge.

Clients will have the right of access, which allows individuals to request access to their personal data and supplementary information so they can be aware of and verify the lawfulness of the processing. It is only possible to refuse such a request if it is manifestly unfounded, repetitive or excessive.

If an individual finds that the data held is incorrect or incomplete, they have the right of rectification. The barrister must then take steps to correct the data held and provide the corrected details to anyone with whom they have shared the information.

Significantly, GDPR confers the right to be forgotten, which allows individuals to request the deletion of their personal data where there is no compelling reason to hold the information any longer. There is a relevant exemption for the legal profession, which includes the establishment, exercise or defence of legal claims.

There are a number of other rights, including the right to object, to restrict processing, to data portability and rights related to automated decision-making, which are of lesser significance to individual barristers.

What should barristers do?

The importance of a data protection policy for your practice, together with supporting privacy notices that are clear and easily understood, cannot be overstated. These are the fundamental tools which detail how you manage, use, process, secure and dispose of personal data.

Any of these requests can be submitted at any time. They must be complied with, free of charge and generally within one month. Any refusal or lengthy delay risks a complaint to the Information Commissioner and/or the profession’s regulator.

To comply cost-effectively and time-efficiently, barristers should review their current practices and determine how, and for what length of time, they store information, both in paper and electronic form. In terms of practicality, consider your current filing system, email account, offices and any storage archives: how easily could you retrieve information and comply with any of these requests? In terms of administration, barristers must be able to demonstrate their process for managing such requests, and record any requests received and how they were complied with.

Any barrister or business who has processed a subject access request under data protection laws will concur that, without appropriate policies and procedures, complying with such requests can be difficult, lengthy and costly. Preparing in advance of GDPR is key!

Briefed can help - we also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

What does a Barrister need to know about GDPR?

Recently published research from the Cyber Security Breaches Survey highlighted that fewer than half of all businesses and charities are aware of new data protection laws coming into force. Given that May 2018 is now only four months away, concern has prompted the UK Government to issue a warning over businesses' lack of preparation.

Regardless of your viewpoint on whether a barrister’s practice is a business, GDPR will apply just the same. From the perspective of the Information Commissioner, barristers are individually responsible as data controllers and must demonstrate compliance with their own practice.

Undoubtedly, you will have read countless articles, blogs or commentary on GDPR. The Bar Council has been proactive in raising this issue. Reputable chambers are taking action to ensure their compliance. So by now your general awareness may be fairly good, or is it?

What should a barrister be aware of?

First and foremost, barristers need to know about the legislation, the governing principles and the nine key changes GDPR will make to current data protection law. Training in GDPR is therefore essential and represents a key component in defending any potential action by the Information Commissioner.

Secondly, barristers must be aware of the information they hold. Practice at the Bar and access to personal and/or sensitive information are inextricably linked. As the data controller, the barrister is responsible for knowing what type of information they hold, the lawful bases for holding it, whether and with whom they can share it, and how they should accurately maintain, store and responsibly dispose of such information. Furthermore, barristers must have this recorded in supporting documentation.

Thirdly, compliance is critical. Barristers must apply the GDPR principles to the daily operation of their practice. This includes risk assessing your home work environment, your office work environment, your transport, your IT security and practices, your digital and hard copy storage arrangements. Unfortunately, your chambers cannot do this on your behalf.

Lastly, barristers are more than familiar with mitigating on behalf of clients. Having undertaken no training, copying and pasting a generic policy, failing to adopt security measures, keeping records for fifteen years or holding no data sharing agreements are examples of unacceptable practices. Given that the outcome of any potential audit or investigation often rests on the strength of the mitigating evidence you can demonstrate to the Information Commissioner, such practices would place a barrister at significant risk.

How can Briefed help you become aware?

In conjunction with the Bar Council, the Briefed team will be in London next month, delivering training courses specifically for barristers (8 March) and for chambers staff (9 March). We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

We are meeting with Chambers throughout the legal quarter, delivering gap analysis reports and action plans. We will also be celebrating with others who have completed their compliance journey. Please contact us if we can help you or your chambers.

GDPR - Are you prepared?

Over the past number of months, Briefed has been engaged by many chambers and barristers to support and guide them through their GDPR compliance journey. One of the most common misconceptions is that the GDPR is yet another tick-boxing exercise, designed to frustrate an overworked profession. If this is your impression, you have been warned to think again!

The EU General Data Protection Regulation (GDPR) marks a wide reaching and significant shift in how all organisations must manage and protect personal data. In May 2017, Information Commissioner Elizabeth Denham advised that rather than just box-ticking, the focus must be on developing a “framework that can be used to build a culture of privacy that pervades an entire organisation”.

Article 5 of the GDPR states that “the controller shall be responsible for, and able to demonstrate compliance with” six privacy principles. The sixth principle (integrity and confidentiality) states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

In March 2017, a senior barrister who failed to keep clients’ sensitive personal information secure was fined by the Information Commissioner’s Office (ICO). Steve Eckersley, Head of Enforcement at the ICO, said: “People put their trust in lawyers to look after their data - that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information.”

Under GDPR, changes will be required not only in our policies and procedures but also in our working habits; it will require resources in terms of time, systems and finances but, most of all, it requires the collective and individual commitment of chambers and barristers to the principles underpinning GDPR. The ICO has repeatedly stated that evidence of such commitment will be the key to mitigating any sanction post 25th May 2018.

The days where the responsibility for privacy protection is left to someone else are over. From 25th May, both the barrister and the chambers can potentially be audited, investigated or fined. Barristers cannot simply rely on their chambers having the proper policies and procedures; they must be able to demonstrate compliance in their own individual practice. Chambers can no longer accept traditional individualised methods of working and will have no choice but to hold their members to account. Ultimately, the risks, sanctions and consequences that will result from even a simple data breach raise the importance of the GDPR from an issue of compliance to a critical business imperative.

Top Tips for Choosing your GDPR consultant

With the introduction of new data protection legislation fast approaching, many organisations are sourcing outside expertise to help them reach GDPR compliance. In a world where most hadn’t heard of GDPR a year ago, there are now many businesses offering GDPR services and products. So how do you sort the good from the bad, and decide whom to entrust with such an important task?

Barrister and GDPR specialist Orlagh Kelly offers some advice on what to look out for in your GDPR consultant.

1. LEGAL EXPERTISE

GDPR is first and foremost legislation. If you’re seeking to understand the impact new legislation has on your business, who do you usually ask? Legal experts. Look for GDPR advisers who have a deep knowledge and experience of data protection legislation and case law: not just the new legislation, but the Data Protection Act 1998 too. Such are the complexities of the GDPR legislation that you need someone who can interpret legislation easily and translate how it applies to your business.

2. LONG TERM OUTLOOK

GDPR brings ongoing obligations and liabilities, similar to health and safety or anti-money laundering legislation. Your GDPR consultant should be someone you can depend on going forward, rather than a short term solution. Look out for a partner who can safely guide you on the legislation, perhaps for years to come.

3. KNOWLEDGE OF GDPR CRISIS MANAGEMENT

Should you suffer a data breach you will enter the difficult and draining scenario of being investigated by the Information Commissioner’s Office. A good GDPR partner will be able to defend your business for you. Having worked closely with your organisation and helped implement your GDPR compliance project, your consultant will be informed and able to launch your defence. Before you choose your consultant ask yourself if you are satisfied that they could advise and represent you if needed.

4. NO ULTERIOR MOTIVES

Last but not least, be wary of GDPR ‘experts’ who work hard to create the impression they have GDPR ‘expertise’ as a precursor to selling. The publicity around GDPR has led to many companies jumping on the bandwagon, providing GDPR ‘expertise’ as a sales tool and scaremongering clients into believing they can only achieve compliance through purchasing their products. In most cases it is possible to achieve compliance whilst working with an organisation’s existing systems, so if you are being given the hard sell, tread very carefully. The perfect GDPR consultant comes from a data protection background.

Greetings from our Guru

At Briefed we are very excited to let you know that our founder and #1 data protection specialist, Orlagh Kelly, will be discussing the GDPR issues that matter most to you and your business in her informative new column, the GDPR Guru, live now on syncni.com.

In order to help you to reach GDPR compliance we need to know the data protection issues that are concerning your business. To pose a question to Orlagh or suggest a topic for discussion, email info@briefed.pro or complete our contact us form.

In the meantime, here's some information about how one of Northern Ireland's top barristers made the transition to GDPR Guru, helping hundreds of businesses to meet their data protection obligations along the way...

1. How did a barrister become a tech entrepreneur? 

I always dreamed about a becoming a lawyer. I saw an episode of Perry Mason when I was a child and fell in love with the idea of court work. I really wanted to fight for people who couldn’t fight for themselves.

At 25, I was called to the Bar and found myself self-employed and tasked with building my own practice. But it went well - I established a successful family law practice, handling over 200 cases a year as one of the top-earning family barristers in my jurisdiction.

Since childhood I have dreamt of a career as a barrister. I saw an episode of Perry Mason and fell in love with the idea of court work and of fighting for people who couldn’t fight for themselves. From that day my commitment to my goal was unwavering - I wanted into the courtroom and I wanted to get there fast.

I was called to the Bar aged 25 and, having never considered running my own business, I found myself self-employed and tasked with building my own practice. 8 years on I had established a successful family law practice, handling over 200 cases a year as one of the top-earning family barristers in my jurisdiction. But the practicalities of running my own business were holding me back - I was overrun by paperwork and had no way in which to market myself effectively and grow the business. I knew the answer lay in technology and, with no practice management tools available for barristers, I took the daunting step into the world of tech and set about developing one myself. And so Briefed was born.

It became clear that one of the key advantages for barristers using the platform was the ability to easily increase their data security. I realised that businesses needed access to a range of products and training in order to meet their data protection and GDPR requirements, a need that no one was satisfying. Hence, Briefed has evolved into a business, not only offering the original case management system but which services companies on every step of their compliance journey, through our e-products and training and our consultancy services. 

The two sides of the business go hand in hand. The knowledge and understanding we gain from working with organisations and learning about the practical challenges presented by GDPR shapes and informs our online offerings, ensuring a relevant product designed to truly upskill the user.

2. What was the biggest lesson you learned in different acceleration and incubation programmes? 

It’s very easy to assume everyone else knows what is best for you and your business. Early on, I was encouraged to aim for a Silicon Valley-type business with hundreds of employees and investors, but in reality that wasn’t my personal goal. I’m very happy now with what is a high-quality business with a prominent brand in the UK and Ireland. Over time, I learned to trust in myself and back my own judgment.

3. If you could go back in time, what advice would you give to yourself in the run up to the launch of Briefed? 

I’ve gained a lot from the Lean Startup Methodology. It’s a scientific approach to testing target markets and understanding the appetite for a product prior to development. As the revenue required for development is generated through sales, this way of working can reduce timescales and the need for outside investment. Had I worked with this methodology from the get-go, I could have brought the original Briefed product to the market faster and at less expense.

Read more at bit.ly/2wWR1FT 

Orlagh Kelly
First things first - what actually is GDPR?

“The General Data Protection Regulation or GDPR as it is commonly known, is updated data protection legislation that mandates how organisations handle personal data. 

Personal data is anything from which a person can be identified, such as an IP address, an email address, a bank account number, even a Facebook profile page or library card number. If your organisation processes personal data of any kind, you need to ensure that you are compliant with GDPR by the enforcement date of 25 May 2018.

Failure to comply will have major consequences, including:

  • Monetary fines
  • Public recognition of the sanction and subsequent damage to reputation
  • Criminal prosecution.

Are these consequences that your organisation could survive?

To hear more about how we can help your business become GDPR compliant, visit briefed.pro/gdprservices”.


Penalties - Payments, Press and Prosecution

“It has been widely publicised that the penalties under GDPR are much more severe than under the Data Protection Act 1998. The penalty which has received the most coverage is the monetary fine, issued by the ICO. Currently the ICO has the power to issue a fine of up to £500k. Come 25 May 2018, under GDPR, the ICO will have the power to issue a fine of up to £17m or 4% of global turnover, whichever is higher.

Secondly, and a penalty which I have found to be much more costly for businesses than any fine, is the publicity the ICO is allowed to generate relating to your sanction. When sanctioned, the ICO will issue a press release, detailing your breach and the sanction they have imposed upon you. Current customers will hear about the data breach, potential customers will hear about the data breach, competitors will hear about the data breach. The impact on the sustainability of your business can be catastrophic.

Thirdly, the ICO has the power to issue criminal proceedings against your organisation for failure to comply with the legislation. And you could find yourself in court again, being sued by the data subjects for failing to protect their personal data.

Do you think your business could survive these consequences?

To find out more about how we can help your organisation become compliant with GDPR - visit briefed.pro/gdprservices”.

Does Brexit mean Brexit?

“Since Britain voted to leave the EU in June 2016, I have continuously been asked this one question - can we ignore the GDPR because of Brexit?

The simple answer is NO.

What most people do not know is that GDPR legislation is already in force in the UK. We are currently in a two-year grace period until 25 May 2018, at which point GDPR will be enforced in the UK. On this date we will still be a member of the European Union and we will need to abide by EU law.

Additionally, any business selling goods or services into Europe or monitoring the behaviour of EU citizens needs to be compliant with GDPR, regardless of its global location. This includes organisations as far afield as the USA or Australia, or most importantly for you and me, organisations in the UK.

If you have been ignoring the GDPR under the belief that it would disappear due to Brexit then think again. You need to consider your data protection obligations under GDPR and you need to consider them now. 

For information on how we can help you on your journey to GDPR compliance, visit briefed.pro/gdprservices”.


The rise of the Data Protection Officer

“The GDPR requires that an entity appoint a Data Protection Officer if it is:

  • A public authority
  • An organisation which carries out large scale monitoring of individuals, such as online behavioural tracking
  • An organisation which carries out large scale processing of special categories of data or the processing of criminal offences.

The GDPR defines special categories of data as personal data that reveal the following about an individual:

  • Racial or ethnic origin
  • Health conditions
  • Sexual activities
  • Sexual orientation
  • Political views
  • Membership of a trade union
  • Genetic or biometric data
  • Religious or philosophical beliefs.

If you process any of these categories of data on a large scale, then you are required to appoint a Data Protection Officer.

The one caveat on this is that, as of this point, September 2017, there is no clarification as to how “large scale” will be categorised. Data protection specialists, including myself, are awaiting guidance from the ICO as to how this will be classified.

However, regardless of the boundaries that the ICO decides upon, my advice would be - if you are an organisation that would suffer greatly from a breach, in terms of fines or reputational damage, then you should consider appointing a designated Data Protection Officer. It is safer for you and your customers to have someone with the appropriate expertise ensuring your compliance obligations are being met on an ongoing basis.

If you want to hear more about how Briefed can help you on your journey to GDPR compliance, please visit briefed.pro/gdprservices”.


Mis-sent emails and cyber attacks - the many faces of a data breach

“When most people hear the term data breach they think of a large-scale hacking by foreign cyber criminals but, in reality, a breach can come in a much more mundane and simple form.

Under GDPR a data breach is defined as - ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data, transmitted, stored, or otherwise processed.’ 

But what does this mean for you and your organisation?

Here are some previous examples of fines issued by the ICO. It is worth remembering when considering these fines that these were issued under the previous legislation with fines capped at £500k. Under GDPR the ICO will have the power to issue fines of up to 34 times higher!

  • A solicitor sent an email to the wrong person - fined £120k
  • A social worker left papers on a train - fined £70k
  • A filing cabinet was sold containing old files - fined £185k
  • Medical records were left in a disused building - fined £225k
  • A report was posted to a wrong address - fined £60k
  • A memory stick was stolen from a staff member’s home - fined £150k.

Along with each of these fines the ICO issues a press release, publicising your sanction. The combined monetary and reputational damage can have serious repercussions on the sustainability of a business, in some cases leading to business failure.

To hear more about how we can help your organisation to become GDPR ready and avoid the penalties associated with non-compliance, visit briefed.pro/gdprservices”.


Why, why, why? The reasons for GDPR.

“I am often asked why we need the new GDPR and why we can’t continue to operate under the Data Protection Act 1998?

The Data Protection Act is based upon data protection legislation, first laid down in 1995. At this point I would ask you to think back to your life in 1995... What technology did you regularly use? The internet was not widely available. Hardly anyone had a mobile phone. Phone numbers were written down in address books. Photos were developed. Holidays were booked on Teletext or Ceefax. The amount of data you shared was limited.

Now think about your life as you live it today. How many apps do you have on your phone? How often do you open these apps and what activities do you use them for? Do you buy goods or services? Do you pay bills or check your bank balance? 

The way we use and share information has altered exponentially in ways we could never have envisaged in 1995.

Quite simply the DPA 1998 is no longer fit for purpose and the GDPR is updated data protection legislation, designed to ensure the safety of personal data in our modern, technological world. 

To find out more about GDPR and how we can help your organisation become and remain compliant, visit briefed.pro/gdprservices”. 


Procrastinate at Your Peril

“I often get asked by businesses if they can wait until after the GDPR enforcement date, 25 May 2018, to consider their GDPR obligations. My response - ‘would you wait until the day after an exam to start your revision?’

GDPR is already in force in the UK. We are currently in a two-year grace period which the Government has given to allow organisations to ready themselves for the incoming regulations. It is expected that when the regulations are enforced on 25 May 2018, your organisation will be compliant.

There are two key actions I would recommend for any business beginning their compliance journey:

  • Perform a GDPR gap analysis - analyse how your business measures up to GDPR requirements and what work needs to be done to bring your data protection activities up to speed
  • Train 100% of your employees in data protection - the ICO mandates that all staff are regularly trained in data protection. Not only will training ensure you meet this regulatory requirement but the knowledge your staff will acquire will play a major part in protecting your organisation against a data breach.

To find out more about the Briefed portfolio of services, including gap analysis and training, please visit briefed.pro/gdprservices”.


GDPR Ob-BLOG-ations

Hi, I am Orlagh Kelly, data protection barrister and founder of Briefed, GDPR Compliance Specialists.

I have spent the past 5 years training organisations and individuals across the UK and Ireland on their data protection obligations. Over the past year, I have encountered a lot of uncertainty and apprehension with regard to the incoming GDPR; organisations remain unsure of what GDPR means for them and what they have to do in order to be compliant. In this blog and through my role as the SYNCNI GDPR Guru, I will take you through the most commonly asked questions relating to GDPR, and discuss key points of the new legislation, helping you to gain an understanding of what GDPR means for you and your organisation.

If you have any questions you would like me to answer or any topics you would be interested in hearing more about, please just let me know through the form at the bottom of the page.