Category: GDPR

Is your website cookie compliant?

The ICO cookie police are after non-compliant website owners.

The PECR regulations require consent for non-essential cookies. Unless your website contains only essential cookies, or opting out of all the others is a one-click operation, you may be breaching the Privacy and Electronic Communications Regulations.

The ICO state:

“We expect all websites using advertising cookies or similar technologies to give people a fair choice over whether they consent to the use of such technologies. Where organisations continue to ignore the law, they can expect to face the consequences.

We will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that.

To accelerate our efforts we are developing an AI solution to help identify websites using non-compliant cookie banners.

Our advice to all organisations is to take action now to become compliant.”

ICO latest guidance on emails

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year,” say the ICO.

The Information Commissioner’s Office (ICO) has today issued a warning to organisations to use alternatives to the blind carbon copy (BCC) email function when sending emails containing sensitive personal information.

Read the full ICO publication HERE

ICO consultation on biometric data guidance

“The Information Commissioner’s Office (ICO) is producing guidance on biometric data and biometric technologies.

The first phase of this guidance (draft biometric data guidance) is now published for public consultation.

The second phase of this guidance (biometric classification and data protection) will include a call for evidence early next year.

The draft biometric data guidance explains how data protection law applies when you use biometric data in biometric recognition systems.

The ICO consultation will run from 18 August to 20 October 2023.”

The above extract is from the ICO website, where more information is available.

Ian Hirst
20 August 2023

ICO respond to police data breach

Norfolk and Suffolk Constabularies have announced a data breach relating to responses for Freedom of Information (FOI) requests for crime statistics, issued between April 2021 and March 2022.

The ICO's initial response highlights the importance of having robust measures in place to protect personal information.

GDPR explained – necessary, proportionate, fair

Understanding the GDPR terms Necessary, Proportionate and Fair

The GDPR does not require organisations to gain consent before personal information is processed; it merely requires that a lawful basis is established.

However, for the processing to be lawful, a legal basis for processing has to be decided upon, and this has to be evidenced as necessary, proportionate and fair.

Further, the GDPR requires all of the above to be transparent. That is to say, the basis and underlying considerations must be recorded and made available to data subjects (the people whose data is being processed) before the processing takes place.

Identifying an overarching “legal” basis for processing and outlining this within a “privacy policy” may appear sufficient, but in the event of a complaint or breach it is likely to be found woefully inadequate.

To meet the “necessary and fair” requirements of the GDPR, each policy, process, approach, project or initiative needs to have a legal basis for processing identified, and the key underlying principles of Necessary, Proportionate and Fair must be met. Additionally, final decisions and outcomes need to be transparent; that is to say, made available, in an easy-to-understand manner, to the appropriate staff, stakeholders and service users.

Except in situations where the precise processing activity is specifically required by a Government directive, all organisations need to demonstrate, for each and every individual processing activity, that the “necessary, proportionate, fair and transparent” requirements have been met.

In the event of a complaint or breach, organisations will otherwise struggle to evidence GDPR compliance.

Necessary
Processors need to demonstrate that the processing is ‘necessary’ for a specific purpose.

It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted, proportionate and fair way of achieving the said purpose.

Processing is not deemed “Necessary” if you can reasonably achieve the same purpose by less intrusive means.

Proportionate
Organisations need to consider the scope, extent and intensity of the processing.

That is to say, consider the impact the processing may have on the data subjects, conduct a fair balance assessment and then explore ways in which the impact of the processing can be reduced.

Processing is not deemed “proportionate” if you can reasonably achieve the same purpose through less intrusive means.

Fair
Organisations must use personal data in a way that is fair.

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually.

If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.

Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justifiable.

Organisations must also ensure they treat individuals fairly when data subjects seek to exercise their rights over their data. This includes, for example, providing clear information on how to object to the processing and on the right to be forgotten.

Transparent Processing
Processors must be clear, open and honest with people from the start about how they use the personal data provided. Data subjects have a right to be informed.

You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

The level of detail provided within the privacy policy should be proportionate; in situations where the need for processing may not be readily obvious to the data subject then the privacy policy needs to provide greater detail on the legal basis and how the necessary, fair and proportionate requirements have been met.

Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data.

Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.

Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important – as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Impact Assessments
Whilst the GDPR only requires impact assessments to be conducted for high-risk activities, they are the perfect way to inform and evidence necessary, fair and transparent decisions.

Good practice dictates that impact assessments should be completed, recorded and made available to all staff for each and every policy, procedure, process, initiative, project or assignment.

Such an approach delivers the best opportunity to keep personal data safe.

Recording Processing Decisions
Organisations are required by law to document all their data processing activities. This means that, as a data controller, you need to maintain an internal record of all processing activities carried out by any processors on behalf of your organisation.

In the event of complaint or breach the ICO may require organisations to demonstrate that processing is in line with the accountability principle and may require you to provide records of processing activities to them.

For processing to be lawful organisations need to be able to justify a legal basis for the processing and evidence that the requirements for “necessary, fair and transparent” have been met.

Additionally, Data Controllers need to ensure that the processing decision information is made available to those tasked with processing the data.

Our courses help refresh your knowledge of GDPR and in doing so help your organisation keep personal information safe.

Concrew Training
August 2023

Website Team Lists Breach GDPR?

The simple act of posting a Staff, Employee or Team list on your website may breach data protection legislation. Most organisations will need to be able to evidence consent from all those who have their names listed, and in situations where vital interest or public duty is relied on you will need to be able to evidence that it is “necessary”: easier said than done, we suspect.

The GDPR (General Data Protection Regulations) require organisations to justify how and why they use data. In simple terms this means the organisation needs to identify and record the purpose and legal basis for processing all personal data.

Most of the lawful bases for processing depend on the processing being “necessary”.

This does not mean that processing has to be absolutely essential. But the processing must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.

The lawful basis for processing must be established BEFORE the processing takes place, and recorded.

Most organisations publish team lists on their website to make their organisation appear more attractive to potential customers. This is basically a marketing and promotional activity, which will require consent to be given by each member of staff whose name is listed, or the requirement to have their name listed on the website written into their contract of employment.

Some organisations may consider there to be a vital interest or public duty benefit, for example safeguarding, that allows them to publish names and photographs WITHOUT consent.

We consider this a high risk strategy because the processing needs to be “Necessary” (see above).

We know of no inherent legal duty to publish team lists on web sites.

Factoring in the risks posed by publishing team lists makes it difficult to see how publishing names for the whole world to see is necessary. For example, stalking and phishing, or the increased risks posed to those who have escaped domestic abuse (8% of women suffer abuse at home).

Even if it could be evidenced as proportional, “Necessary” also demands that there be no other less intrusive way of achieving the same outcome. The ease with which information such as team lists can be issued directly to service users undermines the “no less intrusive method” argument.

In simple terms, we consider opt-in consent to be the only GDPR-compliant route for publishing team lists on websites.

Ultimately, a legal ruling will be required before total clarity is established, but can your organisation afford to take the chance?

More interesting points of discussion in our one-day courses on GDPR and PECR.

GDPR free resources

The ICO web site contains a raft of free information, advice and guidance on data protection, GDPR and PECR.

For those who prefer a more personal approach, our one-day courses highlight all the key information in a more enjoyable and interactive way.

PECR and the TPS

Do you check with the TPS before making a sales call? If not, you need GDPR/PECR training. Prices start at £395+vat.

The TPS (Telephone Preference Service) allows businesses and individuals to opt out of unsolicited sales and marketing calls.

Whilst the GDPR and PECR should prevent organisations from making unsolicited calls, registering with the TPS adds another barrier and provides a far faster route to resolution in the event of a breach.

All those making sales and marketing calls need to check the numbers against the TPS lists BEFORE making a sales call. Even if the number has been contacted previously it could now have been added to the barred list.

There are several organisations offering barred call lists, and the prices charged can be high, especially as the data needs to be updated at least every 28 days. We have no affinity with the TPS but do note that their charges for accessing the barred call list are significantly lower than some charge.

If you have been making unsolicited sales calls without checking each number against the TPS lists you are probably breaching the GDPR and PECR in other respects too.

Our GDPR/PECR training starts at just £395+vat – way lower than the average £150,000 fine for GDPR breaches.

7726 equals SPAM

7726 = SPAM = £85000 Fine for Tempcover Ltd

Received an unsolicited marketing SMS on your phone? You can report it by forwarding it to the number 7726. The number is easy to remember: 7726 spells out SPAM on your phone keypad.

12 users reported marketing SMS messages from short-term car and van insurer Tempcover via the 7726 service, and one additional user reported the messages direct to the ICO.

These complaints were investigated by the ICO, and Tempcover Ltd was fined £85,000.

Digging deeper into the case, Tempcover believed they had consent because users had confirmed their agreement to Tempcover processing their details in line with Tempcover’s “privacy policy and terms of business”. But the ICO ruled that this was not sufficient, stating that Tempcover

“had failed to provide subscribers with an opportunity to opt-out of direct marketing when first obtaining their details, and essentially made agreement to marketing a condition of service. For this reason, the consent to receive unsolicited direct marketing messages cannot be said to have been ‘freely given’.”

This is a clear example of why regular, high-quality GDPR training is essential for all businesses. No organisation can afford to get caught out by employees failing to understand or remember the rules.

Concrew Training’s data protection courses start at just £285 for 14 people; at our prices all organisations can afford high-quality GDPR and PECR training every year.

Latest GDPR fines

Are you GDPR and PECR Compliant?

Poor understanding and human error are no defence for breaches. Even the largest of organisations can get it wrong, but regular refresher training can help avoid mistakes like these and hefty fines from the ICO:

Virgin Media – 08 December 2021
Fined £50,000 for emailing out a marketing preference reminder

The Ministry of Justice – 18 January 2022
Enforcement notice for failing to process subject access requests promptly

Northern Power and Gas – 17 December 2022
Fined £75,000 for telephoning numbers registered with the TPS and CTPS

The Cabinet Office – 02 December 2021
Fined £500,000 for disclosing personal postal addresses online

HIV Scotland – 22 October 2021
Fined £10,000 for disclosing personal email addresses through the Email “CC” option

Concrew Training’s GDPR and PECR courses are a low-cost, high-value way to get management and staff to understand the importance of service user privacy. Breaches like those above will only be avoided when everyone puts privacy at the front of everything they do. Our courses help you achieve this. Prices start at just £285+vat for a group of up to 14 people online.