data protection

  • Dixons Carphone data hack

    This year in June, Dixons Carphone announced that a major data breach had occurred, estimating that 1.2 million customers were affected by the hack. This number has now risen to 10 million customers who may have had their personal information hacked, including their names, addresses and email addresses.

    Dixons Carphone announced that no bank details were taken; however, 5.9 million payment cards were accessed, although the majority were protected by chip and PIN.

    The company has expressed regret for any distress caused by the hack, stating that it would be apologising to the customers affected in due course. Dixons Carphone chief executive Alex Baldock advised that the company is working with top cyber security experts in order to improve its security measures, which has involved:

  • Are MAC addresses personal data?

    A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

    On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

    The CJEU's judgment in C-582/14 Breyer refers to dynamically assigned IP addresses. Given that MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons why the WP29 states that MAC addresses should be regarded as personal data:

  • GDPR requires a multi-disciplinary approach involving:

    Culture is to be implemented and ingrained through staff training and awareness

    Processes should be implemented to ensure policies are adhered to

    Legal advice is necessary for the interpretation of developing laws

    Technology should help to bring it all together and add a layer of security.

    While this may appear daunting at first sight, taking time to put together a plan should enable you and your business to tackle your compliance requirements:

    • Evaluate your personal data entry points – these could be your website, telephone calls, marketing or networking events – and then look at where GDPR comes in

  • For businesses which rely on B2B marketing, GDPR and the e-Privacy Regulations will certainly give food for thought.

    For initial contact, there may be a reliance on Legitimate Interest grounds, on the basis that the business is an SME which is only processing basic B2B business information and does not carry out volume email marketing. The ICO’s own helpline for SME businesses has indicated this is acceptable. However, after the initial contact, the consent rules will undoubtedly apply.

  • Binding Corporate Rules

    In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):

    • Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
    • Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

    The tables have been amended to meet the requirements of Article 47 GDPR, in order to clarify the necessary content of BCRs and to distinguish what must be included in the BCRs themselves from what must be presented to the competent supervisory authority in the BCR application. The amendments also align the principles with the Article 47 text references for controller BCRs, as well as providing further guidance on each of the requirements.

  • If economic uncertainty following the Brexit vote created a nest for cyber-fraud, then Thursday’s High Court decision requiring Parliament approval to trigger Article 50 – and thus creating further uncertainty – only enhances the breeding ground.

    According to forensic experts, fraudsters concoct scenarios which convince senior managers and owners of companies to hand over monies often in excess of £100k.

    The immediate aftermath of June’s Brexit vote had the effect of driving more businesses to try non-traditional methods of raising capital. Particular sectors, such as shipping and off-shore haulage, appear to be ripe for targeting by fraudsters.

    UK authorities are currently working on a number of fraud cases valued at more than £100 million each, and they are also carefully watching the healthcare sector, where incidents of fraud are rising sharply. Entwined with this was the recent state-sponsored hacking of medical data belonging to UK athletes, which has caused a stir and led to internal soul-searching. This has coincided with the recent announcement by Chancellor Philip Hammond that £2bn will be invested in tackling cyber crime.

    But that was before Thursday’s announcement.

    Amongst competition that becomes increasingly desperate, it can become much easier for the fraudsters to simply blend in amongst genuine businesses and bide their time. This is nothing new.

    It has been said by some experts that transparent data sharing across the globe between businesses will help to cultivate a system of checks, helping to create accurate patterns to be used by the authorities in tackling fraud. But what is the commercial reality of this, when businesses are already scrabbling around in a state of Brexit-induced flux?

    While we watch and wait with anticipation at the political ponderings of the establishment, and where we go with Brexit, hard or soft, the fraudsters will continue to have the upper hand.

    Aaron Pearson – 04.11.16

  • If an organisation has not obtained consent to record calls for training purposes, can it cite 'legitimate interest'?

    Some sectors, such as the insurance industry, are required by their regulator (such as the FCA) to record calls, and so recording the call does not present a problem.

    But for unregulated businesses, this may present an issue to be thought about. Capturing consent is not mandatory, nor does GDPR say that Consent is required for audio recordings. But a lawful basis such as Legal Obligation, Performance of a Contract or Legitimate Interest (with appropriate weighting) could very well be used. Nevertheless, GDPR would still require this to be made clear to Data Subjects.

    Any recording could potentially contain personal data, and the only time Consent is needed explicitly is if the Personal Data is extracted as part of a tool, technique or technology used explicitly to identify the caller.

    While legal, contractual, police, health and regulated entities fall into the other lawful bases, ‘training purposes’, or ‘training and monitoring purposes’ are likely to fall into the legitimate interest category.

    Further, it is not only important to identify the correct legal basis under GDPR; thought should also be given to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, and associated case law, which are key for monitoring and recording.

  • CNIL hands notice to French energy company

    In March, the French data protection authority (‘CNIL’) announced it had issued a formal notice to DIRECT ENERGIE, Société Anonyme, for failing to obtain consent for the collection of customer usage data from its Linky smart meters. CNIL ordered that Direct Energie were to collect valid consent within three months of receiving the notice.

    The CNIL decision, based on French law, sets down the likely approach of other supervisory authorities within the EU.

    The issue which the CNIL has is that, at the time customers had meters installed, they were asked to give only a SINGLE CONSENT for both 1) the installation of the meter and 2) the collection of hourly electricity consumption data. The purpose of this data was to enable determination of various tariff benefits.

    Installation of the meters was mandatory, and so consent was not relevant to it. Therefore, the second limb of the request, i.e. the consent to data collection, was invalid, because it was not freely given in its own right, being inseparable from the installation of the meter. Nor could it be considered informed and specific, as it was bundled together with, and dependent on, the overall contract.

    It is for organisations to ensure their systems reflect the new anti-profiling right of data protection by design, yet clearly Direct Energie failed in this regard. Further, it did not have a legal basis for processing the data, as the hourly consumption data was not necessary for the contract to be fulfilled: its customers are billed monthly.

    Further, an organisation which seeks to rely on legitimate interest is required to perform a legitimate interest assessment to enable it to balance those interests against the rights and freedoms of the individual. The collection of hourly data was, according to the CNIL, particularly intrusive and detrimental to the privacy of the individuals, and in fact disregarded their rights and interests.

    Direct Energie did not help itself by stating in its privacy notice that the hourly data would enable the customer to benefit from tariff deals, when there were no tariff offers based on hourly consumption.

    CNIL thereby concluded that the processing had no legal basis, since it was not based on valid consent, and that other possible legal bases failed.

    Fortunately for Direct Energie, so long as it complies within the deadline set down by the CNIL, the CNIL will not issue any penalty.

    GDPR Article 21 sets down that an individual has the right to object at any time to the profiling of personal data for direct marketing purposes. The similarities with this case, while subtle, make clear that prior consent is required, due to the sensitive nature of the energy consumption data collected, in all future cases where companies wish to understand their customers’ behaviour better by analysing their consumption habits, which is ultimately linked to marketing strategies. Organisations must therefore ensure they adapt their systems and adopt a way of working which keeps any marketing or perceived 'customer benefits', which essentially form the basis of their own data analysis, separate from the overall contract that their customer base has entered into.

    Facebook in particular, given the collection methods it uses, will have to change the way its marketing/analytical/statistical data is separated from its core function as a social media 'platform'.

  • Consent and retention of data

    There are effectively two points to consider here: firstly, the consent requested for data usage during the retention period, and secondly, how the business manages the information collected in order to document and evidence compliance.

    The business should consider things such as:

    • How the data is stored, i.e. primary storage such as databases; secondary storage such as email, employee contact records, printed materials and spreadsheets etc.; and thirdly, backups
    • The stage at which a contract occurs, as this may affect the data retention period

    An individual who contacts a business with the intent of doing business will often expect to be contacted back by the business. It would be wise for the business to record the contact details, make a note of the time and the conversation, and ask the customer's permission to send out information. There should also be mention that once the transaction has completed, their personal data will be destroyed, and in what time frame, taking account of any warranty periods etc.

  • In a business-to-business transaction, Company A obtains the contact details of a representative of Company B and places those details (such as name, e-mail and telephone number) into its CRM. This information is only to be used to connect with the other company.

    However, Company A takes the decision as to when to make contact and when it will delete the contact details. Because Company A decides on the lawful basis of processing, the retention period, etc., it becomes the controller.

    In this instance, Article 14 GDPR applies, and it obliges the controller to inform the data subject; a link to the privacy notice on Company A's website may help.

    Where there is a formal business contract in place between Company A and Company B, it should define the roles and responsibilities of each party. Based on the contractual terms, a preliminary determination of who might be the controller (or joint controllers) and who might be the processor (or joint processors) can be made, on the basis of which specific controller-processor clauses for the contract can be drafted.

  • Data controller

    Where a Controller uses third-party systems to process personal data, the responsibility for consent still lies with it. Controllers bear the onus of acquiring GDPR-standard consent (or identifying another lawful basis for processing the data), demonstrating it to the regulator and ensuring it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the Controller’s obligations is key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach will be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, it has an obligation under Article 28 to inform the Controller and record the notification.

  • Data Privacy in Europe and beyond

    GDPR is not the only new European privacy regulation everyone is talking about. There has been a lot of discussion regarding the ePrivacy Regulation, which deals with e-communications, although technically it is a revised version of the ePrivacy Directive, or the ‘cookies law’. The ePrivacy Regulation was initially supposed to be introduced on 25 May 2018, the same day as GDPR. However, it has been delayed, but it is still expected to come into effect this year pending review by the European Union’s member states.

    Although some of the changes may appear small, as a whole they will have a huge impact in the long run, and will also make organisations more aware of the regulations they must adhere to, which will also align with GDPR requirements.

  • Cloud storage

    Cloud solutions tend not to store data for small companies on local servers. Instead, the data is stored in data centres in the US (as in the case of Dropbox). Similarly, OneDrive enables some users to locate their data within the EU, but general users do not have that option.

    This makes it tough for organisations to comply with GDPR requirements, particularly where there is a cross-border transfer of data. Some of the larger software providers, including Microsoft Azure, Google and AWS, have implemented 'GDPR-ready' platforms. Microsoft also offers a compliance portal, while its OneDrive, as part of Office 365, ties the location of the data to the Office 365 billing address. ShareFile by Citrix is another which enables storage within the EU jurisdiction.
    Away from these platforms, it is of course possible to encrypt the data before it is stored in the Cloud. That way, the location of the server matters less, as the Cloud service provider, such as Dropbox, will have no access to the data. Encrypting the data, and holding the keys, before the data leaves the organisation is perhaps the most sensible way to overcome such an issue, while pseudonymising data in cloud SaaS applications should also be considered.

  • Data protection risk assessment

    A Data Protection Impact Assessment (DPIA) is a procedure which assists you in identifying and minimising the data protection risks of a project. You should always complete a DPIA when undertaking high-risk tasks, usually new tasks or projects.

    In order to conduct an assessment, you can utilise certain applications to produce an efficient DPIA.

  • When a data subject challenges the accuracy or legitimacy of your holding their data, you must restrict processing, including access, while you investigate. But this leads to questions as to how this is being done. And, more importantly, what are YOU doing about it? The reality is that not many are actually doing this yet, and while systems can be configured to do so, very few applications comply with privacy by design. Practically speaking, databases should only be accessed by a designated few while the redaction investigations are performed. This means only authorised staff can access personal data. If the data is used for analytics purposes, it should be anonymised.

  • Email Marketing Consent

    The ePrivacy Regulation (PECR) is set to particularise GDPR for electronic communications and is focused only on electronics: devices, processing techniques, storage, browsers etc.

    It is the successor to the current ePrivacy Directive, known as the ‘Cookie Law’ because it has governed the statement frequently seen on Europe-based sites declaring that users agree to the use of cookies if they agree to use the site.

    According to the e-Privacy rules on email marketing (Reg. 22), marketing emails and texts should not be sent to individuals without specific consent, although there are limited exceptions for existing customers.

  • Data breach compensation

    Three Graces Legal is a commercial law firm which has many years' experience in dealing with civil claims for compensation, including large commercial dispute matters. We also deal with claims arising out of breach of the Data Protection Act and GDPR.

    Our specialist data protection claims solicitor, Aaron Pearson, is a GDPR practitioner and the firm has acquired the standard of ISO17024 for GDPR practitioner and Cyber Essentials.

    We make compensation claims on behalf of individuals and businesses who have been adversely affected by a breach of the Data Protection legislation.

    We offer a wide range of funding arrangements, including being able to act for you under a no win, no fee agreement.

    We are specialists in pursuing civil claims for a breach of the Data Protection legislation. The law is constantly evolving to keep up with such a changing landscape, particularly where data is concerned. More than ever, we have to ensure that we remain vigilant, while organisations who collect and process our data must take measures to avoid a breach, otherwise they may be faced with a claim for compensation.

    Compliance with data protection law, and moreover, the GDPR, is vital. We act for many businesses in advising them how to stay compliant so as to avoid any unwanted legal proceedings for breach of data protection laws. Equally, we act for individuals who have suffered some harm as a result of a data protection breach.

    Three Graces Legal has seen how the position under the Data Protection Act 1998, which was superseded by the European Directive enabling a person to claim compensation for distress alone, has developed to be written into the General Data Protection Regulation. This now enables an individual to rely on a binding EU Regulation to claim compensation for distress arising out of a data breach.

  • Under the Privacy and Electronic Communications Regulations (PECR), it was possible to use lists of people who had purchased goods or services in the past and offer them an ‘opt-out’ from future mailings.

    Under GDPR this is no longer valid, because there is no clear and active consent; it has been assumed or implied. Soft opt-in, however, is not changing, and so this can still be used.

  • GDPR and HR

    From 25 May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers are obliged to take on new responsibilities, as well as updating their contracts, policies and procedures, in order to maintain compliance with the GDPR requirements.

    This means employers must:

  • Data processor

    The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is to specify whether the data includes special categories of personal data, as this raises the risk profile of the data set.

    For Personal Data that does not fall into one of either:
