data protection

  • employee data protection

    The Article 29 Working Party (WP29) published an assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees, in which it outlines the risks posed by modern working practices: new technologies enable more systematic processing of employees’ personal data at work, which brings challenges for privacy and data protection.

    Processing of personal data about the use of online services, and of location data from a smart device, is much less visible to employees than more traditional types of monitoring such as overt CCTV cameras, yet it captures far more of our lives.

  • structured vs unstructured data

    Learn about the difference between structured data and unstructured data and how to best protect it in Data Protection 101, our series on the fundamentals of information security.

    When organizations prepare to collect, analyze and secure data, they need to understand that there are two kinds of data: structured and unstructured. Each presents different challenges, especially when it comes to data security, so it is important to understand both concepts.

    Structured data is usually stored in relational databases and displayed in defined columns and rows. This allows data mining tools and algorithms to access and analyze it via search.

    Structured data can be used in:

  • Technical Initiatives to stay privacy safe

    Data protection is an umbrella term for mitigating failures of protection (confidentiality), accuracy (integrity) and access (availability) that can affect data subjects and, ultimately, your business. Compliance is about the governance of the GDPR and the non-technical measures to adopt and adapt.

    Risk assessments enable decision-makers to consider everything from contractors leaving with passwords and insider knowledge, and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on.

    But what about technical support and access to customer data, particularly when required on a large-scale? What measures are available to manage, minimize and control this?

  • Territorial Scope of GDPR

    A common scenario involves country-level sites managed by a central team, with some sites in the EU and some outside.

    The question is: will all the sites be in scope of the GDPR, given that EU visitors may access any of the sites while visiting those countries?

  • New Data Law Committee

    Before Brexit is finalised, there is a lot of work to be done, one of the most recent priorities being data transfers between the UK and the EU. Both the Government and businesses have expressed reservations about personal data traffic post-Brexit, especially in the event of a ‘no deal’ Brexit.

    To address this issue, a new Data Law Committee has been set up to discuss future legislation on Data Protection and Privacy law. The City of London Law Society announced the introduction of the Data Law Committee, with Jon Bartley, the chairman of the committee, describing it as a “pivotal moment” for Privacy law.

    The Committee is in place to discuss all aspects of Data Privacy and Cybersecurity legislation. However, Jon Bartley, the Committee Chairman and Partner at the Corporate and Insurance law firm Reynolds Porter Chamberlain, announced that Brexit is “our first and most urgent area of interest.”

  • NIS Directive

    The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations that operate essential services within the EU.

    The legislation came into force on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy providers, transport, banking, financial services infrastructure, health, water and digital infrastructure providers.

    Organisations who operate within these sectors are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.

  • Data processor

    A cloud service provider of apps and storage for businesses is a data processor. However, that does not mean it is exempt from appointing a Data Protection Officer (DPO) if the data processed presents risks to the rights and freedoms of others, or involves large-scale systematic processing.

  • Artificial Intelligence

    The Director of the Serious Fraud Office (SFO), Lisa Osofsky, has recently announced her plans to utilise artificial intelligence to deal with fraud cases that are data-heavy.

    Osofsky, a former FBI lawyer, discussed the SFO’s plans in her first speech since taking on the chief role:

  • One question that continues to be asked is whether there is any kind of check list out there to ensure your software is GDPR compliant.

    It is not so much the software but rather the organisation that needs to be compliant. Software systems can be improved to help the process, but most of the changes have to be in people and processes. Begin by looking at the Information Commissioner's Office's 12-step plan, which will help you establish a framework from which to begin. Next, conducting a data inventory and audit to see where personal data is located, processed, stored or transmitted will set you on the right road.

    Further steps can be found at:

    https://www.lepide.com/blog/the-lepide-checklist-for-gdpr-compliance/

    http://expert-advice.org/security/things-you-should-know-about-governance-and-management-system-for-gdpr-compliance/

    https://www.totalprogrammecontrol.com/gdpr.php

  • Top ten GDPR priorities

    1. Manage expectations - GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaptation of processes. Plan, develop and sustain.

    2. Continued awareness and training for staff.

    3. Update your privacy policy, consent capture and recording.

  • Cyber breaches

    According to research from the professional services firm KPMG, 39% of UK-based CEOs are convinced that a cyber-attack is inevitable, and on a global scale nearly half of CEOs agreed with this statement. KPMG surveyed 1200 CEOs from around the world, including 150 leaders from the UK, who were asked to discuss company challenges and future plans.

    To protect organisations against cyber-attacks, UK CEOs discussed how a durable cyber security strategy is essential: according to 74% of UK leaders, cyber security is a trust enabler. However, only 39% believe they are “very well” equipped for when a cyber-attack does occur.

    KPMG’s UK vice chair, Bernard Brown discussed how:

  • What is personal data?

    Personal data is defined within Article 4 of the General Data Protection Regulation (GDPR) and means any single piece or combination of data that can be used to identify an individual. The following are examples of personal data:

    • Name
    • Home address
    • Driver’s license

  • Data Protection Officer

    Under the GDPR, you must appoint a data protection officer (DPO) if you:

    1) are a public authority (except for courts acting in their judicial capacity);
    2) carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
    3) carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

  • Underhanded tactics of phone apps

    The consumer rights association Which? produced a report after monitoring 29 popular apps used by both iPhone and Android users, in which it uncovered the underhanded tactics several app companies use when obtaining personal data.

    Which? found that several of these companies used borderline-lawful means to obtain unnecessary information from customers who were unaware of it, as they neither had the time nor were willing to read the overcomplicated and lengthy data protection policies. The consumer body found that:

    “Based on average reading it would take 22 hours, 21 minutes to read all the policies in one go.”

    The report also showed that despite the General Data Protection Regulation (GDPR) being implemented in May 2018, there were still organisations ignoring the fundamentals of the regulation:

  • Withdrawing consent and right to erasure

    In respect of the data subject enforcing their rights, it should first be noted that withdrawing consent, i.e. removing the controller's right to use your data, is not the same as the right to erasure. Consent is specific and unambiguous and is given for a particular activity.

    For example, many of us will use an online web form to download a document. If there is a check box to receive marketing material from the site, and we tick the box, we will receive the marketing materials.

    If we later withdraw the marketing consent, will our information be erased as well?
