GDPR

  • employee data protection

    The Article 29 Working Party (WP29) published an assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees. It outlines the risks posed by modern working practices, where new technologies enable more systematic processing of employees’ personal data at work and bring new challenges for privacy and data protection.

    Processing of personal data about the use of online services, or of location data from a smart device, is much less visible to employees than more traditional monitoring such as overt CCTV cameras, yet it captures far more of their lives.

  • structured vs unstructured data

    Learn about the difference between structured data and unstructured data and how to best protect it in Data Protection 101, our series on the fundamentals of information security.

    When organizations prepare to collect, analyze and secure data, they need to understand that there are two kinds of data: structured and unstructured. Each presents different challenges, especially when it comes to data security, so it is important to understand both concepts.

    Structured data is usually stored in relational databases and displayed in defined columns and rows, which allows data mining tools and algorithms to query and analyze it directly.

    Structured data can be used in:

  • Technical initiatives to stay privacy safe

    Data protection is the umbrella term for mitigating failures of protection (confidentiality), accuracy (integrity) and access (availability) that can harm data subjects and, ultimately, your business. Compliance is about the governance of the GDPR and the non-technical measures to adopt and adapt.

    Risk assessments enable decision-makers to consider everything from contractors leaving with passwords and insider knowledge, and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on.

    But what about technical support staff and their access to customer data, particularly when it is required on a large scale? What measures are available to manage, minimise and control this?

  • Territorial Scope of GDPR

    A common scenario involves country-level sites managed by a central team, with some of the sites in the EU and some outside it.

    The question is whether all the sites fall within the scope of the GDPR, given that EU residents may access any of them while visiting those countries.

  • New Data Law Committee

    Before Brexit is finalised there is a lot of work to be done, one of the most recent priorities being data transfers between the UK and the EU. Both the Government and businesses have expressed reservations about the flow of personal data post-Brexit, especially in the event of a ‘no deal’ Brexit.

    To address this, a new Data Law Committee has been set up to discuss future legislation on data protection and privacy law. The City of London Law Society announced the introduction of the Data Law Committee, with Jon Bartley, the chairman of the committee, describing it as a “pivotal moment” for privacy law.

    The Committee is in place to discuss all aspects of data privacy and cybersecurity legislation. However, Jon Bartley, the Committee Chairman and Partner at the corporate and insurance law firm Reynolds Porter Chamberlain, said that Brexit is “our first and most urgent area of interest.”

  • NIS Directive

    The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations operating essential services within the EU.

    The Directive was adopted on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy, transport, banking, financial market infrastructure, health, water and digital infrastructure providers.

    Organisations that operate within these sectors are termed “operators of essential services” and must implement the provisions of the Directive to establish the required base level of security for those services.

  • Data processor

    A cloud service provider of apps and storage for businesses is a data processor. That does not mean it is exempt from appointing a Data Protection Officer (DPO): a processor must also appoint one where the data it processes presents potential risks to the rights and freedoms of individuals, or where it carries out large-scale systematic processing.

  • Right to be forgotten

    Companies need to consider what technical measures they can take to honour the data subject's right to erasure, or 'right to be forgotten'.

    Anonymisation ensures that the anonymised data can no longer be linked to a person, so it is no longer considered personal data under the GDPR. Where anonymisation has been done and a subject access request (SAR) follows, you can then explain that you no longer hold personal data relating to that subject. That said, anonymisation is very hard to achieve perfectly: if the data can still be linked back to an individual, for instance by combining it with other data that you or a third party hold, it is only pseudonymised, remains personal data, and the risk remains.
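    To show why that caveat matters in practice, here is an added Python example (not from the original article) run over constructed sample records: replacing an email address with a plain SHA-256 hash, a common "anonymisation" shortcut, is undone by a dictionary attack; a keyed HMAC resists that attack but is still only pseudonymisation, because whoever holds the key can re-link the rows; only an aggregate release with small groups suppressed leaves nothing to link back to a person. The records, the email addresses, the key and the group threshold are assumptions made up for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample customer records for the example (not real people).
RECORDS = [
    {"email": "alice@example.com", "postcode": "L1 1AA", "age": 34, "purchase": "book"},
    {"email": "bob@example.com",   "postcode": "L1 1AB", "age": 41, "purchase": "lamp"},
    {"email": "carol@example.com", "postcode": "L2 2CC", "age": 29, "purchase": "book"},
    {"email": "dave@example.com",  "postcode": "L3 3DD", "age": 37, "purchase": "book"},
]


def naive_anonymise(records):
    """Replace the email with its plain SHA-256 digest.

    This is often sold as 'anonymisation' but is not: the digest is a
    deterministic function of the email, so anyone who can guess the
    email can recompute it and link the row back to the person.
    """
    out = []
    for r in records:
        row = dict(r)
        row["email"] = hashlib.sha256(r["email"].encode()).hexdigest()
        out.append(row)
    return out


def reidentify(hashed_records, candidate_emails):
    """Dictionary attack against plain-hash tokens.

    Given a list of plausible addresses (a marketing list, a breach dump,
    a staff directory), recompute SHA-256 for each and match the tokens.
    Returns {token: recovered_email} for every row that was linked.
    """
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in candidate_emails}
    return {row["email"]: lookup[row["email"]]
            for row in hashed_records if row["email"] in lookup}


def pseudonymise(records, key):
    """Replace the email with a keyed HMAC-SHA256 token.

    Without the key the dictionary attack above fails, but this is still
    pseudonymisation, not anonymisation: whoever holds the key can re-link
    the data, so it remains personal data under the GDPR.
    """
    out = []
    for r in records:
        row = dict(r)
        row["email"] = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()
        out.append(row)
    return out


def anonymise_aggregate(records, min_group=2):
    """Release only aggregate counts, with small groups suppressed.

    Direct identifiers (email, postcode) are dropped, age is generalised to
    a decade band, and any (age_band, purchase) group smaller than
    min_group is withheld so that a count of 1 cannot single someone out.
    No row-level record survives, so nothing here can be linked back.
    """
    counts = Counter((r["age"] // 10 * 10, r["purchase"]) for r in records)
    return {group: n for group, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    # Assumed attacker word list: two of the four addresses plus a miss.
    guesses = ["alice@example.com", "zed@example.com", "carol@example.com"]
    print("plain hash, re-identified:", reidentify(naive_anonymise(RECORDS), guesses))
    print("keyed HMAC, re-identified:", reidentify(pseudonymise(RECORDS, b"k"), guesses))
    print("aggregate release:", anonymise_aggregate(RECORDS))
```

    The design point for an erasure or SAR process is the last function: if a row-level record survives that can be joined back to a person by anyone, including you with a key, the record is still personal data and the request still applies to it.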

  • Top ten GDPR priorities

    1. Manage expectations - GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaptation of processes. Plan, develop and sustain.

    2. Continued awareness and training for staff.

    3. Update your privacy policy, consent capture and recording.

  • What is personal data?

    Personal data is defined in Article 4 of the General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person, whether that information identifies the person on its own or in combination with other data. The following are examples of personal data:

    • Name
    • Home address
    • Driver’s license

  • Data Protection Officer

    Under the GDPR, you must appoint a data protection officer (DPO) if you:

    1) are a public authority (except for courts acting in their judicial capacity);
    2) carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
    3) carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

  • Underhanded tactics of phone apps

    The consumer body Which? published a report after monitoring 29 popular apps used by both iPhone and Android users, in which it identified the underhanded tactics several app companies use when obtaining personal data.

    Which? found that several of these companies relied on borderline-lawful means to obtain unnecessary information from customers who were unaware, as they had neither the time nor the willingness to read overcomplicated and lengthy data protection policies. The consumer body found that:

      “Based on average reading it would take 22 hours, 21 minutes to read all the policies in one go.”

      The report also showed that despite the General Data Protection Regulation (GDPR) being implemented in May 2018, there were still organisations ignoring the fundamentals of the regulation:

  • Withdrawing consent and right to erasure

    In respect of a data subject enforcing their rights, it should first be noted that withdrawing consent, i.e. removing the controller's right to use your data for the activity you consented to, is not the same as the right to erasure. Consent is specific and unambiguous and is given for a particular activity.

    For example, many of us will use an online web form to download a document. If there is a check box to receive marketing material from the site, and we tick the box, we will receive the marketing materials.

    If we later withdraw the marketing consent, will our information be erased as well?

Make a free enquiry, call now

0151 659 1070
