General Data Protection Regulation

  • Binding Corporate Rules

    In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):

    • Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
    • Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

    The tables have been amended to meet the requirements of Article 47 GDPR, in order to clarify the necessary content of BCRs and to distinguish what must be included in the BCRs themselves from what must be presented to the competent supervisory authority in the BCR application. The amendments also match each principle to the corresponding Article 47 text reference for controller BCRs, and provide further guidance on each of the requirements.

  • DATA CONTROLLER

    Where a Controller uses third party systems to process personal data, the responsibility for consent still lies with it. Controllers bear the onus of acquiring GDPR-standard consent (or identifying another lawful basis for processing the data), demonstrating it to the regulator and ensuring it can be withdrawn as easily as it was given. Selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is therefore key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller is infringing GDPR, it has an obligation under Article 28 to inform the Controller and record the notification.

  • Supermarket chain Morrisons faces paying out compensation claims to more than 5,000 of its staff after the Court of Appeal upheld the High Court’s ruling that Morrisons is liable for the data leak carried out by its former employee, Andrew Skelton.

    The supermarket chain is now involved in the UK’s first data leak group action, arising from Mr Skelton’s actions in 2014, when the former senior internal auditor leaked payroll data whilst working at Morrisons’ head office in Bradford.

    The claimants are a mixture of former and current employees, who allege that the data breach left them vulnerable to identity theft and financial loss. This has been ruled to be Morrisons’ responsibility, and the company is therefore in breach of data protection, privacy and confidence laws.

  • Data protection risk assessment

    A Data Protection Impact Assessment (DPIA) is a procedure that helps you identify and minimise the data protection risks of a project. You should always complete a DPIA when undertaking high-risk processing, which usually means new tasks or projects.

    Certain software applications can be used to produce a DPIA efficiently.

  • GDPR compliant document handling

    Document management solutions provide:

    • structured organisation and control of documents
    • search
    • document security, audit and versioning
    • the capability to manage retention

    What they are not necessarily capable of is identifying and separating personally identifiable information (PII) from everything else in each document.

  • Fraud

    Industry group UK Finance has found that customers of UK banks had more than £500m stolen from their accounts at the start of this year. This consisted of £358m lost to unauthorised fraud and £145m obtained through authorised push payment (APP) scams. The distinction matters because banks usually refund unauthorised fraud victims, whereas APP victims are rarely refunded.

    At the start of 2017, APP scams totalled £101m, and this figure has now risen by £44m since four more banks reported fraud data.

    UK Finance’s managing director for economic crime, Katy Worobec, said the new figures highlighted fraud as a “major threat” in the UK. She also stated that the money obtained from bank accounts is used to fund terrorism, people smuggling and drug trafficking.

  • GDPR AND HR

    From 25 May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers are obliged to take on new responsibilities, as well as updating their contracts, policies and procedures, in order to remain compliant with the GDPR requirements.

    This means employers must:

  • CCTV GDPR

    The legal requirements pertaining to surveillance and personal cameras are contained within the code of practice issued by the ICO.

    Surveillance is now a proactive technology which can identify people and keep detailed records of activities.

    As a consequence of the greater use of personal surveillance, the Protection of Freedoms Act (POFA) was passed in England and Wales. The POFA has seen the introduction of a new surveillance camera code and appointment of a Surveillance Camera Commissioner, while the ICO's code of practice adds even more enforcement powers.

  • Data processor

    The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is a statement of whether the data includes special categories of personal data, since this raises the risk profile of the data set.

    For Personal Data that does not fall into one of either:

  • GDPR terms and conditions

    The key terms and definitions you need to know:

    Binding corporate rules: personal data protection policies adhered to by a controller or processor in a Member State for transfers of personal data to a controller or processor in a third country.

    Originally devised by the Article 29 Working Party to allow large volumes of data to be transferred internationally and securely while reducing bureaucracy.

    GDPR establishes the conditions for a Member State to establish its own binding corporate rules to streamline international transfers.

  • GDPR Summary

    The key changes included in the General Data Protection Regulation (GDPR):

    • The Regulation will enforce tough penalties – proposed fines of up to 4% of annual global revenue or €20 million, whichever is greater.

    • Even though the UK will not be in the EU post-Brexit, we will still have to comply with the Regulation. Although enforcing the Regulation beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may still face the long arm of the law if an incident is reported.
    • Google Data Breach

      Following Google’s announcement this week (8 October 2018) of a data breach dating from 2015, Google has temporarily shut down its social network Google+, where a security bug enabled third party developers to gain access to user data, potentially affecting around 496,951 Google+ users.

      Monday’s announcement was the first time Google had discussed the breach, which, although it occurred three years ago, was not uncovered and remedied until March 2018. Google’s reasoning for the late disclosure was set out in an internal memo, which discussed avoiding “regulatory interest” and potential comparisons to Facebook’s Cambridge Analytica scandal.

      The bug may have allowed third party developers to gain access to usernames, email addresses, gender, date of birth, location and pictures, as well as occupation and relationship status. However, there is no concrete evidence to confirm this (as Google only holds API data for two weeks), so Google cannot determine how many users were exposed. Google has advised that there was “no evidence that any profile data was misused” and “no evidence that any developer was aware of this bug, or abusing the API”.

    • Gender Recognition Act criminalises staff

      Following the closure of the Gender Recognition Act consultation, many people have voiced their opinions regarding the need to reform the Act, due to a variety of problematic issues.

      The Employment Lawyers Association (ELA) has discussed the negative implications of the Gender Recognition Act 2004 and has called for the repeal of section 22 of the Act, which it believes inadvertently criminalises innocent members of staff, especially HR employees who assist trans job seekers.

      Section 22 of the Gender Recognition Act 2004 states:

    • HR and GDPR

      The General Data Protection Regulation (GDPR) came into force on 25 May 2018, bringing major changes to the way data is protected and prompting employers to reconsider their employment and HR procedures and amend them in order to comply with GDPR requirements.

      Employers should maintain focus on the following factors:

    • ICO finds 75% increase in data breach reports

      According to a study from the Information Commissioner’s Office (ICO), data breach reports have increased by 75% in the past two years.

      The report was compiled by Kroll, one of the top corporate investigations and risk consulting firms, based in the US. Kroll collated data breach reports submitted to the ICO concerning breaches of personal data, including financial and health details. Some of the data in the reports was already public knowledge, while the rest was obtained under the Freedom of Information Act.

      The final report established that over 2,000 of the reports submitted to the ICO in the past year were due to human error, with the most common causes of a data breach being data sent by email or fax to the wrong recipient and the loss or theft of paperwork.

    • Improving Cybersecurity measures

      In the past year there has been an array of high-profile data breaches at some of the UK’s biggest organisations, including British Airways, Dixons Carphone and Ticketmaster UK.

      It is alarming that such large, established organisations have jeopardised not only their own company data but also the personal data of their customers through inadequate cyber security.

      Many cyber security experts believe that a data breach can result from a simple mistake, for example when updating systems or migrating data. Although a substantial amount has been invested in cyber security, there are still gaps in basic procedures which must be addressed.

    • GDPR Data Processor

      Does a data processor need to be informed when a data controller deletes data?

      A Data Processor only needs to be informed if the Data Controller requires its support in fulfilling a right to be forgotten request. It is nonetheless important for a data controller to define its relationship with the data processor, in order to understand the dynamics between the two. It is also seen as good practice to allow the controller access to deleted records in response to a Subject Access Request the controller has received. If a Data Processor retains copy records as well as back-up records, they must be deleted if the Controller requests it.

      The deletion process can be difficult to carry out efficiently, but it is essential: under GDPR, all of the subject’s data must be deleted and the backups taken again, which is a lengthy but necessary process.

    • Keeping up with GDPR requirements

      The EU General Data Protection Regulation (the “Regulation”) came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

      This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

      1. How does controller and processor liability work in practice?

    • GDPR compliance

      According to a recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR) when it was introduced on 25 May 2018.

      Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

    • Record keeping - right to be forgotten

      GDPR gives individuals the right to have their personal data deleted, although this is not an ‘absolute’ right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you must erase all the data if you have a need, and a legitimate interest basis, to process it for audit records. If you cannot erase data (for example, where there is a legal requirement to keep certain records for 6 years), consider restricting the processing instead, such as by moving the data to an archive.

      The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.
