Included in this issue: ICO Commissioner communicates that UK firms must follow GDPR Pre Brexit; ICO issues landmark fine; Facebook latest to sign up to Safe Harbour 2.0 - Privacy Shield and more...

ICO Commissioner communicates that UK firms must follow GDPR Pre-Brexit

The European General Data Protection Regulation (GDPR) adopted back in April 2016, is due to take effect in UK from 25 May 2018. Many companies have been speculating as to whether they need to comply with the GDPR, which in some cases will mean a full review and upgrade of current data protection clauses, privacy policies and data collection practices.

In Elizabeth Denham's first speech as Information Commissioner at the Personal Information Economy (PIE) 2016 conference on 29 September, she confirmed that, 'It is extremely likely that the GDPR will be live before the UK leaves the European Union." Elizabeth Denham, went on to say, "when the UK leaves the EU (based on what we know today – 2019 or later) a new data protection law will need to be in force."

The territorial application of the GDPR means that organisations collecting and using personal information from citizens in the EU will need to comply with it regardless of where they are located. The EU Referendum result to leave the EU will not affect this. The UK Government will need to decide which EU Directives and Regulations it will choose to adopt or keep as part of UK legislation (including the GDPR). Many companies will, therefore, be required to comply with the provisions of the GDPR in order to continue trading in the EU.

To access Elizabeth Denham's speech click here

ICO issues landmark fine

The ICO has hit telecoms giant TalkTalk with a £400,000 fine for securities failings which gave hackers easy access to customer data.

The ICO investigation found that the breach could have been avoided if steps had been taken to remedy the technical weaknesses in the IT systems.

The cyber criminals were able to access the personal data of 156,959 customers by using the 'SQL injection' technique. This form of attack utilises attack driven data applications where the hacker can execute malicious statements in order to control a web applications server and therein gain access to information contained within that server. Defences are available for this kind of attack. The hackers in this instance took advantage of a bug in the out-of-date database software that TalkTalk had inherited from Tiscali following the 2009 acquisition.

Information Commissioner Elizabeth Denham, said: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

To access the ICO's advice for 'Protecting personal data in online services: learning from the mistakes of others' click here.

To access the ICO investigation timeline in relation to this cyber-attack click here

Facebook latest to sign up to Safe Harbour 2.0 - Privacy Shield

Facebook has recently signed up to the Privacy Shield, the new EU – US data pact which will enable personal information to be transferred to the United States. Privacy Shield has been introduced in place of Safe Harbour, a 15-year-old treaty which was last year declared invalid by the ECJ following a legal action against the social network.

The new treaty became operational on 1 August 2016 and it is designed to provide an adequate form of protection to facilitate and protect the transfer of personal data between the EU and the US. 

Facebook, like many major global organisations, relies on the ability to transfer personal data between countries. It intends to use Privacy Shield in relation to its new business-focused 'Workplace' platform and for the transfer of certain types of advertising data.

A spokesperson for Facebook confirmed: “We have signed up two important parts of our business to the EU-US Privacy Shield Framework – Facebook at Work and our relevant Ads and Measurement services.”

Companies with an ICO registration who have signed up to the Privacy Shield are reminded to update their data protection register entry by emailing or phoning the ICO.  

To view Facebook's statement click here

Law change to give ICO more power to combat nuisance calls

A change in the law, due to take effect from spring 2017, will give the ICO the ability to impose combined fines of up to £1 million for breaches of privacy. Prior to this announcement, a prior change in the law had been announced back in April 2015 where the ICO was initially handed the ability to fine companies more frequently. However such consumer groups such as Which? argued in August of this year that the ICO should be afforded greater powers of enforcement to crack down on this bad practice which is viewed by many as a form of harassment.

This argument succeeded, and under the revised law, directors of 'nuisance call' companies come under the ICO's radar and will be held personally liable and accountable for breaches of the privacy regulations. Under the current system, fines can only be imposed on companies. Those seriously in breach could face a personal fine of up to £500,000.

Elizabeth Denham, the information commissioner, commented: "Making directors responsible will stop them ducking away from fines by putting their company into liquidation. It will stop them leaving by the back door as the regulator comes through the front door.”

The rise in nuisance cold calling can be seen to have occurred in the wake of such things as the PPI scandal which has seen almost everyone in the UK receiving either a text message or automated phone call asking whether they were ever misold PPI. This practice has grown in popularity as more companies utilise this method to solicit business from potential customers. The law change, it is hoped, will combat this bad practice and tackle the increasingly prevalent practice of such companies declaring bankruptcy in order to avoid the payment of fines by making the directors personally liable.

For coverage of this story in the Guardian please click here

ICO releases updated code of practice for privacy notices

Ahead of the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the ICO has updated its code of practice for privacy notices. This revised code of practice comes in the wake of the consultation held by the ICO which ended in March 2016 entitled, "Privacy notices, transparency and control - a code of practice on communicating privacy information to individuals."

The document offers guidance as to how companies can comply with both UK privacy laws and the GDPR. Specifically, it contains guidance on how to comply with the GDPR's more stringent privacy notice policy and consent requirements.

Companies who collect personal data are advised to read the guide and review their current privacy policies. Companies are reminded that a privacy policy should clearly explain all the ways in which you use the data that is collected, who it is shared with and the reasons why. Clarity and transparency are key. A privacy policy that is robust and clear and one which has had time invested in its drafting will serve as a valuable asset to any business collecting and sharing personal data. 

Privacy policies ultimately tie into the issue of consent and whether this has been validly given by a data subject. Under the GDPR consent needs to be explicit. Further to this the GDPR will require more detailed language around the legal basis for processing, how long data will be retained for and why and wording must be included giving the data subject a clear right to complain and contact details for doing so.

Compliance with the GDPR is likely to be complex, time-consuming process and so it is advisable for companies to begin preparations as soon as possible. 

To view a copy of the guide click here

NHTSA issues cyber security advice for automotive industry

US government agency, the National Highway Traffic Safety Administration (NHTSA) has issued its first set of cyber security guidance to the automotive industry.

The non-compulsory guidance aims to assist with the protection of vehicle systems and software against cyber criminals and to minimise the risk of data breaches. The guidance follows the National Institute of Standards and Technology (NIST) cybersecurity framework and recommends the implementation of measures such as: security risk assessments, cyber-attack detection software and having the necessary mechanisms in place to recover systems following a cyber-attack.

The guidance seeks to develop best practices within the industry and encourages companies to share information relating to any attacks that they experience.

In contrast, in Europe, the Automobile Manufacturers Association (ACEA) published a statement back in April confirming compliance with the principles GDPR. 

It can be seen that data protection has become a hot topic in light of technological advancements in relation to greater connectivity between devices and vehicles and the Internet of Things. 

To view the guidance click here

Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile