On the UK’s hottest day on record, our Rachael Eyre attended the ICO’s data protection conference along with 2000 other people. Thankfully for her, it was a remote event.
These are interesting times for data protection practitioners: Brexit, rapidly developing technology, a global pandemic, changes to the Privacy and Electronic Communications Regulations (PECR), and the Government's introduction of the Data Protection and Digital Information Bill. The landscape is shifting. Law firms need to know exactly what personal data they hold and how it is processed.
It is also important to keep up to date with the latest guidance from the ICO.
Main points to come out of this year’s data protection conference
- Training. It is so important to train everyone in a firm on data protection, so they can understand what they can and can’t do with personal data and what to do in the event of a Subject Access Request, or a breach. The ICO has released the training they use in house as a resource for people to use for free. There are 12 Data Protection Sessions and 3 Freedom of Information/Environmental Information Regulations training sessions, each no more than 35 minutes. You can find them here.
- Data Sharing. This is well worth a reminder. You can share personal data with other organisations providing that:
  - you have a lawful basis
  - you are transparent with the data subjects, either through your Privacy Notice or a specific notification (unless one of the legal obligation exceptions applies, e.g. reporting to the NCA)
  - the sharing arrangement is fair and what can reasonably be expected.
  If you are sharing with a Processor or you are the Processor, there must be a contract in place. A Data Sharing Agreement is best practice in other scenarios but not essential.
- Supply Chains. This has been a risk area: some IT service providers have suffered a breach and not told the firms whose data they hold. Managed service providers can be high risk, as the firm has limited control over their security. For law firms, this is about ensuring the security of both personal data and confidential client data. Tips to mitigate this risk include:
  - Ensure you apply patches to your software and have an updating policy. If you can't apply a patch or update (because it would break another part of your integration), record why and what you will do to mitigate.
  - Ensure back-ups are offline and will not be lost in a breach of the supplier's online system.
  - Use a policy of least privilege – people only have access to the data they need, not access to everything.
  - Don't allow staff to randomly download software into your system.
  - Monitor your supply chain and systems (there have been a lot of payment diversion attacks).
A contract will bind your supplier into having to assist you and keep you informed and demonstrate your awareness of the need to protect personal data in your supply chain. It is here that many firms fall down.
- Horizon scanning. There is always lots going on in the data protection world. The ICO produces new guidance and tools all the time. Current changes to look out for include:
  - the passage of the Online Safety Bill and the Data Protection and Digital Information Bill
  - changes to PECR
  - possible changes to the Adequacy Decision from the EU
  - development of the Privacy Shield, which dictates whether data can be safely sent to the USA
  - ongoing international work into website Cookie Settings
- “Data Protection rights are Human Rights”. The Chief Executive of the Equality and Human Rights Commission, Marcial Boo, spoke of the deep connection between data protection and human rights, particularly Article 8, the right to private and family life. He also raised concerns over advancements in automated processing and its relationship with the protected characteristics in the Equality Act. Automated data processing can become discriminatory: for example, if the algorithms in automated recruitment selection are built on men's CVs, the system could easily become discriminatory against women. According to the EHRC, firms need to take care that any automated processing has been built with diversity in mind.