Data Protection Compliance Audit - Computer Law Training Ltd

This report is prepared to provide advice in relation to achieving, or maintaining, compliance with Data Protection Act 2018 (DPA18) and the General Data Protection Regulation (GDPR). (Certain organisations might well be subject to FOI / FOISA too). The advice is provided based upon our understanding of relevant laws and guidance as they stood on the date of audit and in reliance upon the information provided to us, by you, during the audit at that date. You are advised to review the relevant regulations on a regular basis.

The purpose of the audit is to establish an understanding of the personal data being controlled and processed. During the audit our discussions included the following: What categories of personal data you hold ? What processing of personal data takes place ? What legal bases you are relying on when you process personal data. Who processes data on your behalf (third party processors) ? Where your personal data is held. How you secure your personal data, and How long you are retaining personal data. This has allowed us to identify the data protection risks that your organisation is facing, establish data protection priorities and make recommendations on what is required for ongoing GDPR compliance. From this, you should be able to establish: Your priorities to work towards GDPR compliance, and The processes and work required to try and attain ongoing compliance

Organisations must identify the legal basis for processing personal data. Valid consent is very difficult to obtain under the GDPR, particularly if the organisation is in a position of power i.e. an employer or public sector organisation. Therefore, consent should only be used for processing if no other legal basis is available. There is a requirement that, for all personal data, the processing is necessary, and you must identify at least one of the following conditions: Consent. The data subject has given their consent to the processing for one or more purpose. (This will likely form the legal basis for marketing) Contract. Processing is necessary for the performance of/or to enter into a contract Legal Obligation that the data controller is subject to Vital Interests of the data subject or other person Public Interest, or in the exercise of official authority Legitimate Interests. This can be used where the processing is necessary for the purposes of the legitimate interests pursued by an organisation, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which requires protection of personal data; a lawful and fair balance must be struck

Under the overarching principle of Accountability, you will be required to demonstrate compliance with the following data protection principles: Lawfulness, Fairness and Transparency - processed lawfully, fairly and in a transparent manner in relation to the data subject. Purpose Limitation - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Data Minimisation - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Accuracy - accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are identified as inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Storage Limitation - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Integrity and Confidentiality - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

There are additional conditions required to process special categories of personal data. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and Trades Union membership. It also includes the processing of biometric or genetic data, health related data and data concerning a person’s sex life or sexual orientation. To process special categories of personal data you must identify one of the processing conditions above and one of the following: Explicit Consent is provided by the data subject. Processing is necessary for employment and social security and social protection law as long as the processing is necessary for compliance with a legal obligation. Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; Certain activities carried out by not-for-profit bodies with a political, philosophical, religious or trade union aim, where appropriate safeguards are in place and the processing takes place in relation to members or former members or persons who have regular contact in connection with its purposes and the information is not disclosed beyond the organisation. The processing relates to personal data which are manifestly made public by the data subject. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. Processing is necessary for reasons of substantial public interest on the basis of EU or UK law. Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. Processing is necessary for reasons of public interest in the area of public health which is carried out under the supervision of a health professional or by another person who owes a duty of confidentiality under an enactment or rule of law; or Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes with appropriate safeguards in place including data minimisation, e.g. pseudonymisation. The legal basis for processing personal data must be stated in Privacy Notices and in the Record of Processing.

Organisations must establish whether they are Data Controllers or Data Processors for each category of personal data processed. Definitions: Data Controller: the organisation that decides why data is being processed, how it is being processed and what is happening to personal data. Data Processor: the organisation that carries out processing on behalf of the controller and on the instructions of the controller. Joint Controller: both organisations act together to decide the purposes and manner of data processing.

GDPR specifies that certain information, e.g. the purpose and legal basis for the processing, must be supplied to the data subject when you are collecting personal data obtained directly from them unless they already have this information. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially if you are processing the data of a child or vulnerable person - these are known as 'Fair Processing Notices' or 'Privacy Notices'

The GDPR provides enhanced and new rights for data subjects. Any communication with a data subject should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. You have to respond without undue delay to any request made by a data subject within one calendar month although this can be extended once by two more months depending on the complexity of the request or the number of requests. There should generally be no fee charged to the requester/data subject unless their request is manifestly unfounded or excessive, for example, due to their repetitive nature. If you have reasonable doubts about the identity of the requester/data subject, you should use all reasonable measures to confirm the identity of the person making the request, before taking action. Data Subject Rights requests include the following: Subject access. Data portability. Rectification. Erasure (‘right to be forgotten’). Object to processing (including direct marketing). Restrict processing. Object to automated decision making. The above are not absolute rights in every circumstance and may not be applicable depending on the identified lawful basis for processing the personal data

The previous provisions under the Data Protection Act, that data should not be kept for longer than necessary, should be accurate and, where necessary, kept up to date, have been extended under the GDPR. Data subjects must now be provided with detailed information about the retention of data at the point of collection of that data. The general principles on retention of personal data are: You must not keep personal data for longer than you need it. You need to consider – and be able to justify – how long you keep personal data. (This will depend on your purposes for holding the data.) You need a policy setting standard retention periods wherever possible, to comply with documentation requirements. You should also periodically review the data you hold, and erase or anonymise it when you no longer need it. You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.

Under GDPR all personal data processed must be done in a manner which ensures integrity and confidentiality. This means that organisations must have appropriate technical and organisational measures in place to ensure the appropriate security of personal data in relation to unauthorised or unlawful processing and to guard against accidental loss, destruction or damage – both personal data in paper files and data stored electronically. In relation to all systems, access controls should be in place and organisations should consider the following measures, where possible: Pseudonymisation. This is data which has had the personally identifiable features removed but which can be combined with other data to re-identify the individual. This is a new term under GDPR and pseudonymised data can reduce the risk of personal data being lost or unlawfully accessed if the additional information for attributing the data is kept separately. Anonymisation. This refers to data that does not itself identify any individual and that is unlikely to allow any individual to be identified through its combination with other data. Encryption. The ICO encourages making sure that any personal data being transferred digitally whether by email or on a removable device, including laptops, is encrypted. Security Standards. Achieving Cyber Essentials and Cyber Essentials Plus is encouraged by the Government. Back-ups. The ICO’s advice is to have a robust data backup strategy in place to protect against disasters such as fire and flood but also malware, such as ransomware. At least one of your back-ups should be off-site. Vulnerability Scans and Penetration Testing. The ICO recommends that organisations run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities and make sure that any vulnerabilities identified are addressed.

A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR obliges the data controller to notify the ICO of a personal data breach without undue delay and within 72 hours after having become aware of it. In considering whether there is an obligation to report an incident, you should consider if there is likely to be an impact on data subjects where physical, material or moral damage could occur including a loss of control over their personal data, or an impact on them in terms of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional confidentiality or any other economic or social disadvantage to the individual concerned. Contracts with Processors must contain a requirement for personal data breaches to be reported to the Data Controller without undue delay. Failing to report a breach or complying with these provisions could result in a fine of up to €10million or 2% of global turnover. If a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller is obliged to advise the data subject without undue delay so that they can take the necessary precautions. Failing to notify a data subject of a personal data breach in contravention of the GDPR provisions could result in a fine of up to €10million or 2% of global turnover.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

It is essential that all employees who handle personal data receive training in data protection and that training is conducted both at induction and then refreshed on a regular basis. Staff should know who to go to if there are any data protection issues and/or who their DPO is. They should also be aware of how any organisational policies relate to them within their job role. This will form part of any accountability portfolio

Direct marketing has a broad definition and includes sending out campaign messages and information as well as the more traditional use of selling things. There are particular rules in relation to direct marketing contained in the Privacy and Electronic Communication Regulations (PECR) which are likely to be replaced by the ePrivacy Regulation: Post - Sending direct marketing by post can be carried out without the consent of the data subject, even if they are named. Phone Calls - Making live phone calls can be done without consent as long the individual does not subscribe to the Telephone Preference Service (TPS). If they do, then consent is required. All automated calls require consent. Emails and Text Message - Any emails or text messages which constitute direct marketing require consent, unless you can rely on the soft opt-in (see below). Business to Business (B2B) Marketing - Sending marketing emails to corporate email addresses does not require consent unless they are sent to a sole trader or partner of an English partnership (not an LLP). The recipient should be able to opt out of receiving such emails. Soft Opt-In: There is provision in PECR and the ePrivacy Regulation to allow direct marketing emails and text messages to be sent without consent if you obtained the individual’s contact details in the course of the sale of a product or service. The organisation is not relying on consent here but is relying on the fact that it has a legitimate interest in sending marketing messages about the same or similar products to someone who has already shown an interest in their products. In that way their right to privacy is not outweighed by the interest of the organisation. However, the data subject must be provided with the option to opt out at the time their contact details are collected and on every other occasion when they are sent a direct marketing message. There is an absolute right to object to data processing for the purpose of direct marketing. This applies to all processing for that purpose, not just being sent messages. It is legitimate to keep the personal data of someone who has objected, to ensure that the individual’s personal data is no longer processed for this purpose. This is known as a suppression list.