Privacy and compliance teams face challenging times ahead, with increasing regulation, the new normal and Brexit on the horizon – and it looks like 2021 is going to be no exception when it comes to the pace of change, which has so far been relentless and unforgiving. This article outlines the four key privacy challenges organisations face going into 2021, and how they can begin to overcome them so they’re not caught out later down the line.
The Court of Justice of the European Union (CJEU) handed down its judgement on Schrems II, in which it ruled that US surveillance laws did not offer adequate protection for EU personal data. In particular, Facebook had shared EU personal data with the US National Security Agency. The CJEU found the European Commission’s adequacy determination for the Privacy Shield was invalid for two main reasons:
- US surveillance laws are not limited to what is strictly necessary and proportionate as required by European data protection law;
- Data subjects did not have a right to an effective judicial remedy in respect of those US surveillance laws.
It’s important to remember that this judgement will affect organisations that transfer personal data not only to the US, but also to other countries outside of the European Union. The CJEU also considered the validity of standard contractual clauses (SCCs) and ruled that they will only serve as an appropriate mechanism for transferring personal data to third countries where that third country can ensure adequate protection of data.
This means organisations should assess the treatment of data in countries outside of the European Economic Area (EEA) or where there is no adequacy finding to ensure adequate protections are in place. Organisations should assess the country’s approach to data protection, its national security regime, legal system and enforceable remedies for data subjects. Assessments should be undertaken on a case-by-case basis – before any data transfer takes place.
If adequate protections are not in place, organisations must suspend transfers or provide additional safeguards. The judgement has placed similar requirements on supervisory authorities to consider data transfers on a case-by-case basis and to prohibit or suspend transfers where data protection is not of an equivalent standard to that in the EU.
Organisations should now review all data transfers, understanding where the Privacy Shield is relied upon, review all contracts containing SCCs, and identify third countries to which data is being transferred, with particular emphasis on the US.
The number of DSARs is rising
The impact that Covid-19 has had with regard to redundancies and the furlough scheme, not to mention the chaotic situation with the artificial intelligence exam grade calculations, has meant that we are beginning to see a huge increase in data subject access requests (DSARs) being issued across all sectors.
In fact, according to a new study conducted by eCase, which works closely with Westminster, data protection officers (DPOs) employed in public bodies and government departments have already claimed that they are being overwhelmed by data subjects demanding to know what data is held on them – with the number of DSARs actually doubling in the two years since the General Data Protection Regulation (GDPR) came into force. Most insist that they do not have the adequate resources in place to deal with this new workload.
This means that the time for an organisation to get its house in order regarding its record of processing activities and retention policies is now – not in a few months’ time when they are trying to trawl through 200,000 documents and emails going back 15 years.
The ICO’s pragmatic approach to responding to DSARs during the pandemic has not been a change in the law, and whilst they will treat each case on its merits, they still have the same expectations on how data security and privacy matters should be handled as they did before the pandemic.
It’s also important to remember that a disgruntled ex-member of staff was probably a trusted colleague at one point, and one who potentially knows about the management’s weak points. The knowledge of a management-sanctioned group WhatsApp chat sounds trivial, for instance, but is something that could cause major headaches in a DSAR. So make sure you cover your back, think of everything and have a policy in place before you receive the DSAR.
Brexit and the role of the DPO and data transfers
January 2021 seemed like a long way off when we started talking about the UK’s final exit from the EU, but with the date now looming there are major factors to consider with regard to who is going to represent your organisation in various scenarios.
Firstly, organisations need to consider their flow of personal data, and whether transfers of personal data are undertaken. Currently, personal data can flow freely between the UK, EU and EEA without having appropriate safeguards in place – such as SCCs, binding corporate rules or other such mechanisms.
The UK government has stated that from 1 January 2021 data transfers will not be restricted and can continue to flow from the UK to the EEA. So, any organisation that sends data from the UK to the EEA will still be able to do so without the need for any additional steps. However, at the end of the transition period, the UK will be considered as a third country – which means data transfers from the EEA to the UK will be restricted and organisations will need to rely upon an appropriate safeguard for data transfers.
Organisations should now be identifying whether data transfers are taking place and ensuring that they have the appropriate safeguards in place to protect personal data. They should also be reviewing all their privacy information and documentation so they can identify any minor changes that may need to be made at the end of the transition period.
One of the major changes facing UK-based organisations that process the personal data of individuals living in EU countries can be found within Articles 3(2) and 27(1) of the GDPR.
Prior to the Brexit decision, Article 3(2) of the GDPR (Territorial Scope) and Article 27(1) (Representatives of Controllers or Processors not established in the Union) applied to “someone else, not us”. Come the 31 December 2021, the UK is that “someone else”. As the EU GDPR will no longer apply in the UK, Article 27 most definitely affects UK-based organisations, which means they will need to appoint an EU Representative.
Article 27 states: “The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored.”
Equally, as a result of the UK GDPR (Part 2 DPA 2018), EU-based organisations will need to appoint a UK representative. If an organisation is based in neither the EU nor the UK, they will need both.
In essence, your EU representative is the local point of contact for data protection and privacy matters – for both the data subjects and the data protection supervisory authorities.
The representative is responsible for receiving requests from data subjects who want to exercise their rights under either the UK or EU GDPR, and also for supplying the correspondence from the data protection supervisory authorities. To ensure compliance, the contact details of the representative must be publicised within the organisation’s privacy policies or notice. The representative is also responsible for keeping – but not maintaining – a copy of the Article 30 record of processing activity. This is to ensure that they can provide a copy to the supervisory authority if required.
If these requirements are not met, Article 83(4) GDPR sets forth fines of up to €10m, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year – whichever is higher.
The number of data breaches is increasing
The sudden move to mass home working meant many organisations will have been forced to adopt new working practices much more quickly than usual and, in many cases, will have had no choice but to place themselves outside of their risk appetites. Organisations may have had to relax their perimeter security to facilitate home working and may have had to introduce new technology without the usual rigorous testing and assessment of options.
We’ve seen a huge rise in the number of data breaches over the past few months where cyber criminals have targeted these newfound vulnerabilities in an organisation’s defence. Compliance functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organisations come back within their risk appetites as quickly as possible.
On average, research shows it takes 206 days to identify a data breach and there is evidence that cyber criminals and nation states are testing organisations’ new processes. It is very likely that some organisations have been successfully attacked and don’t know it yet – so it is important that organisations assess what damage has been done as soon as they identify and close a vulnerability or gap. Burying heads in the sand is not an option – the consequences later down the line can be fatal to businesses.
Conclusion: Privacy teams will have a lot on their plate
Organisations that have little to no compliance resource will especially begin to struggle as regulators start to harden their approach to enforcement again.
While taking a pragmatic approach to enforcement during lockdown, the ICO still stated that organisations will “need to consider the same kinds of security measures for home-working that they would use in normal circumstances”. In other words, organisations will need to have complied with a remote working policy that was appropriate to the risks of the data processing; the pandemic is not an excuse for poor data security practices.
For those organisations that are struggling to deal with this surplus of privacy challenges as we approach 2021, looking into implementing privacy as a service (PaaS) is often the simplest way to manage and overcome compliance headaches.
A PaaS pulls together one solution that makes privacy management easier and more flexible to the changing needs of an organisation, with data protection, legal, information security and DSAR expertise all located and deployed from one place. For many companies, it can act as a lifeline as they focus on dealing with the other fires 2020 has ignited so far.