Q&A from the recent GDPR/ISO 27001 Webinar
10 November 2017
After a successful webinar, we have put together a Q&A from the questions asked during and after the session. We hope you find this useful.
What is the implication for personal information that has already been collected? If for example we have collected names and addresses of potential leads over the past three years through sales activity, do we need to ask them again in May?
The legitimate interests condition allows companies to continue processing soft opt-in data collected pre-GDPR without having to reconfirm consent. If the data was collected after 25th May 2018, the organization must have a lawful basis for processing the data; this may well be a different basis from that on which it was collected. All data processing must comply with the GDPR by 25th May 2018.
Where a company keeps training data relating to health & safety issues such as handling hazardous chemicals, they want to keep them for say 40 years. How is it handled when an ex-employee asks for their data to be deleted and the company needs to keep it to show due diligence in the future?
Personal data can be stored for longer periods under the GDPR, provided that the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1). This personal data must be protected by appropriate technical and organizational measures in order to safeguard the data subject's rights and freedoms.
The GDPR requires that data shall be kept for no longer than is necessary "for the purposes for which the personal data are processed". Organizations need to identify what personal data they process and the reason for processing to determine retention periods that are appropriate for each type of record.
Do you think future versions of 27001 will be amended to include GDPR requirements?
ISO 27001:2013 already requires organizations to demonstrate compliance with applicable legislation such as the DPA. However, ISO are reviewing, updating and introducing new standards all the time, so sign up to our InTouch e-newsletter to stay up to date with all the latest news.
Can organizations charge for access to private data requests, similar to freedom of information requests?
Organizations can only charge if the Subject Access Request is made without sufficient grounds and serves only to cause annoyance to the organization. The GDPR allows you, exceptionally, to charge an administrative fee for unfounded, excessive or repetitive requests. Organizations are also able to refuse to respond to such a request, but you must be able to demonstrate the unfounded, excessive or repetitive nature of the request.
Does GDPR affect business to business marketing?
B2B, B2C and business-to-employee processing will all have the same obligations to fulfil under the GDPR. You will need to consult your legal advisors/professionals for guidance specific to your organization.
Why do you think that there's been such a poor uptake in GDPR compliance?
Knowledge of the GDPR and implementation process could be causing issues.
Will controllers be expected to regularly audit processors that handle data for them? What type of "control of process" will be considered appropriate/sufficient?
The data controller remains responsible for ensuring its processing complies with the GDPR, whether it processes in-house or engages a data processor. It is the controller's responsibility to determine how it monitors and evaluates its processors.
When referring to personal data is this just consumers/end users or employee data or business to business individual data?
Personal data is defined as anything that can identify a 'natural person' (a living human), either directly or indirectly. It can be anything such as a name, a photo, an email address (which includes a work email), bank details, medical information, biometric and genetic data, or even a computer IP address.
If an employee has been sacked for gross misconduct or some other serious offence and they call up to have their details removed, do we have to remove all records of them, or are we able to keep some details to avoid re-hiring in the near future?
Data in relation to criminal convictions or offences may only be processed under official authority or when authorized by law. This means that controllers or processors will need to ensure that they have at least one legal justification to process such personal data.
We are sent information from a number of clients that collect their customers' information; we just process it and run some background checks for the client. Is the onus on the client to inform the customers of how their details are processed?
The controller determines the means and purpose of the data processing, and as such the onus is on the controller to inform the customer of how this data is processed.
Do processors have as much to implement as the controllers, with regard to getting unambiguous permission from data subjects?
Data processors face direct legal obligations under the GDPR in such areas as security and record keeping. Under the GDPR, controllers can only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and protects the rights of the data subject. If processors breach their direct obligations they can be fined by the Supervisory Authorities and held jointly liable with the controller for the entirety of any damage to a data subject, unless they can prove they were not in any way responsible for the event.
What would be classed as a significant data breach that would require reporting to ICO?
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals, i.e. where, if unaddressed, the breach is likely to have a significant detrimental effect on individuals; for example, to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This has to be assessed on a case-by-case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list would not normally meet this threshold.
How could we demonstrate conformity through independent assessment?
Adoption of and compliance with best practice standards such as ISO 27001:2013.
So if you're using an American service provider, say a cloud provider, who is not under the GDPR laws but may still need to follow its rules if they are processing EU data, and their Privacy Shield says they won't sell your data etc., are you OK to still use this company? Then what would happen if they had a breach? Could you as a controller still be liable?
Do you still need to report low-level breaches, such as sending an email containing personal information to the wrong person? If so, how strict would they be about that? Surely the fines for something like that would be a lot lower than, say, a hacker being able to steal a whole database for sale on the dark web?
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals, i.e. where, if unaddressed, the breach is likely to have a significant detrimental effect on individuals; for example, to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This has to be assessed on a case-by-case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list would not normally meet this threshold.
How are American companies fined through the ICO if they are not under it?
The GDPR not only applies to organizations located within the EU, but will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
Do you get fined even more if they find out you didn't tell them within the 72 hours?
If an organization fails to abide by the core principles of the GDPR, such as gaining the consent of individuals, respecting their rights and obeying their requests, the organization could face fines twice as high as those imposed for failure to report a data breach. Under the GDPR, the fine for failing to follow the new law could be as high as 4% of a company's global revenue or €20 million, whichever is the larger amount.
"The right to be forgotten" - what about roll-back systems or back-ups?
Data storage systems, including backup and roll-back systems, must be designed so as to protect personal data and maintain its privacy. Organizations may need to complete a legacy data audit to ensure that any personal data held by a processor or controller is held in line with the GDPR. This will enable organizations to identify where consent was granted correctly and delete records where consent was not, or cannot be, obtained.
Disclaimer
The answers to these questions are by no means exhaustive, and questions specific to your organization should be discussed with, and answers sought from, your relevant legal counsel/advisors.
Author: Chris Smith, NQA UK Regional Assessor