Top 10 Challenges For DPOs – Part 2

Hosted by Zara Turner, Oliver Rear and David Holmes.

What are some of the top challenges for Data Protection Officers?

On this week’s episode of the Data Protection Made Easy, our consultants Zara Turner, Oliver Rear and David Holmes join together to discuss some of the most common challenges faced by Data Protection Officer (DPOs). Both Zara and Oliver work on the Support Desk here at Data Protection People and see every challenge imaginable. David works as a consultant and acts as an Outsourced DPO for some of our clients. Their roles in data protection give them the best insight into common challenges faced by Data Protection Officers and during this session they share their knowledge as well as some useful solutions to some of the shared challenges.

What did we cover in part one of the discussion?

SARs
Data Processors/DPA
Data Sharing
Policies & Procedures
Data Breaches

If you would like to listen in to any of the topics above, search for ‘Data Protection Made Easy‘ on all major audio-steaming platforms of check out part one in our resource centre: Top 10 Challenges For DPOs

News of the week

Easy Life – fined a total of £1.48 million for breach of data protection and electronic marketing laws. The organisation sells household items, as well as other services and products. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.

The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent. 80/122 products that Easy Life sold were ‘trigger products’ for such profiling.
This was deemed to be invisible processing as data subjects were not aware that their data was being used for this purpose. Fined £1.35 million for this profiling and a further £130,000 for breaching PECR with 1,345,732 predatory calls to members of the TPS.

Green Logic – PECR enforcement for unsolicited marketing calls to members of the TPS. 15 complaints to TPS and 17 to the ICO. Evidence suggests that 11,741 calls were made to TPS subscribers. £40,000 fine made to Green Logic. No due diligence checks were made on the data suppliers and phone numbers were not screened against the TPS/CTPS.

The question is this ignorance? Is this a choice to avoid costs of compliance?

Eco Spray Installation – £100,000 fine for targeting residents with ‘predatory’ marketing calls. Investigators found Eco Spray flouted marketing laws to make 178,190 calls to people who were supposed to be exempt

Euroseal Windows Limited – £80,000 fine for making 169,830 calls to TPS-registered people in 2020.

Posh Windows – £150,000 fine (reduced to £120,000 if paid by 28 Oct 2022) for making 630,971 calls, 461,062 of these calls were made to subscribers to the TPS. Continued to call individuals who had requested suppression – some individuals called more than 10 times.

Andy Curry, head of investigations said: “The complaints we received showed that people were distressed, upset, worried and inconvenienced by the calls. For people to feel this way, in their own homes where they should feel safe, is unacceptable.

What did we cover this week?

During this week’s discussion, we pick up from part one of the conversation and look at the top ten requests that come into the support desk, after speaking with the team, we came to the conclusion that there are actually 12 key challenges and it would be wrong to omit any of them from this list.

Rights requests

Mainly right to erasure or removal of consent – important to know when these rights requests apply. Also, that does not invalidate previous processing on basis of consent, only future processing on consent.
Right to erasure only applies in certain contexts, qualified right (personal data no longer needed, withdrawal of consent, objection with no overriding legitimate interest, objection to direct marketing, unlawfully processed, erased to comply with a legal obligation, information society services to a child).
Removal of consent is an unconditional right and so must also be actioned, however, does not invalidate previous processing on that basis.
Links to whether consent is an appropriate basis for processing and questions on lawful grounds of processing.

Lawful grounds

The key issue of relying on consent when consent is not appropriate, often view consent as is necessary for data processing but is not.
Also, the point of legitimate interests, is often a very useful ground to rely on but there is the importance of completing an LIA (and completing it well) as stressed in the recent case of a German bank being fined 900,000 euros for extending the basis of legitimate interests too far (comparing data analysis with the credit agency and enriching from there: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/900-000-euro-bussgeld-gegen-kreditinstitut-wegen-profilbildung-zu-werbezwecken-213925.html). Bank was deemed to have undertaken insufficient balancing of individuals’ rights.

Privacy information

Importance of covering all of your processing within a privacy notice, transparency requirements – considering child-friendly language etc.

CCTV

Particularly tricky in the housing sector with tenants’ CCTV, the key recommendation is to discourage the use of CCTV (outside of property boundary) by tenants due to issues of operating in compliance with data protection laws.
May be worth having a register for CCTV disclosures (e.g. to insurance companies or the Police).

International Data Transfers

The key issue with US transfers – still finds reference to the US privacy shield (deemed inadequate in July 2020 Schrems II). Also, the issue is that even if data is held in the EU database if the company is headquartered in the US then technically a risk of international transfer.
Additionally point that can no longer rely on old EU SCCs when entering into a new contract. If entering into a new international transfer agreement then it needs to be under an International Data Transfer Agreement.

Direct Marketing

Can be a very tricky part of the law as it has scope for interpretation (why I like it).
Particularly difficult for things such as newsletters sent by e-mail. The tricky part is determining what is constitutes marketing information, particularly a broad definition – can be anything promoting an organisation’s aims and ideals, encouraging further action from the reader etc.
When uncertain if it will fall to the company to make a decision depending on their risk appetite – can always choose to deliver information by post and avoid this issue. Or only disclose information by consent.

Useful Links From Todays Discussion:

Catalogue retailer Easylife fined £1,350,000

Bounty monetary penalty notice (ico.org.uk)

Greek DPA -v- PwC highlights

Cyber Security Services

PCI DSS

ISO 27001

Cyber Security Consultancy

Cyber Security Support

Pentesting

External Attack Surface Management

Data Protection Services

SAR Support

Data Protection Support

Outsourced DPO

Data Protection Consultancy

Information Management Software

GDPR Training

GDPR Audits

GDPR Representative

GDPR Documentation

GDPR Toolkit

Information Rights Request

24/7 Support whenever you need it