Outsourced DPO: Don’t shoot the messenger!

By Philip Brining

It’s been an interesting week for the Outsourced DPO: dispatched to the Jurassic Coast for a spot of auditing at two separate client sites, kicking off a new GDPR compliance project and advising on a couple of personal data breaches.

Don’t shoot the messenger!

Most of the week was spent undertaking compliance audits at two separate sites on the Jurassic Coast, not as a DPO but as lead auditor. Last week I spent a day conducting document reviews and a variety of searches and tests, partially to prepare for the on-site audit and partially to check that the policies and procedures comprising the information governance framework (IGF) allow the organisation to adequately meet the needs and obligations of the GDPR.

On-site I found that the client has done some really fabulous work in raising awareness of key data handling practices, probably forming the best work I have seen in this area for some time, but despite this, I still managed to get in and spend the day wandering around without a visitor’s badge, rifle a well-stocked and unlocked filing cabinet stuffed full of bank statements and personal data, and generally make a bit of a nuisance of myself in finding chinks in the compliance armour! I only report on what I see!

So, where were the weaknesses?

My alarm bells began ringing during the adequacy audit when there were no records of processing activities available for inspection and therefore I felt a little rudderless in terms of being able to use those as a basis to plan the audit. It makes the audit job significantly more difficult if the client cannot provide prior insight into the nature of the data processing arrangements. Fortunately I have a great deal of experience in their industrial sector to equip me with enough information to know where to look and what to look for but this lack of records attracted a RED rating in my compliance report representing a failure to meet the expectations of Article 30.

Another weak point which gave way after a little probing was the arrangements for data sharing, processing and ad-hoc disclosure. On paper, the policy and procedure looked adequate, but the register itself contained out of date information, non-compliant contracts (per Article 28) and processors such as cloud database hosting service providers working under woolly data sharing arrangements and NDAs. There was no evidence of any due diligence on these arrangements and as the day unfolded several suppliers of data services were uncovered that were either not on the register and/or were providing “shadow IT” – IT services that the IT department knew nothing about!

Some of these arrangements involved the processing of personal data in the USA which is not mentioned in any of the privacy information. The final area of out-and-out non-compliance was the lack of evidence of any system of audit or compliance checking (per Article 32(1)(d) and 5(2)). Most of the areas audited were rated as areas for improvement (YELLOW or AMBER) [i.e. some measures were in place but these had significant scope for improvement], but pleasingly there was also a smattering of GREEN ratings where there was clear objective evidence of compliance. Yeah!

Inevitably I observed some operational practices not conforming to organisational procedures ranging from users charging personal mobile devices from their desktop PC contrary to the IT Security Policy, through to the screens of the HR team being visible from the street… and I have photographic evidence to prove it! Oh the joys of auditing!

Breach fine lines

Acting as a consultant rather than an Outsourced DPO, I was asked to advise on a security incident which turned out to be a personal data breach but presented a tough call on whether it was notifiable to the ICO. In summary an Office 365 account was compromised leading to the unlawful and unauthorised access to and processing of personal data within the compromised account. The information was used to send a wire transfer request to a bank and to ensure that all of the validation checks undertaken by the bank were successfully passed. As a result, £250,000 was transferred into the attacker’s account. Fortunately the target’s financial controller noticed the transfer while reconciling bank accounts and a second wire transfer a few days later was blocked.

In analysing the security incident we asked the following questions: a) was there a personal data breach as defined in Article 4 of the GDPR; b) is it unlikely that the breach will result in a risk to the rights and freedoms of natural persons? The cyber investigation team (Data Protection People’s own team) did a thorough and excellent job enabling us to objectively review reliable and well-presented facts leading to our assessment that a personal data breach did occur.

But the focus of the attack was extortion of money from a corporation (a legal person) and it seems unlikely given the sophistication and nature of the attack that the attacker will use the personal data in such a way as to cause distress, damage or harm to any natural persons such as employees of our customer or the correspondents of emails now in the attacker’s hands. But we really have no idea how the attacker might use or dispose of the data they have collected and so it is very difficult to say with any degree of certainty whether or not there is a likelihood of there being a risk to natural persons.

We always advise clients to err on the side of caution and notify due to the possibility of attracting a hefty fine unless it is crystal clear that there is no likelihood of risk to natural persons. There is always a risk of distress etc. but assessing the likelihood of the risks materialising is obviously highly subjective. I’m also interested in the guidance which talks about material and non-material harm as being risks posed to individuals – but these are only a couple of dimensions to consider.

The GDPR refers to risks to the rights and freedoms which, I would suggest, could be defined as being far broader than material and non-material harm. Having a facsimile of your signature stolen and mis-used may not result in any material or non-material harm, but I would say that it is certainly an infringement of an individual’s rights and freedoms.

Still, we work with the guidance where it is favourable! Incidentally, this is the third incident I have been involved with in 6 weeks where an Office 365 account has been compromised through weak management controls. In all three cases accounts have been compromised perhaps through weak passwords and attackers have been able to set up mail forwarding rules that send emails on to their own accounts to allow them to monitor email traffic over the course of several weeks.
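The mail forwarding rules mentioned above leave a trace in the Microsoft 365 unified audit log (New-InboxRule / Set-InboxRule operations). The check below is an added example, not part of the original post or of Data Protection People’s own tooling: it scans constructed sample AuditData records and flags rules that forward or redirect mail outside an assumed organisation domain, or that delete messages to hide the forwarding from the mailbox owner.

```python
import json
from typing import Iterable

# Assumed organisation domain; forwarding to any other domain is treated as external.
ORG_DOMAIN = "example.org"

# Constructed sample records in the shape of Exchange Online entries from the
# Microsoft 365 unified audit log (the AuditData JSON column). Not real data.
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "finance@example.org",
                "ClientIP": "203.0.113.5",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr@example.org",
                "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Name", "Value": "Payroll to Jo"},
                               {"Name": "ForwardTo", "Value": "Jo Bloggs [SMTP:jo@example.org]"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@example.org",
                "Parameters": [{"Name": "Identity", "Value": "hr@example.org"}]}),
]

FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def params(record: dict) -> dict:
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}

def is_external(address: str) -> bool:
    # Recipients may appear as "Display Name [SMTP:user@domain]" or as a bare address.
    addr = address.split("SMTP:")[-1].rstrip("]").strip()
    return "@" in addr and not addr.lower().endswith("@" + ORG_DOMAIN)

def suspicious_rules(audit_data: Iterable[str]) -> list:
    """Return (mailbox, rule name, reasons) for inbox rules that exfiltrate or hide mail."""
    findings = []
    for raw in audit_data:
        rec = json.loads(raw)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params(rec)
        reasons = [f"{k} -> {p[k]}" for k in FORWARD_PARAMS if k in p and is_external(p[k])]
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes messages after processing")
        if reasons:
            findings.append((rec["UserId"], p.get("Name", ""), reasons))
    return findings

if __name__ == "__main__":
    for mailbox, name, reasons in suspicious_rules(SAMPLE_AUDIT_DATA):
        print(f"{mailbox}: rule {name!r}: {'; '.join(reasons)}")
```

Real records can be exported with Search-UnifiedAuditLog in Exchange Online PowerShell and fed in as the AuditData strings; a one-character rule name and a forward-and-delete combination, as in the first sample record, are the pattern described above.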

Next week

Next week I am re-drafting the data subject rights policy, procedures and record keeping framework for a charity client I am the Outsourced DPO of, chasing through a data sharing agreement involving medical data, and, with a bit of luck, completing a white paper on the DPA 18 exemptions and data protection relating to social media marketing.

Talk to us today and see how Data Protection People can fulfil your DPO responsibilities.

30th November 2018

Philip Brining
