Another interesting week as an Outsourced DPO including two days at the Data Protection World Forum, a letter from the ICO, and more proactive regulation in Germany.
A day in the life of a DPO
I attended the two-day Data Protection World Forum in London’s ExCeL this week both as an exhibitor and as a delegate. It was a good event and the Data Protection People (DPP) stand was busy with a constant stream of enquiries – in fact we had just short of 100 enquiries. What struck me most was that at least 50% of the exhibitors were selling software solutions – either those that mine/explore data, or those, like our own DataWise established way back in 2009, which provide a compliance management database/platform.
When we built DataWise it was the only system of its kind. Three years ago there were maybe 4 or 5 data protection compliance management systems available, but now there seem to be hundreds, and deciding which system to use, if any, is quite a challenge for a busy DPO. From our point of view, more people in the market is only a good thing, as there are now probably a hundred times more marketing dollars behind compliance software in the UK than this time last year 😊!
However, before I had even attended the event I was offered the attendance list for my own marketing purposes by two separate vendors. Big mistake, I thought! I told the second company that I’d already bought it from a different vendor to shake them off, but I did make enquiries as to the price, data sets, and legitimacy of the data of the first vendor. The 5,000-strong database can be bought for £750 and includes names, email addresses, mobile phone numbers and company name of all the attendees.
I asked whether they could supply me a list of which stands and sessions each individual had attended (which they could not), and, for a bit of fun, I was tempted to ask if they were tracking individuals around the exhibition hall but thought that might blow my cover.
Anyway, I was assured that there is nothing at all to worry about because the data has been collected fairly and lawfully and I am perfectly entitled to use it – despite there being no privacy notice on the Data Protection World Forum registration page, confirmation email, or event information! I look forward to seeing how this plays out and whether any of the attendees or exhibitors is daft enough to buy and use it.
Trouble at t’ mill
I usually like reading information notices and other documents from the ICO as they provide a really good insight into how they approach certain issues – particularly the greyer areas of the law. However, we received a letter this week from the ICO relating to a school I’ve been advising about a complaint they received from the ICO a few weeks ago regarding data retention. The ICO wrote that, “the School states that the information is retained for the purposes of School development, alumni relations management, which includes: marketing and promotion of the School; holding alumni events and fundraising events. It is our view that these are not legitimate interests.” Wow! Now personally I think that is on the harsh side.
Unsurprisingly, the ICO was critical of the wealth screening processes the school operates to identify alumni who may be a good target to approach for bursaries, and I did advise the school to expect a bumpy ride regarding wealth screening. The ICO wrote, “Processing personal data for wealth screening isn’t necessary and therefore wealth screening cannot be included as part of your legitimate interests. It appears the School has not considered the privacy intrusion in wealth screening as an individual may not want their personal data analysed and profiled.” The last sentence is not true of course, as the school has undertaken a legitimate test and found the wealth screening activities to be both fair and lawful. Anyhow, I have a meeting at the school next week to plan implementing changes that incorporate the ICO’s opinions.
What big eyes you have … what big teeth you have!
Earlier this month the data protection authority of Bavaria (BayLDA) issued a press release stating that it would be intensifying its GDPR compliance monitoring. We have a few clients with German operations although none are within the jurisdiction of Bavaria, so the Outsourced DPO sat up and took notice.
The BayLDA is the supervisory authority for monitoring compliance with data protection regulations in non-public sectors in Bavaria. Being a pretty proactive regulator, it carries out regular checks through targeted tests – such as personal on-the-spot checks of individual businesses, automated online audits of thousands of companies and large-scale multi-page questionnaires – to establish the extent to which companies, associations and freelancers comply with their legal obligations.
The press release states that the BayLDA will focus on cybersecurity vulnerabilities of online shops and doctors’ practices following an increase in incidents in both of these sectors. It also intends to focus on application of the accountability principle, bemoaning the fact that, in practice, it is not easy for it to recognise whether companies actually implement relevant data protection controls without undertaking spot-checks. Finally, the press release sets out that in the coming weeks it will examine the use of processors and sub-processors, as well as data retention and deletion in SAP systems.
I’ve always been interested in this proactive approach as the UK’s ICO has never really gone on the offensive and tends to respond to complaints and breaches which, to be honest, has led to an overly relaxed attitude to data protection compliance in the UK in my opinion.
A gazillion data breaches
For a bit of fun (that’s the way the Outsourced DPO gets its kicks) I googled “data breach this week”, which returned over 61 million results!
Today (Friday) is my office day. I’ve got a call to run through a DPIA I’m doing for a large FMCG client, a meeting to review the progress of a compliance project with an international transportation provider and a bunch of internal meetings. The day kicked off with a fire drill at Data Protection Towers, which set me off on my normal rant: “you quite rightly regularly test that your health and safety systems are working – when did you last test the security of your data systems?”
27th November 2018
A blog written by Phil Brining, director of Data Protection People and Data Protection Officer for several organisations.