Outsourced DPO: Don’t shoot the messenger!

It’s been an interesting week for the Outsourced DPO: dispatched to the Jurassic Coast for a spot of auditing at two separate client sites, kicking off a new GPDR compliance project and advising on a couple of personal data breaches.

Don’t shoot the messenger!

Most of the week was spent undertaking compliance audits at two separate sites on the Jurassic Coast, not as a DPO but as lead auditor. Last week I spent a day conducting document reviews and a variety of searches and tests, partially to prepare for the on-site audit and partially to check that the policies and procedures comprising the information governance framework (IGF) allow the organisation to adequately meet the needs and obligations of the GDPR.

On-site I found that the client has done some really fabulous work in raising awareness of key data handling practices, probably forming the best work I have seen in this area for some time, but despite this, I still managed to get in and spend the day wandering around without a visitors badge, rifle a well-stocked and unlocked filing cabinet stuffed full of bank statements and personal data, and generally make a bit of a nuisance of myself in finding chinks in the compliance armour! I only report on what I see!

So, where were the weaknesses?

My alarm bells began ringing during the adequacy audit when there were no records of processing activities available for inspection and therefore I felt a little rudderless in terms of being able to use those as a basis to plan the audit. It makes the audit job significantly more difficult if the client cannot provide prior insight into the nature of the data processing arrangements. Fortunately I have a great deal of experience in their industrial sector to equip me with enough information to know where to look and what to look for but this lack of records attracted a RED rating in my compliance report representing a failure to meet the expectations of Article 30.

Another weak point which gave way after a little probing were the arrangements for data sharing, processing and ad-hoc disclosure. On paper, the policy and procedure looked adequate, but the register itself contained out of date information, non-complaint contracts (per Article 28) and processors such as cloud database hosting service providers working under woolly data sharing arrangements and NDAs. There was no evidence of any due diligence on these arrangements and as the day unfolded several suppliers of data services were uncovered that were either not on the register and/or were providing “shadow IT” – IT services that the IT department knew nothing about!

Some of these arrangements involved the processing of personal data in the USA which is not mentioned in any of the privacy information. The final area of out-and-out non-compliance was the lack of evidence of any system of audit or compliance checking (per Article 32(1)(d) and 5(2)). Most of the areas audited were rated as areas for improvement (YELLOW or AMBER) [i.e. some measures were in place but these had significant scope for improvement], but pleasingly there was also a smattering of GREEN ratings where there was clear objective evidence of compliance. Yeah!

Inevitably I observed some operational practices not conforming to organisational procedures ranging from users charging personal mobile devices from their desk-top PC contrary to the IT Security Policy, through to the screens of the HR team being visible from the street… and I have photographic evidence to prove it! Oh the joys of auditing!

Breach fine lines

Acting as a consultant rather than an Outsourced DPO, I was asked to advise on a security incident which turned out to be a personal data breach but presented a tough call on whether it was notifiable to the ICO. In summary an Office 365 account was compromised leading to the unlawful and unauthorised access to and processing of personal data within the compromised account. The information was used to send a wire transfer request to a bank and to ensure that all of the validation checks undertaken by the bank were successfully passed. As a result, £250,000 was transferred into the attacker’s account. Fortunately the target’s financial controller noticed the transfer while reconciling bank accounts and a second wire transfer a few days later was blocked.

In analysing the security incident we asked the following questions: a) was there a personal data breach as defined in Article 4 of the GDPR; b) is it unlikely that the breach will result in a risk to the rights and freedoms of natural persons? The cyber investigation team (Data Protection People’s own team) did a thorough and excellent job enabling us to objectively review reliable and well-presented facts leading to our assessment that a personal data breach did occur.

But the focus of the attack was extortion of money from a corporation (a legal person) and it seems unlikely given the sophistication and nature of the attack that the attacker will use the personal data in such a way as to cause distress, damage or harm to any natural persons such as employees of our customer or the correspondents of emails now in the attacker’s hands. But we really have no idea how the attacker might use or dispose of the data they have collected and so it is very difficult to say with any degree of certainty whether or not there is a likelihood of there being a risk to natural persons.

We always advise clients to err on the side of caution and notify due to possibility of attracting a hefty fine unless it is crystal clear that there is no likelihood of risk to natural persons. There is always a risk of distress etc. but assessing the likelihood of the risks materialising is obviously highly subjective. I’m also interested in the guidance which talks about material and non-material harm as being risks posed to individuals – but these are only a couple of dimensions to consider.

The GDPR refers to risks to the rights and freedoms which, I would suggest could be defined as being far broader than material and non-material harm. Having a facsimile of your signature stolen and mis-used may not result in any material or non-material harm, but I would say that it is certainly an infringement of an individuals’ rights and freedoms.

Still, we work with the guidance where it is favourable! Incidentally, this is the third incident I have been involved with in 6 weeks where an Office 365 account has been compromised through weak management controls. In all three cases accounts have been compromised perhaps through weak passwords and attackers have been able to set up mail forwarding rules that send emails on to their own accounts to allow them to monitor email traffic over the course of several weeks.

Next week

Next week I am re-drafting the data subject rights policy, procedures and record keeping framework for a charity client I am the Outsourced DPO of, chasing through a data sharing agreement involving medical data, and, with a bit of luck completing a white paper on the DPA 18 exemptions and data protection relating to social media marketing.

Talk to us today and see how Data Protection People can fulfil your DPO responsibilities.

30th November 2018

Philip Brining