Is the ICO using its full powers? Waymark Tech Blog 03.10.19

GDPR was supposed to usher in a brave new world of bumper fines and data responsibility, but is the ICO making the best use of its powers?

The build-up to the launch of GDPR was a bit like the wait for the millennium bug. Headlines warned of massive penalties of up to 4% of annual turnover. The industry braced for impact and then… nothing. The big fines failed to appear in 2018, leaving many to wonder if this, like the millennium bug, would be a lot of fuss over nothing.

More recently, though, things have begun to pick up. We’ve seen big fines for British Airways and Marriott. Facebook faces potentially billions of dollars’ worth of fines across multiple investigations. Regulators have shown that although they see fines as a last resort, they are willing to go big when required.

Even so, we have not yet seen fines hitting the promised 4% limit, but this in itself should not surprise us too much. The ICO never issued the highest possible fines under the old Data Protection Act. The severity of the breach and the degree to which the company is deemed to have been responsible have always influenced the scale of the fines imposed.

Financial services worst hit

One area in which the doom mongers might have been right was in guessing that financial services would be heavily hit. Data on enforcement actions seems to back this up, as the financial sector received more GDPR penalties than any other. Overall, the data suggests there have been 68 enforcement actions across the EU, with 11 of those going to the financial services sector. The professional sector came second with seven fines, followed by the public sector and healthcare.

Most fines issued (41) were due to breaches in the processing of personal data while 23 were issued for the lawfulness with which the data was processed. Three fines were issued for the way a breach was communicated to the regulators and one for the way in which the breach was communicated to the individuals.

Too early to tell

GDPR is beginning to have an impact but in many ways it may be too early to tell. The ICO only applied GDPR to breaches that occurred after the imposition of the new regulations. As such, most of the enforcement actions taken during 2018 were held under the older regulations. It is only in 2019 that we have really seen GDPR taking shape.

Across the continent regulators are also working to adapt their approach and some have been clearer than others.

A good guide comes from Dutch regulators who issued this guidance on how they will approach fines. It has three main categories:

  1. Simple or clerical violations, which carry fines of €100,000.
  2. Failure by a company to fulfil specific GDPR requirements regarding data processing, fined at €310,000.
  3. The most serious instances, when a company refuses to be transparent and fails to notify users or the regulators. These attract fines of €525,000.
  4. The unlawful processing of special categories of data, fined at €725,000.

These are early days indeed, but regulators are showing a degree of understanding. They are less concerned with penalising basic errors than with cracking down on those companies which have seriously broken the law, or shown a lack of transparency when problems do occur. This is why a company such as Facebook, which has repeatedly faced questions over the way it handles data, tends to come under the greatest scrutiny.

Waymark Blog 17.09.19

Regulators Demand Answers from Cryptocurrencies Over Data Use

Despite a few bumps along the way, cryptocurrencies and the blockchain have been taking the world by storm. However, they store up all sorts of worries about data privacy.

In August, the ICO joined global regulators from the US, Canada, EU and Australia in expressing concerns about Facebook’s cryptocurrency, Libra. You can find an excellent detailed analysis on the Global Regulatory platform from data privacy lawyer Shiv Daddar.

In essence, though, regulators are concerned about two things: a lack of clarity so far about how the data will be processed and the involvement of Facebook itself whose own record with data is less than squeaky clean.

“To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information-handling practices that will be in place to secure and protect personal information,” says the statement.

The regulators issued a list of questions which they would like answered, such as how customers will be profiled and shared among the 28 founding members of Libra.

Ultimately, though, this statement is about trust or the lack of it. Regulators are concerned about the role of firms who may play fast and loose with personal data and the nature of the technology itself.

Cryptocurrencies and the blockchain are still presenting a bit of a puzzle for regulators. On the one hand they recognise the technology’s potential and want to give innovation space to breathe, but on the other the technology itself gives real cause for concern.

For example, data stored on the blockchain is immutable. In theory, this makes it more secure, but it’s also difficult to satisfy regulatory demands to allow customers to have their data changed or deleted.

However, as this letter demonstrates, it’s also the identity of the data controller which will attract scrutiny. Facebook’s track record as a reliable data processor is patchy to say the least.

It was fined $5bn by regulators for its role in the Cambridge Analytica scandal and could face billions more. The EU is currently handling a total of 11 separate investigations which, taken together, could inflict fines on the scale that might make even a giant such as Facebook wince.

Understandably, then, the mere fact of Facebook’s involvement is a red flag for regulators. It’s a bit like a football player who has a reputation for diving. Once referees have that in their minds, they will be less likely to give a foul.

This is an issue of trust. Technology needs to comply with regulatory obligations and be shown to comply. This is particularly tricky because regulations can change which means compliance must be an ongoing process.

Any organisation handling the data needs to be whiter than white, not only to please the regulators but to reassure a public which is becoming increasingly concerned about how its data is being used. Once an organisation gets a track record for bad behaviour, it’s very difficult to turn things around.

EU Commission Sets Out Its Stall on Equivalence

As Britain heads for Brexit, the EU has been setting out its rules regarding what it will consider as equivalence. So, what can we expect?

As I write this the Government has announced plans to suspend parliament and we seem to be hurtling towards a no-deal Brexit with all the enthusiasm of Thelma and Louise heading towards a canyon. Of course, by the time I get to the end everything might have changed completely, but for now, no deal is looking more likely by the minute.

With that in mind, it’s worth looking closely at the European Commission’s latest communication on its rules surrounding financial equivalence for non-EU countries. There’s a much more detailed review available on our Global Regulatory platform, but for now here are the highlights.

Equivalence allows the Commission to recognise that the regulatory regime inside a third-party country is more or less equivalent to the corresponding framework within the EU.

When making a decision, the Commission will carry out an in-depth assessment based on dialogue with authorities in the third country, involving the European Supervisory Authorities where appropriate.

All decisions taken by the EU will be unilateral and will balance the benefits against the need to preserve the integrity of the EU’s financial markets. A third country can apply for equivalence, at which point the Commission will consider the request.

After a country has been granted equivalence, the EU will continue to monitor conditions within the country to determine whether it still meets the criteria. As part of this communication it revealed that it has, for the first time, repealed existing equivalence decisions in the field of credit rating agencies for Argentina, Australia, Brazil, Canada and Singapore.

Under the withdrawal agreement the UK had initially sought access on the basis of mutual recognition, which it assumed would secure access, but the EU insisted that cross-border trade would only be feasible under the equivalence regime.

The problem is that equivalence will take time to set up and is patchy. There are areas which will not be covered, such as wholesale banking. Banks may have to move at least some of their operations abroad to continue benefiting from access to the European market, and some have done exactly that.

The EU’s decisions are not always as heavily based on facts and figures as it would like to make out. Last year the EU allowed equivalence arrangements with Switzerland to expire over failed negotiations on a trade agreement.

What is meant to be a purely regulatory decision, then, can get political. The EU has already shown its willingness to use equivalence as a tool in disputes with third-party countries, something which may come to the fore again if the UK and Europe go through a particularly messy divorce.

So, while this communication will add a sense of clarity about the Commission’s approach, there are still plenty of areas of uncertainty, especially if no deal turns out to be as acrimonious as we all suspect it might be.

Senior Managers Regime and GDPR

The FCA finalised its guidance on the Senior Managers Regime in August and, with the deadline approaching in December, many firms have some serious work to do, particularly with regard to how they manage data.

The latest CEO Sentiment Survey, released by Pimfa, revealed that SM&CR topped the list of CEO concerns, with MiFID II following close behind. According to the survey, the biggest issue keeping them awake at night is the amount of time it will take to manage these regulations.

There’s a fair bit to take in. The Senior Managers Regime aims to embed responsibility into the heart of financial institutions. New rules have come in regarding the conduct of every employee in the organisation, imposing additional requirements on firms to look into their background.

Each process will require firms to identify functions which lie within the scope, document responsibilities, notify regulators of conduct breaches and assess the fitness of named senior managers to carry out their functions.

As part of this they will need to take references and perform a criminal records background check, all of which will require them to manage and monitor a considerable amount of data about their personnel.

Complying with GDPR

Compiling this data is quite an intrusive process and can create a number of issues with GDPR.

To justify the processing of the data, one of the GDPR Article 6 processing conditions must apply. These include that the processing of the data is necessary to comply with a legal obligation.

In addition, you will also have to take account of Schedule One of the Data Protection Act, which requires that the data processing is necessary for the purposes of obligations imposed on the data controller.

However you choose to store this information, you should run a data privacy impact assessment to ensure that processing is proportionate and that you have taken adequate steps to mitigate the possible impact of processing this data, in particular who it is shared with and what happens if there is a breach.

All personnel should also be notified about how their data is being processed in order to comply with the principle of transparency. You will need to explain what data you are processing, why you are using it, how long it will be stored and who it will be shared with.

It can be a considerable data management undertaking. You will need quick and easy access to the data to demonstrate that you have complied with the steps required by both SM&CR and GDPR. You may need an up-to-date record retention policy to demonstrate positive compliance to all parties involved.

The Senior Managers Regime is set to be a considerable change, one which will turn regulatory compliance into an organisation-wide issue rather than just the preserve of the compliance department. Every employee, from the top down, has a role to play in ensuring that firms manage their obligations under SM&CR without affecting their compliance with GDPR.