A Warning Not to retain Personal Information Longer Than Necessary - Waymark Tech Blog

Eighteen months on from Europe’s General Data Protection Act coming into force, the multi-million-euro fines are starting to roll in. After major actions in the UK and France, Germany followed suit with a €14.5 million fine against the real estate company Deutsche Wohnen SE.
The fine relates to the company’s retention of personal data. The Berlin DPA considered that Deutsche Wohnen had retained personal data for longer than necessary and that this amounted to a breach for three reasons.

  • The controller had no legal ground for storing the data for longer than needed.
  • The company breached Article 25, which covers data protection by design and by default and requires safeguards to be integrated into processing in order to satisfy the rights of data subjects.
  • The company breached Article 5, which sets out the principles relating to the processing of personal data.

Deutsche Wohnen was found to have failed to establish a GDPR-compliant data retention and deletion policy for the personal data of its tenants. This was made worse by the fact that an audit had revealed problems in 2017, and a second audit in 2019 found that the company had still not implemented a GDPR-compliant process: it still could not demonstrate effective clean-up of its storage or legal grounds for holding the data longer than necessary.

What can we learn?

The DPA’s decision is not final and Deutsche Wohnen has already said it plans to appeal, but the ruling does offer a number of key lessons:

  1. Europe’s regulators are getting tough: The slow start to GDPR enforcement led many to wonder whether regulators were willing to use the full extent of their powers. We’ve now seen a number of fines in the million-euro bracket, which suggests they aren’t shying away from large-scale fines.
  2. Data retention is a problem: A common theme in these fines is the legal basis for retaining data. Firms will need to ensure they have a clear legal justification if they continue to hold data for longer than is absolutely necessary.
  3. Data retention and deletion processes are crucial: All firms must have clear systems to archive and delete data. Deutsche Wohnen could have used one of a number of commercially available systems that allow data to be separated and different archiving and deletion rules applied to each category.

This is also the first action taken under the DPA’s new guidelines for GDPR enforcement, which set out a five-step method for calculating fines:

Step 1: Companies are filtered by size.
Step 2: Average annual turnover is calculated.
Step 3: A daily rate is calculated by dividing the undertaking’s average annual turnover for the previous year by 360.
Step 4: Fine corridors are established according to the perceived severity of the offence.
Step 5: The specific GDPR infringement is classified.

Data protection authorities are each taking their own approach to enforcement and fine calculation. This adds to the complexity of managing compliance: although every authority refers to the same regulation, each may adopt its own individual stance.

This could become more complicated post-Brexit. Although the UK has adopted the GDPR framework and will continue to apply it after Brexit, future governments would be free to change it.

Employee Investigations: Managing Data

Much has been written about the importance of managing client data in the era of GDPR. However, many firms may be overlooking a vital issue when it comes to their own internal investigations.

The rules surrounding data privacy have become much more complicated in the last few years. GDPR, plus a number of other international regulations, creates fresh regulatory issues, some of which firms may not be aware of.

At the same time, data is growing in volume and complexity, and keeping a handle on it all is becoming increasingly difficult. The use of cloud storage brings issues of cross-border data transfers, third-party problems and multiple jurisdictions, all of which can be difficult to manage.

Employee consent

Data processing is an extremely wide-ranging term under GDPR and, as we’ve written elsewhere, the penalties for getting it wrong can be severe. Employee data must be treated just as carefully as client data, which means employees must have given fully informed consent for all the ways in which their data will be used. Even when consent has been obtained, it can’t always be relied upon for investigations.

At the same time, firms must keep employees informed about what data they store, how it may be shared and with whom. As in all walks of life, employees are increasingly aware of their data rights and may well enforce them during an investigation.

How should you respond?

It’s a difficult tightrope to walk, and there’s a fair chance many companies are unwittingly leaving themselves open to non-compliance.

So, what lessons can be learned?

First, investigation teams must have a clear idea of the boundaries: what data they can analyse and how it can be used. They should put in place clear policies which ensure investigators understand how they can use data, and that only data relevant to the purposes of that investigation is used.

When working across multiple jurisdictions it may be necessary to obtain legal advice. GDPR has set the template for other regulators, but each puts its own spin on the concept. For example, China’s data privacy regulations, although closely modelled on GDPR, adopt a much looser approach to the idea of consent. Understanding which data belongs in which jurisdiction, and making sure all applicable regulations are being complied with, is complicated and challenging.

Consent must be managed.

A firm must have a reasonable basis for holding any data and must inform all employees about how their data will be used and what their rights are. If an investigation is carried out, employees will need to be given notices informing them about the way in which their data will be used.

This is extremely important. Individuals have become much better informed about GDPR and how it applies to them, and may use that power as part of any investigation. Authorities are also showing themselves increasingly willing to go further in applying the details of GDPR on behalf of employees.

Companies should take time to look again at their policies, to ensure they are achieving the same level of compliance for employees as they already have for clients. You can find out more about what’s required in an excellent insight article by Dispute Resolution Lawyer David Harris on our Global Regulatory Database.

Senior Managers Regime and GDPR

The FCA finalised its guidance on the Senior Managers Regime in August and, with the deadline approaching in December, many firms have some serious work to do, particularly with regard to how they manage data.

The latest CEO Sentiment Survey, released by Pimfa, revealed that SM&CR topped the list of CEO concerns, with MiFID II following close behind. According to the survey, the biggest issue keeping them awake at night is the amount of time it will take to manage these regulations.

There’s a fair bit to take in. The Senior Managers Regime aims to embed responsibility at the heart of financial institutions. New rules govern the conduct of every employee in the organisation and impose additional requirements on firms to look into their backgrounds.

Each process will require firms to identify the functions which lie within scope, document responsibilities, notify regulators of conduct breaches and assess the fitness of named senior managers to carry out their functions.

As part of this, firms will need to take references and perform criminal records background checks, all of which will require them to manage and monitor a considerable amount of data about their personnel.

Complying with GDPR

Compiling this data is quite an intrusive process and can create a number of issues with GDPR.

To justify processing the data, one of the GDPR Article 6 processing conditions must apply; these include the condition that the processing is necessary to comply with a legal obligation.

In addition, you will also have to take account of Schedule One of the Data Protection Act, which requires that the data processing is necessary for the purposes of obligations imposed on the data controller.

However you choose to store this information, you should run a data privacy impact assessment to ensure that the processing is proportionate and that you have taken adequate steps to mitigate its possible impact, in particular who the data is shared with and what happens if there is a breach.

All personnel should also be notified about how their data is being processed in order to comply with the principle of transparency. You will need to explain what data you are processing, why you are using it, how long it will be stored and who it will be shared with.

It can be a considerable data management undertaking. You will need quick and easy access to the data to demonstrate that you have complied with the steps required by both SM&CR and GDPR, and you may need an up-to-date record retention policy to demonstrate positive compliance to all parties involved.

The Senior Managers Regime is set to be a considerable change; one which will turn regulatory compliance into an organisation wide issue, rather than just the preserve of the compliance department. Every employee, from the top down, has a role to play to ensure that firms manage their obligations under SM&CR without affecting their compliance with GDPR.

GDPR: Big Challenge, Bigger Opportunity

Are you ready for the GDPR? If not, it’s time to work fast, because the GDPR represents a big challenge as well as an enormous opportunity.

Much has been written about the arrival of the EU’s General Data Protection Regulation (GDPR), and judging from many of the articles you might be forgiven for believing Armageddon is on its way! Yes, there are challenges, but it also allows more enterprising businesses to realise all sorts of benefits.

Financial Services Regulation: What to Expect in 2018

It’s a busy, demanding and unpredictable year ahead in the world of financial services regulation.

Happy New Year!

Now, buckle up, because 2018 is likely to be a regulatory minefield. New technologies, new rules and a fresh landscape all have the potential to create enormous problems. Some companies are better set up than others.
