One of the more misunderstood aspects of GDPR has to be how companies can process personal data. This is covered in Article 6 of the regulation and, even though there are 6 different scenarios allowing for the legal processing of personal data, the only one we are asked about on a regular basis is “Consent”. There is some justification for this, given it is probably the most likely means of legal processing for most companies and the most transparent. That does not mean we should ignore or forget the rest. To give a bit of clarity and shed light on all 6 ways to legally process data, we provide the following: each of the 6 justifications, a further description and an example of when that justification might be used.
Improvements have been, and continue to be, made to how Facebook monitors inappropriate and illegal content on our timelines.
But how have these changes been implemented?
Well, Facebook have hired contractors to monitor images and content that are reported by users as inappropriate. However, employees are now suffering from psychological trauma as they witness disturbing images day in, day out.
But, what’s worse? Leaving these images for Facebook users to see or taking them away but traumatising those who are left with the job?
The job of moderating Facebook’s content used to require contractors to scan through 1000 images per day. This is more than one every 30 seconds over an eight-hour shift. This limit was removed to help with the psychological impacts of viewing so many brutal images every day. However, the requirement is now to view at least 400 to 500 images per eight-hour shift. This still equates to one image every minute of the shift.
Not only is the job leaving psychological scars on the contractors, it is leaving some ‘addicted’ to graphic content, leaving some savouring a personal collection of illegal, inappropriate and explicit images for personal pleasure. A job of constantly reading hate speech and fake news has also left others shifting to the far right wing in their opinions.
Algorithms are also being used to flag up potentially inappropriate conversations between adults and minors, and this is having a devastating impact on the contractors viewing this content. A previous contractor said of reading these conversations, “90% were sexual and were also violating and creepy”. After interviewing a variety of different moderators, it was found that a popular trend of sexual exploitation was rich, white men from Europe and the US targeting children in countries such as the Philippines for sexual images in exchange for $10 or $20.
Although Facebook is trying to find a resolution for taking down explicit images, is putting contractors at risk by exposing them to these images causing more damage? Maybe Facebook should rely more on algorithms to detect images that are inappropriate for our Facebook feed and to take explicit content down automatically once detected by the algorithms, rather than causing psychological issues for contractors. The pushback from users would be that it suppresses their freedom of speech and expression. But perhaps if they understood the harm that a manual process was causing others, they may be willing to suffer brief annoyance rather than inflict such harm.
The UK Parliament has hit a stalemate. It’s a mess and until there is a majority in Parliament, it will continue to be at deadlock. Boris Johnson no longer even fits the definition of a ‘prime minister’, that being, “The Prime Minister determines the general direction of Government’s activities by holding majority in the house”. However, after last week’s fiasco (Boris failing on two accounts to pass a general election), not only does he no longer hold a majority in the house, he also doesn’t determine the direction of the government’s activities.
Although some people disagree with the actions that have been taken by Boris thus far, is he making the right decision by ignoring the most recent ‘Humble Address’ that was put forward?
A Humble Address is a proposal to the monarch. It can be discussed and amended by the parties, but once it has been agreed upon, it is usually binding on the house. It has only been used a total of 3 times since 1886, suggesting that bulk data collection of the Conservative Party couldn’t be passed any other way than through an arcane tool such as a Humble Address.
But, why is this significant?
Well, last week, Boris Johnson decided to ignore the Humble Address that was proposed to the Conservative Party. The Humble Address (in summary) has requested the following:
All communications, formal and informal, written or electronic, to and from public members of the Conservative Party, must be sent to the government to review so that they can see what has been said about Boris Johnson’s decision to suspend Parliament.
The Humble Address also asks for…
All documents to be surrendered to the government which relate to ‘Operation Yellowhammer’ (what will happen if we leave the EU with no deal, the worst-case scenario).
Instead, Boris ignored Parliament’s request to see all internal communications and provided Parliament with a six-page document of the information on Yellowhammer that they had requested.
But, was Boris right to do that?
The answer is simple: yes.
Under the Data Protection Act 2018 (DPA’18) a data subject’s rights can be waived if it significantly inhibits an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes. Simply collecting all the data from Conservative Party members’ business and personal mobiles does not fall into this category and therefore the DPA cannot be waived. Data subjects, under the DPA’18, also have the right to restrict processing if the processing is deemed unlawful. This data processing is highly unlikely to be legally enforceable. The only reason the government can lawfully collect someone’s personal communications is when there is a risk to state security, e.g. a person who is demonstrating online radicalism who is a suspected terrorist. Also, just because these people are members of the Conservative Party, does that mean their right to privacy should be compromised? They’re still members of the public and therefore should not have to give up this right just because they work for the government. Bulk data collection of the Conservative Party is therefore not legally enforceable as most of this data, particularly about their personal lives, would not be necessary in the investigation, giving the data subjects the right to restrict this type of processing.
However, this is not the only reason this Humble Address is not legally enforceable. Just think about the type of data which is being transferred and how it is being transferred. This data will fall under ‘special category data’ which, under the DPA’18, is particularly sensitive and therefore greater measures of security must be taken when collecting, storing, processing and transferring it. You cannot just rely on the six legal bases for processing this type of extremely sensitive data. Political opinion is ‘special category data’ which will clearly be harvested within these communications.
Within the Humble Address, it states that these communications must be sent to the government, without being followed with a provision as to how this data will be securely collected, transferred or stored. Publicly announcing this is almost like giving a leaflet to hackers inviting them to hack the government. Prime bait for cyber criminals: sensitive and special category data lurking in the murky waters of the UK government’s desktops.
Boris, don’t let the government get its hands on your data.
Are your admin team receiving fraudulent emails, text messages and phone calls?
Are your admin team struggling to know which emails, text messages and phone calls are legitimate and which are fraudulent?
With the 25th of May fast approaching, it’s been almost a year since the General Data Protection Regulation (“GDPR”) came into force throughout the European Union (“EU”). In celebration, we are offering £100 off our GDPR Compliance Manual for Law Firms.
Under the European General Data Protection Regulation (“GDPR”), for some organisations it is a mandatory requirement to have a Data Protection Officer (“DPO”), whether this is in-house or outsourced. However, mandatory or not, a DPO can still be beneficial to all firms who need guidance and support to ensure compliance with GDPR.
There is no denying that Apple have revolutionised the way in which we communicate across the globe. Since the production of its first iPhone, unveiled on the 9th January 2007, its sales have created a profit of over 3.7 billion, resulting in the organisation becoming the first public company worth more than 1 trillion dollars.
Little did Apple predict the worm around the corner…
My GDPR journey
When I first began my professional GDPR journey in 2014, I was working as an in-house B2B marketer. At that time, I began researching the draft legislation and was trying to figure out how it might later impact my everyday work in the marketing department. Of course, I was also doing it so I could advise the senior management team on what the expected changing legal responsibilities would be. Furthermore, it occurred to me that a data breach and any negative attention from it could undo months and years of hard work I’d put in to build the company’s brand and reputation. It was then that I suddenly felt a greater weight of responsibility and duty of care for the personal data I was tasked with handling.
TSB have had a disaster to deal with. Lots of press coverage and all for the wrong reasons. A major IT change that resulted in days of customer chaos. Disruption that lasted for over a week.
IT infrastructures are increasingly complicated, particularly in the large banks, but I think it is irresponsible of people to say they are held together with sticking plaster. However, the complexity does mean that implementing change requires strong discipline and management.
Here are some points to consider.