Author: Laura Spencer

by Laura Spencer

Continuing Professional Development (“CPD”) Webinars

Anson Evaluate are back with a brand new series of premium Continuing Professional Development (“CPD”) webinars. These webinars are available and suitable for all and will focus on the following subject areas:

  1. Cyber security, including ransomware, targeted cyber fraud, cyber breach response and best defences.
  2. Data Protection, including data protection in the UK post Brexit, analysis of data protection enforcement by regulators, international data transfers, Data Protection Impact Assessments (“DPIA”) and data subject rights.
  3. Social media law, including libel and business promotion.

Heather Anson, Anson Evaluate’s managing director, will be working with Digital Law’s managing director Peter Wright to deliver these webinars to you in 3 rounds, with the first round starting on 23 November 2021.

Round 1 – Cyber Security (total of 4 webinars).

Webinar 1: Cyber Security – Ransomware:

The first recorded example of ransomware was in the late 1980s, which shows that ransomware isn’t anything new. However, over the last 3 years alone there has been a drastic rise in the number of companies who have fallen victim to ransomware attacks. Not only have such attacks become more common, they have also become a lot more sophisticated, even since the well-known WannaCry and NotPetya attacks back in 2017.

This webinar draws on real life case studies as well as expert knowledge to improve your company’s response and defence mechanisms against such attacks. The webinar will also answer the following key questions:

  1. What are the drivers behind the growth in ransomware attacks?
  2. What should boards be doing to manage the risk from ransomware attacks?
  3. Should you feed the “beast” and pay the ransom?
  4. In the case of a ransomware breach response, what do you need to do and who do you need to notify?
  5. What counter measures and proposals have been put forward by governments and legislators around the world?

Webinar 2: Cyber Security – Targeted Cyber Fraud:

According to official statistics from the National Cyber Security Centre (“NCSC”) in their 2021 Cyber Security Breaches Survey, the most common attacks by far are those commonly known as phishing attacks, followed by impersonation. Both of these attacks fit into the targeted cyber fraud category.

As well as referring to real life case studies of companies/firms like yours that have been the target of such an attack, this webinar will focus on the following:

  • The different modes of attack including email, SMS, instant messaging and social media.
  • How to spot a potentially fraudulent communication.
  • What to do if the worst happens, including law enforcement and notification.
  • The best methods of defence.

Webinar 3: Cyber Security – Cyber Breach Response:

The previous 2 webinars in this cyber security series focused on the impact cyber security attacks can have as well as the preventative measures that can be implemented to stop such an attack succeeding. This webinar will instead focus on your response should the worst case scenario occur, and will cover the following key points:

  • Case studies, including examples of some of the best and worst cyber breach responses.
  • What needs to be in your breach response plan.
  • Testing and simulation of your breach response plan.
  • When a cyber breach should be communicated and who with, for example, internal comms, customers, clients and wider PR.
  • Cyber liability and insurance.
  • Working with law enforcement.
  • Legal and regulatory risks and responsibilities.

Webinar 4: Cyber Security – Best Defence:

Having technical security measures and systems in place, as well as staff awareness and training, are some of the best defences against any cyber security attack. This webinar will look at real life case studies of companies that have managed to limit the impact of such attacks through the strategies they have implemented, whilst also covering the following key points:

  • Cyber policies, procedures and internal governance.
  • Identifying risks and pinch points.
  • The risks associated with remote working and working from home.
  • Technical security measures and systems that can be implemented to reduce risk.
  • Insurance.
  • War games.
  • Training and assessment.

Round 2 – Data Protection (total of 4 webinars).

Webinar 1: Data Protection Regulation in the UK Post Brexit:

The General Data Protection Regulation (“GDPR”) is incorporated into UK law by the UK Data Protection Act 2018 (“DPA’18”). Consequently, the principles of GDPR still apply in the UK despite the UK’s departure from the European Union (“EU”) at the very end of 2020. This means that data protection compliance hasn’t really changed since Brexit, except when it comes to data sharing and data transfers to and from the EU. This webinar will first summarise the UK GDPR and DPA’18, including their key principles, before moving on to cover the following points:

  • The EU-UK Data Adequacy Decision from the European Commissioner.
  • The role of the Information Commissioner’s Office (“ICO”) in the regulation and enforcement of data protection in the UK.
  • An introduction to Codes of Conduct.
  • The UK Department for Culture, Media and Sport consultation “Data: a new direction” and the UK National Data Strategy.

Webinar 2: International Data Transfers – EU, US and the rest of the world:

Webinar 1 focuses on data transfers to and from the EU since Brexit. This webinar goes beyond that, discussing transfers between the UK and the rest of the world as well. It will cover the following key points:

  • The implications Brexit has had on data transfers, including the EU-UK Data Adequacy decision from the European Commissioner.
  • The Schrems II decision and the implications it had for the EU-US Privacy Shield.
  • An introduction to Data Transfer Agreements, including how and when they should be used, as well as what they need to contain.
  • An overview of Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”) and Codes of Conduct.

Webinar 3: What goes into a Data Protection Impact Assessment (“DPIA”):

DPIAs are an important part of risk assessment and analysis when it comes to launching a new business venture or simply carrying out a new processing activity. This webinar will not only discuss what a DPIA is and when it should be carried out; it will go into detail about the different topic areas that should be included in a DPIA.

The key points this webinar will cover are as follows:

  • When a DPIA should be carried out.
  • What a DPIA should include.
  • The purposes of and reasons for carrying out a DPIA, including discovery and assessment, and identifying and reducing risks.
  • Ownership and responsibility of the DPIA carried out as well as what to do with its recommendations.
  • Recommendations when it comes to the ongoing regular review and updating of your risk management system.

Webinar 4: Data Subject Rights:

Under the GDPR and DPA’18 all data subjects have a range of rights relating to the processing of their personal data. This webinar will look at each of these rights in turn before moving on to discuss how each of these rights should be responded to, including the following key points:

  • An overview of the 5 main rights a data subject has.
  • How to answer a Subject Access Request as well as the fair and reasonable use of exemptions.
  • How to ensure the right of rectification is performed correctly.
  • How to demonstrate the “right to be forgotten” in practice.
  • How and when to apply the right to data portability.
  • How to respond to a request for the restriction of processing.
  • Other rights regarding automated decision making including profiling.

Round 3 – Social Media Law (total of 2 webinars).

Webinar 1: Social Media Law – Libel:

Where exactly do users stand with comments they make on social media? Cases over the last decade in the UK suggest that you are not free to say absolutely anything you like. While some users fall foul of the Terms of Service operated by social media companies and find their accounts blocked, some litigants with deep pockets have taken those who made comments they felt were libellous to court, and in many instances have won. Consequently, it is important to think carefully before posting a tweet or making a comment on Facebook, but evidence suggests that this message is still not filtering through to the majority of users. This webinar will explore the law as it stands with reference to leading cases and key legislation, as well as posts that have featured in cases before the employment tribunal.

  • Examples of libel cases, including Arlene Foster and Christian Jessen.
  • How did we get here? – the landmark case of The Lord McAlpine of West Green v Sally Bercow.
  • Posts and the police – Offences under The Communications Act.
  • Examples of social media posts ending up in the employment tribunal.

Webinar 2: Social Media Law – Business Promotion:

Marketing through social media remains the cheapest and easiest way to target potential customers in volume and has become a valuable promotional tool for many businesses. However, the legalities surrounding its use are significantly more complex than those of more traditional forms of marketing, which used to involve advertising agencies, newspapers and TV. Cutting out the advertising agent as middle man means that a business may run an advert or sponsored post that falls foul of anything from advertising standards regulation to basic copyright law. This webinar will explore examples of businesses that got it wrong, in some cases destroying their reputations through social media posts that went wrong, as well as some of the problems that can arise when high profile celebrities recommend a product or service.

  • Social media business pages, content and ownership.
  • Preserving digital copyright.
  • Handling online customer reviews and ratings.
  • Disputes with social media platforms.
  • Celebrity product use and endorsements.


Diary of a Fraud Victim: Lessons for Apple Pay Users

You may have seen the recent press coverage surrounding people who have fallen victim to fraud; Ofcom’s recently published research – almost 45 million cases – during summer 2021 alone!

You never think that it will be you. As someone who would like to think that they are well versed when it comes to spotting a phishing link, I was surprised to find pending transactions on my account with purchases that I had not made.

Ultimately there is the inevitable wave of panic. Trying to rationalise what has happened – going back through my previous purchases just to check that there had not been a mistake. Then going through my phone and checking websites that I have used, emails I have received, as well as text messages.

It was here that I realised my mistake. I had received a text message from my mobile service provider, asking me to update my payment details. Typically, this type of message about changing payment information would raise red flags. However, this text came through under my previous legitimate SMS chain, seemingly from the same number as my provider. Therefore, I clicked the link in the message, proceeding to resubmit my personal details. At the time, although cautious, the link seemed to work legitimately. Despite this, I set a reminder to call my provider on Monday morning in order to double check that the details had been received correctly.

Unfortunately, I had fallen for a scam…

If it were you, and you saw a message from your service provider asking for an update of information – from an SMS chain which had been used before – what would you do? Would you hesitate or stop to think whether the message was indeed genuinely from the provider?

When I received the ‘pending transaction’ alert from my banking app, I tried to report the pending transactions; however, it was still unclear as to the next steps. I received a call from a ‘no caller ID’ number, which, naively, I answered. It sounded legitimate, they seemed to be telling me all of the things that I wanted to hear, but nonetheless I still couldn’t shake the feeling that I was being scammed for a second time. I eventually put the phone down mid conversation in order to ring my bank directly, after researching online my bank’s guidelines for such situations.

The advice from the NCSC in such a situation is to: ‘Go back to something you can trust. Visit the official website, log in to your account, or phone their advertised phone number. Don’t use the links or contact details in the message you have been sent or given over the phone.’ (https://www.ncsc.gov.uk/guidance/suspicious-email-actions). This advice, published on the NCSC website, offers guidance to those affected by scam artists as well as acting as prevention.

Thankfully, when I called the number my bank advised for dealing with fraud, they had already flagged my account for some unknown purchases and were therefore aware of the situation prior to my call. While the unexplained ‘no caller ID’ call is believed to have been from my bank, even they were unclear whether this had been the case, due to the nature of the call and the messages that I had received seemingly from them.

The legitimate call with the bank helped me to arrange voice ID on my banking transaction to ensure that this did not happen again. They equally transferred me to an additional line, to speak to the right department in order to. I would encourage everyone to take the time to set up voice recognition with their bank in order to aid the prevention of situations like this from happening.

After which, I was transferred to my bank’s fraud department who took me through some basic questions such as:

  • When was YOUR last transaction and for how much?
  • Has anyone had access to your card or bank details? This could be a family member or a carer.
  • Are you still in possession of your card?
  • Do you use Apple Pay?
  • Which devices do you use Apple Pay on?

While there were many other questions asked in order to gauge the situation, these were a few of the most memorable. What struck me as interesting was the fact that questions were asked about Apple Pay, a platform which, while popular, is typically very secure: ‘Apple Pay is a very secure way to make payments. This is because your card numbers are not stored on your device, and are never shared by Apple Pay, or sent with your payment. Instead, Apple Pay gives you a unique Device Account Number, that’s encrypted and stored in a secure part of your iPhone, iPad or Apple Watch. So, when you use Apple Pay, your Device Account Number and a specially created security code are used to process your payment.’ (https://www.barclaycard.co.uk/personal/help/contactless-payments/secure-applePay). As it turns out, there had been a separate account set up using my personal details, with the code mentioned above.

While on the phone the bank informed me that over the weekend there had been tens of thousands of reports of phishing messages purporting to come from mobile phone providers – this specific attack was on Apple iPhone users. This is because when the fraudulent messages were sent, they were automatically filtered into what seemed to be legitimate message threads from providers. Hence, many, including myself, believed that the link circulated was genuine.

Thankfully I had caught the transactions early, and my bank will be able to refund me the money that had been taken while also closing down the Apple Pay account that had been created using my details. Additionally, I will be sent a new card with new banking details, and have been instructed to carefully watch my account over the next few days, reporting any changes to my account. Alongside this I was sent some useful advice for the future.

This was resolved mainly because I had pending transaction notifications set up on my account, so that I receive a notification whenever my transactions are being processed. This means that whenever money is ____ my account I am ‘pinged’ with a notification and made aware of any payments from my account. I would strongly recommend that anyone who does not check their bank frequently ensures that such notifications have been set up – otherwise, for me, there may have been a very different outcome to this experience.

Lessons to be learned:

  1. People should be aware that phishing is becoming more and more evolved, exacerbated by the pandemic. While this seems like the obvious warning, estimates from the Telephone-operated Crime Survey for England and Wales (‘TCSEW’) showed that there were 4.6 million fraud offences in the year ending March 2021, a 24% increase compared with the year ending March 2019 (https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2021). This demonstrates that, despite the advice given out, people are still being ‘scammed’.
  2. Apple users need to be more cautious when receiving unexpected messages, since messages can be auto-filed into seemingly legitimate contact threads already on your phone. In my experience this came in the form of my mobile service provider. To help prevent this, Apple have produced an update where you can filter and block unknown messages (to find out more see https://support.apple.com/en-gb/guide/iphone/iph203ab0be4/ios), which may help people avoid possible phishing messages.


Routed in the Past

Passwords should be changed or adjusted every 2 or 3 months in order to keep your password-protected account or device secure. So why do we not change the Wi-Fi password for our router? Most of us will still be using the awkwardly long password written on the back of our router or on a card, and not think twice about changing it. In reality we should probably be changing this password as soon as we can, and then regularly modifying it to keep a secure network.

The complacency with which we approach our router security is quite frankly appalling – it is so easy for an individual with malicious intentions to hack into a router, particularly on home networks, which are not designed for intensive business use. Throughout the pandemic, working from home has been a necessity for millions of people working in businesses of all shapes and sizes. However, the reality of the scenario is that our Wi-Fi routers are vulnerable and we need to adapt them in order to make them less susceptible to hacking as well as other security risks.

With lockdowns and COVID restrictions slowly coming to an end, it’s foreseeable that more and more visitors will be coming into your home. And what is the first thing that most ask?

“What is the Wi-Fi password?”

So what?

Giving the Wi-Fi password to a visitor to your house seems so innocent, and somewhat a rite of passage in this day and age. Even my grandad in his 70s asked for the Wi-Fi password when in my garden this weekend! However, if working from home, individuals should perhaps consider partitioning their home Wi-Fi: one network for work devices such as your computer and work phone, one for normal usage by your personal devices, smart speakers, TVs and any other internet-enabled technology, and a separate partitioned network for guests. On the same front, you could also consider using a guest Wi-Fi and keeping a separate Wi-Fi for those who live with you.

The importance of router security, and the problem of outdated routers, was highlighted by a recent report by Which? The report details problems found by its lab during extensive tests.

The main concerns highlighted by the report include:

  • Weak default passwords that cyber-criminals could hack were found on most of the routers.
  • A lack of firmware updates, which are important for security and performance.
  • A network vulnerability with EE’s Brightbox 2, which could give a hacker full control of the device.

The UK Government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices. This would come under the UK’s Internet of Things (‘IoT’) ‘Security by Design’ law. The law is aimed at enhancing the security of consumer devices, and follows the government’s introduction of a security code of practice for IoT device manufacturers back in 2018 – with the forthcoming legislation intending to build on that with a set of legally binding requirements. This would encourage individuals to keep their devices and networks more secure; highlighting the issue in reports such as this, and solidifying it in legislation, will aid the public’s understanding of the importance of keeping a secure home network.

The ‘Security by Design’ law is also planning to make manufacturers:

  • Tell customers for how long their device will receive security-software updates.
  • Provide a public point of contact to make it simpler for anyone to report a vulnerability.

This will give individuals greater access to information and help regarding their device security.


Pandemic Business Boom: Website Blunders

Living in the 21st Century it is increasingly easy for individuals to start their own businesses; during the pandemic around 407,510 new businesses were formed (according to Sky News, https://news.sky.com/story/covid-19-record-number-of-new-businesses-predicted-as-uk-comes-out-of-coronavirus-lockdown-12236841). However, when it comes to marketing and advertising for your brand there are a few key points which need to be considered.

The first is what sort of platform you are going to use to build your website.

It is common and only natural to see an advertisement for a company on TV, or an advert online with fancy production values and offices around the world. Often the knee-jerk reaction is ‘this must be a good company, look at how well advertised they are’, and therefore you make the decision to build your website using their platform and tools. This is not always the right choice. The most important aspect when looking to build an online presence is the legal and regulatory compliance of the platform. Read through their privacy policy in detail; read through their terms and conditions, and then decide whether you think that they are in fact compliant. You would be surprised at what the platforms that spend money on advertising on TV and online hide in regards to their compliance, or potential lack of it. Recently we have been working for a client who has been using one of the highly advertised sites as his website platform, and going through his website compliance documents raised too many red flags to ignore – hence the inspiration for this post!

In this case there were a few major red flags.

  • Their storage limitation (data retention).
  • Their data minimisation.
  • Their server base location.

Starting with the storage limitation of our client’s website provider: the Information Commissioner’s Office (‘ICO’) directs companies and organisations as follows:

  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

The UK General Data Protection Regulation (‘GDPR’) does not dictate how long you should keep personal data for. It is up to the company or organisation to justify their retention of such data, based on their purposes for processing it. Personal data at many companies and organisations is kept for a maximum of 6 years – this is because the UK statutory limitation period – the period of time for which a contract could be subject to a legal dispute resulting in a court claim – is 6 years. After 6 years a transaction or contract cannot be the subject of a court case, and by default many corporations destroy all such records after 6 years.

Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.

But why is storage limitation so important?

Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention (e.g. the 6 year statutory limitation period as outlined above). From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security, either in hard copy or online. Remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need. Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.

Data minimisation is also covered under the UK GDPR. The ICO directs companies and organisations, when processing data, to ensure that the data is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

The idea of minimisation is that companies and organisations should only collect the data that they need and that is necessary. The website provider our client was using was ‘hoovering’ up information from its users which it did not necessarily need. Minimisation is important because organisations should not be collecting more data than they need for the specific task the personal data is collected for.

Finally, the server location of our client’s website provider is vague. It is important for companies and organisations to know where their data is being stored, whether the data is encrypted and, if so, to what standard (e.g. SSL 128-bit, TLS 256-bit). If your data is hosted with a cloud provider whose physical servers are not within the EU, then you can’t use that service unless the appropriate GDPR-compliant international transfer conditions are met (adequacy, a data transfer agreement containing standard contractual clauses, or binding corporate rules). These conditions are complex, hence it is helpful to know where the personal data for which your organisation is responsible is actually being stored. Any provider who either cannot confirm this simple information, or obfuscates when the question is asked, should be avoided – even if they do have lots of shiny offices and a slick TV advertising campaign.


Experian Discredited: ICO Investigation

Picture this – you are looking to buy your first house – you get your credit score checked by Experian – you have heard of them, maybe seen some advertising on TV, and so you go ahead. Little would you think about what Experian may be doing with your data without your knowledge or consent, because there are regulations that they must follow – surely?

Experian and other credit reference agencies collect and process vast amounts of personal data in order to carry out credit checks as well as parts of their other services: ‘We gather, analyse, combine and process it to help people and organisations achieve their goals’. Yet does this mean that you as a consumer intend for your personal information to be traded, enriched and enhanced without your knowledge or consent for marketing purposes?

The answer, more often than not, is no.

You most likely do not want the company sharing your information with third parties purely for their own marketing gain, even more so without your consent to boot.

This processing of your personal data by Experian resulted in products which were used by commercial organisations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people. The UK data protection regulator, the Information Commissioner’s Office (“ICO”), found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. ‘Invisible’ because the individual data subject is not aware that the organisation is collecting and using their personal data. This is against data protection law.

The Data Protection Act (DPA) and General Data Protection Regulation (GDPR) initiated a new approach to personal data and the transfer of such data. They set out 7 main principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

These aimed to guide and regulate organisations to allow for individuals to have greater access to their data and to be able to understand what companies could and could not do with it.

Experian failed to be transparent, as required under Article 5 GDPR; this is because they were using ‘invisible’ processing of personal data and therefore were not being clear to data subjects as to what their personal data was really being used for. The regulator found that personal data provided to Experian, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.

The ICO ordered Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover. The enforcement notice followed a two-year investigation by the ICO into how Experian used personal data within their data brokering businesses for direct marketing purposes. The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.

At the same time that the ICO were investigating Experian, other credit reference agencies (CRAs) were being investigated for similar reasons; alongside transparency failings, some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive. The report does not reveal whether Experian were also using profiling within their processing. This highlights the potential need for further regulation of these providers to ensure that there is compliance at all times with both the UK GDPR and the UK Data Protection Act (DPA). Similarly, investigations such as this open consumers’ eyes to what goes on ‘behind closed doors’ at companies in regards to their data and how it is used. Outgoing UK Information Commissioner Elizabeth Denham has remarked: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

It is safe to say that reports and investigations revealing that personal data is being used for purposes people did not consent to will have had an impact on the company itself, with its reputation severely tarnished.


Marketing Consent Crisis

We have all been there, scrolling through the endless marketing spam in our inbox, most of the time not even taking any notice of what we are deleting. Throughout the pandemic organisations have also turned to SMS in order to market their business, in some cases buying and selling personal data illegally in order to find new customer bases.

Under the General Data Protection Regulation (‘GDPR’), Article 6 specifies that there has to be a lawful basis for processing personal data; the article also sets out the six bases that make processing lawful. These are:

  1. Consent: the individual has given clear specific informed consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Where organisations are using personal data to send unsolicited marketing emails and messages, they may be doing this without consent and therefore breaking the law. Not to mention that these messages are often annoying and frustrating!

Why is a Legal Basis Necessary?

The first principle of the GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to have personal data erased where it has been processed unlawfully. The individual’s right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

However, the UK data protection regulator, the Information Commissioner’s Office (‘ICO’), has throughout the pandemic had to take enforcement action against more and more cases of non-compliance by organisations. For example, on 5 March 2021 the ICO reported that two separate companies that sent nuisance text messages during the Covid-19 pandemic had been fined a total of £330,000. Messages from one of the companies prompted a record 10,000 complaints.

The companies in question were Leads Works Ltd and Valca Vehicles Ltd. The ICO fined West Sussex-based Leads Works Ltd £250,000 for sending more than 2.6 million nuisance text messages to customers without their valid consent. These messages, sent between 16 May and 26 June 2020, resulted in over 10,000 complaints. The company has also been issued with an enforcement notice by the ICO, ordering it to stop sending unlawful direct marketing messages.

Examples of the text messages include:

“In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” The ICO’s investigation found Avon did not send or instigate the text messages.

Following complaints from the public to the ICO, Valca Vehicles Ltd was found to have sent more than 95,000 text messages from June to July 2020 without the recipients’ permission. The messages referenced the pandemic and were designed to appeal to individuals whose finances had been adversely affected. This, in the Commissioner’s view, was a clear attempt to capitalise on, and profiteer from, the health crisis.

An example of the text messages:

“*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org”. The company, which is currently operating as ‘Debtquity’ to generate leads for debt management products, has also been issued with an enforcement notice by the ICO, ordering them to stop sending the messages.

A Post Pandemic World…

The future, although uncertain, will involve businesses trying to recuperate what was lost to the pandemic, rebuilding and reimagining their marketing. However, it is important to note that, despite the fact we have been living in unprecedented times, the UK GDPR as implemented through the UK Data Protection Act (‘DPA’) still has to be followed in order for businesses to operate legally.

So is buying contacts and sending marketing emails and SMS texts impossible under the GDPR?

NO. This can still be done, but it has to be done in a manner consistent with the GDPR. An organisation can purchase personal data such as email addresses or phone numbers and use them for marketing PROVIDED it can demonstrate compliance with one of the six bases named above. Poor-value data vendors are continuing with the same poor practices that were already illegal under the pre-GDPR data protection laws, let alone now. Good vendors provide due diligence documents demonstrating the lawful basis, and give the purchaser evidence to demonstrate compliance, such as records of consent showing how and when it was given and for what purpose. Any reputable vendor would easily be able to provide this information on request, so the onus falls on the organisation buying the data and doing the marketing. Don’t forget your GDPR due diligence.

*Spam texts and emails, as well as nuisance calls can be reported through the ICO’s website at ico.org.uk/concerns. Mobile phone users can also report spam texts to the GSMA Spam Reporting Service by forwarding the message to 7726.


Docassemble Showcase Recording

On the 25th February Anson Evaluate with the aid of Tonic Workflows and Sheffield Legal Hackers hosted a showcase – celebrating ‘Access to Justice’ projects which had been worked on by those involved in the ‘Free Course: Build an A2J tool using Docassemble’.

Projects from the A2J Docassemble course included groups exploring revenge pornography, domestic abuse and asylum seekers. Each project began with a research stage, in order to understand exactly what the unmet legal need was; building on this research, groups then designed and planned apps or software that could be used as a basis to meet the legal need. From there, groups used the Docassemble platform to build their project in code. Finally, each group presented their A2J topic and demoed their Docassemble software in front of the other A2J groups as well as a virtual panel. The recording of the showcase held in February is linked below.


Schrems II: Privacy Shield Down – The future of international data transfers with the US

Dr. Heather Anson chaired a discussion on Wednesday 12 August at 1pm BST regarding the recent European court decision that struck down the EU-US Privacy Shield, the main data sharing agreement allowing the storage of EU citizens’ personal data in the US, where the majority of the world’s cloud storage infrastructure is held.

Heather Anson was joined by Peter Wright, managing director of Digital Law, Jennifer Baker, Brussels-based technology journalist, and Anna Drozd, specialist on EU privacy and data protection law based in the Brussels office of the Law Society of England and Wales, and the discussion covered topics such as:

  • The implications of this decision on data sharing between Europe and the US,
  • The use of Standard Contractual Clauses in contracts to facilitate international data transfers,
  • The use of Binding Corporate Rules,
  • The implications for businesses based in the UK, Europe and elsewhere who wish to trade in the European digital single market,
  • The likely implications of Brexit on international data transfers to and from the UK,

and more.

Don’t worry if you missed it: the webinar was recorded and is now available on demand by clicking on the link below.


Episode 4 – Mental Health (Lockdown – LET webinar series)

Hi everyone. Here is episode 4 of our ongoing webinar series “Lockdown – The Light at the End of the Tunnel”.

This week’s episode is focused on mental health, covering topics such as the VUCA environment, the impact Covid-19 has had on people’s mental health, stress and anxiety, how individuals can support their own mental health, what leaders can do to support their employees, the resources available for those who require support, and much more!

This webinar features Paula Louise Dixon, Business Psychology Associate at Sereniti Ltd, and of course Dr. Heather Anson, the managing director of Anson Evaluate.

If you want to keep up to date with any of our upcoming webinars, please email us on Events@AnsonEvaluate.com and we will add you to our subscription list.

We hope you find it useful!
