GDPR

by Laura Spencer

USING WHATSAPP FOR BUSINESS PURPOSES? YOU REALLY SHOULDN’T BE…

The Information Commissioner’s Office (‘ICO’) has called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. This comes after the announcement, earlier this year, of an enquiry into the messaging systems used by government throughout the pandemic. The ICO report details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (‘DHSC’) during the pandemic.

The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies – such as WhatsApp – had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled.

Action Taken:

  • The ICO has now issued DHSC with a practice recommendation ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.
  • A reprimand has also been issued.
  • To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met.

This is a particularly important story when we think about WhatsApp. If you are a regular on our podcast or a regular newsletter reader, you will know that at Digital Law we regularly mention WhatsApp and the dangers of using this platform for business-related purposes. This year alone, we have discussed multiple stories, including one from the MOD, which instructed service personnel to use alternative messaging apps such as Signal because of concerns over WhatsApp’s security. While the app is ‘encrypted’, its messages are stored in the cloud, which makes them more accessible to hackers. Alternative messaging apps such as Signal are more secure because no messages are stored in the cloud; rather, they are stored on the device itself, so effectively the only way to get at the messages would be to take the device itself.

Finally, for the avoidance of all doubt, this is not a new policy. You should not be using WhatsApp for business purposes, especially in highly regulated sectors such as law, finance and government. This case, relating to the government, really highlights why using unsecure platforms can be a real problem for a regulated sector. It also highlights the stance that the ICO is likely to take if you, as an organisation, have a breach and you are using WhatsApp or other similar messaging platforms such as Telegram.

For more information as well as advice and guidance, please do not hesitate to contact us at admin@ansonevaluate.com.


GDPR v PECR: The ICO Multi-Million Pound Enforcement

Since May 2021, the Information Commissioner’s Office (‘ICO’) has issued 37 fines totalling £3.04 million to companies for nuisance calls and messages.

These fines fall under the Privacy and Electronic Communications Regulations (‘PECR’) and not the General Data Protection Regulation (‘GDPR’). This is an important distinction when we are thinking about ICO fines, because the ICO typically focuses on PECR fines over GDPR fines. Looking at the number of fines and the total amount, the figures suggest that it is mainly mid-tier SME businesses that have been subject to these fines.

The UK government, in the new Data Reform Bill proposal, has proposed an increase in fines for organisations that breach PECR, with the aim of preventing companies from contacting people for marketing purposes without consent. It proposes that the ICO’s power to fine companies will increase from the current maximum of £500,000 to up to four per cent of global turnover or £17.5 million, whichever is greater.

Why is this important?

If you are a business that regularly calls customers and potential customers, you may want to reconsider your marketing strategy and how it may be affected by the change. This is also evidence of the increased powers that the ICO will have under the proposed new legislation.

As it stands, the ICO can only penalise organisations for calls that are answered; however, the legislation outlined in the Data Reform Bill will allow it to take action over high volumes of unanswered calls. A key thing to mention here is that these calls still need to be reported before the ICO can take action, and therefore, while the fine increase is a step in the right direction, arguably it does not do enough to protect consumers.


CONTENTIOUS COOKIES: IS THE UK BREAKING AWAY FROM THE MOLD?

General Data Protection Regulation (‘GDPR’) and Privacy and Electronic Communications Regulations 2003 (‘PECR’)

The UK had to follow rigid guidelines in relation to data protection and electronic communications regulation as a result of being an EU member. However, now that the UK has left the EU, the government is trying to move away from EU standards and ‘cut the red tape’ for organisations and businesses, changing the laws and regulations around data in order for businesses to prosper.

Current Regulation:

Under the current legislation, cookies are not allowed to be placed on a device without the consent of the user. There are currently only two limited exceptions from gaining consent. These are:

  1. for purposes that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking); or
  2. where needed to transmit a communication over a communications network.

Consent is usually sought through a pop-up notice or banner which appears when a person visits a website. However, as you are no doubt aware, most of the time when a cookie consent banner pops up, you click the accept button without taking the time to read the terms. In trying to change these regulations, the UK aims to move away from this ‘tick box’ attitude so that users are more aware, in practice, of how their personal data is being used.

Proposed Changes:

The government intends to remove the need for websites to display cookie banners to UK users. This would see the government allowing cookies to be installed on a user’s device without explicit consent (for non-intrusive purposes). Moving forward, the government would operate an opt-out model of consent for cookies. This would mean cookies could be set without seeking a user’s consent; however, the website must give the user clear information on how to opt out. Objectively, this would achieve a more hands-on approach, breaking away from the ‘tick box’ consent that we are using currently.

How could this affect my business?

As a business, this may mean that you will no longer have to display a cookie banner on your website, which in turn may provide a smoother and more enjoyable experience for your users. However, this is a change that the UK is considering and therefore it does not apply to other countries’ regulations. It may still be necessary for you to display such banners if you plan on operating outside of the UK. That being said, the EU is also consulting on plans to make changes to cookies and the consent surrounding them; however, any such changes are unclear at the moment.

So what?

As it stands, the UK has been granted data adequacy by the European Commission. This means that personal data can travel freely (as it did before Brexit) between countries in the EEA and the UK. Without adequacy, carrying out business and trade with customers outside of the UK would be very difficult for UK businesses. Therefore, when the proposed changes are made, the UK will need to keep the EU ‘on side’ in order to retain this adequacy decision; if any drastic changes are made, the EU may revoke it.


Experian Discredited: ICO Investigation

Picture this – you are looking to buy your first house – you get your credit score checked by Experian – you have heard of them, maybe seen some advertising on TV, and so you go ahead. Little would you think about what Experian may be doing with your data without your knowledge/consent because there are regulations that they must follow – surely?

Experian and other credit reference agencies collect and process vast amounts of personal data in order to carry out credit checks as well as parts of their other services; ‘We gather, analyse, combine and process it to help people and organisations achieve their goals’. Yet does this mean that you as a consumer are intending for your personal information to be traded, enriched and enhanced without your knowledge or consent for marketing purposes?

The answer, more often than not, is no.

You most likely do not want the company sharing your information with third parties purely for their own marketing gain, even more so without your consent to boot.

This processing of your personal data by Experian resulted in products which were used by commercial organisations such as political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people. The UK Data Protection Regulator, the Information Commissioner’s Office (“ICO”), found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. ‘Invisible’ because the individual data subject is not aware that the organisation is collecting and using their personal data. This is against data protection law.

The Data Protection Act (DPA) and General Data Protection Regulation (GDPR) initiated a new approach to personal data and the transfer of such data. It has seven main aims/principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

These aimed to guide and regulate organisations to allow for individuals to have greater access to their data and to be able to understand what companies could and could not do with it.

Experian failed to be transparent, as required under Article 5 GDPR; this is because they were using ‘invisible’ processing of personal data and therefore were not being clear to data subjects as to what their personal data was really being used for. The regulator found that personal data provided to Experian, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.

The ICO ordered Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover. The enforcement notice followed a two-year investigation by the ICO into how Experian used personal data within their data brokering businesses for direct marketing purposes. The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.

At the same time that the ICO was investigating Experian, other credit reference agencies (CRAs) were being investigated for similar reasons; in addition to the transparency issues, some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive. The report does not reveal whether Experian was also using profiling within its processing. This highlights the potential need for further regulation of these providers to ensure that there is compliance at all times with both the UK GDPR and the UK Data Protection Act (DPA). Similarly, investigations such as this open consumers’ eyes as to what goes on ‘behind closed doors’ at companies in regard to their data and how it is used. Outgoing UK Information Commissioner Elizabeth Denham has remarked: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

It is safe to say that reports and investigations showing that your data is being used for purposes you did not consent to will have had an impact on the company itself – with its reputation severely tarnished.


Marketing Consent Crisis

We have all been there, scrolling through the endless marketing spam in our inbox – most of the time not even taking any notice of what we are deleting. Throughout the pandemic, organisations have also turned to SMS in order to market their business – equally buying and selling personal data illegally in order to find new customer bases.

Under the General Data Protection Regulation (‘GDPR’), Article 6 specifies that there has to be a legal basis for processing the data – the article also outlines six bases that make the processing legal. These are:

  1. Consent: the individual has given clear specific informed consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Where organisations are using personal data to send unsolicited marketing emails and messages, they may be doing this without consent and are therefore breaking the law. Not to mention that these messages are often annoying and frustrating!

Why is a Legal Basis Necessary?

The first principle of GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erasure of personal data which has been processed unlawfully. The individual’s right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

However, throughout the pandemic the UK Data Protection Regulator, the Information Commissioner’s Office (‘ICO’), has had to enforce more and more cases of non-compliance by organisations. For example, on 5 March 2021 the ICO reported that two separate companies that sent nuisance text messages during the Covid-19 pandemic had been fined a total of £330,000. Messages from one of the companies prompted a record 10,000 complaints.

The companies in question were Leads Works Ltd and Valca Vehicle Ltd. The ICO fined West Sussex-based Leads Works Ltd £250,000 for sending more than 2.6 million nuisance text messages to customers without their valid consent. These messages, sent between 16 May and 26 June 2020, resulted in over 10,000 complaints. The company has also been issued with an enforcement notice by the ICO, ordering it to stop sending unlawful direct marketing messages.

Examples of the text messages include:

“In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” The ICO’s investigation found Avon did not send or instigate the text messages.

Following complaints from the public to the ICO, Valca Vehicles Ltd was found to have sent more than 95,000 text messages from June to July 2020 without the recipients’ permission. The messages referenced the pandemic and were designed to appeal to individuals whose finances had been adversely affected. This, in the Commissioner’s view, was a clear attempt to capitalise on, and profiteer from, the health crisis.

Examples of the text messages:

“*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org”. The company, which is currently operating as ‘Debtquity’ to generate leads for debt management products, has also been issued with an enforcement notice by the ICO, ordering it to stop sending the messages.

A Post Pandemic World…

The future, although uncertain, will involve businesses trying to recover what was lost to the pandemic – rebuilding and reimagining marketing. However, it is important to note that, despite the fact we have been living in unprecedented times, the UK GDPR as implemented through the UK Data Protection Act (‘DPA’) still has to be followed in order for a business to operate legally.

So is buying contacts and sending marketing emails and SMS texts impossible under GDPR?

NO – this can still be done, but it has to be done in a manner consistent with GDPR. An organisation can purchase personal data such as emails or phone numbers and use them for marketing PROVIDED it can demonstrate compliance with one of the six bases named above. Poor-value data vendors are continuing with the same poor practices that were actually illegal under the pre-GDPR data protection laws, let alone now. Good vendors provide due diligence documents demonstrating the legal basis and give the purchaser evidence to demonstrate compliance, such as records of consent showing how and when it was given and for what purpose. Any reputable vendor would easily be able to provide this information on request, so the onus falls on the organisation buying the data and doing the marketing – don’t forget your GDPR due diligence.

*Spam texts and emails, as well as nuisance calls can be reported through the ICO’s website at ico.org.uk/concerns. Mobile phone users can also report spam texts to the GSMA Spam Reporting Service by forwarding the message to 7726.


Schrems II: Privacy Shield Down – The future of international data transfers with the US

Dr. Heather Anson chaired a discussion on Wednesday 12 August at 1pm BST regarding the recent European court decision that struck down the EU-US Privacy Shield, the main data sharing agreement allowing the storage of personal data of EU citizens in the US, where the majority of the world’s cloud storage infrastructure is held.

Heather Anson was joined by Peter Wright, managing director of Digital Law, Jennifer Baker, Brussels-based technology journalist, and Anna Drozd, specialist on EU law on privacy and data protection based in the Brussels office of the Law Society of England and Wales. They covered topics such as:

  • The implications of this decision on data sharing between Europe and the US,
  • The use of Standard Contractual Clauses in contracts to facilitate international data transfers,
  • The use of Binding Corporate Rules,
  • The implications for businesses based in the UK, Europe and elsewhere who wish to trade in the European digital single market,
  • The likely implications of Brexit on international data transfers to and from the UK,

and more.

Don’t worry if you missed it, the webinar was recorded and is now available on demand by clicking on the link below.


5 Tips for more Secure Remote Working

For some people who run their own businesses, or those whose employers promote flexibility in the workplace, remote working may be the norm. However, for a large majority of the population this whole “working from home” situation is completely new! Whilst working from home is essential during this difficult and unprecedented time, it doesn’t come without its risks.



Clio Online Webinar Series – Remote Working

Unfortunately this year’s LegalEx event was postponed due to Covid-19. As you may have heard, Peter Wright, the managing director of Digital Law and consultant for Anson Evaluate, was due to speak at the event alongside many other valued speakers.

Luckily for you, you don’t have to miss out completely. Not only has the event been rescheduled, but our friends over at Clio set up a mini webinar series that took place over two days last week. On the second day of the series Peter Wright participated in a webinar focused on remote working alongside Joe Walsh, a remote working specialist from LogMeIn.

Don’t worry if you didn’t manage to watch it live; you can view a recorded version of the webinar here:

https://landing.clio.com/clio-online-seminar-series-2.html?utm_source=internal&utm_medium=email&utm_campaign=legalex-seminars-2020&utm_content=noshow


1 Year Anniversary of the GDPR

With the 25th of May fast approaching, it’s been almost a year since the General Data Protection Regulation (“GDPR”) came into force throughout the European Union (“EU”). In celebration, we are offering £100 off our GDPR Compliance Manual for Law Firms.
