The GDPR will introduce a number of administrative requirements for organisations, including changes to internal procedures. One change which must be addressed stems from the explicit provisions that require organisations to maintain internal records of their processing activities. Among other things, records must be kept on processing purposes, data sharing, and retention. Documenting this information is linked to the principle of accountability and helps demonstrate compliance with the GDPR. The ICO have produced detailed guidance on this documentation requirement explaining who has to maintain these documents, what has to be recorded and how this should be done.
The ICO has issued guidelines for what charities need to do to comply with the GDPR. Much of the advice is taken from their general advice and guidance for all organisations on how to prepare for the GDPR, including advice in relation to what needs to be included in privacy notices, advice around consent requirements, security of data requirements under the GDPR, and Data Protection Officer appointment.
In relation to health charities processing special categories of personal data, the ICO advises that special category data is broadly similar to the concept of sensitive personal data under the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar. The conditions for processing special category data under the GDPR in the UK are likely to be similar to the Schedule 3 conditions under the 1998 Act for the processing of sensitive personal data. Conditions for processing special category data are set out in the Data Protection Bill and more detailed guidance will follow when it is finalised.
Charities making marketing calls or sending marketing emails and texts will also have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and must ensure they have the correct consents in place.
For more information see: https://ico.org.uk/for-organisations/charity/charities-faqs/
The ICO have issued updated GDPR-focused FAQs for various sectors including Education, Health and Government. The FAQs can be found here:
Local Government: https://ico.org.uk/for-organisations/local-government/
A former worker at an accident repair firm who downloaded and sold the personal data of motorists to nuisance callers has been fined. Cyber security consultants were called in when the employee of Nationwide Accident Repair Service (NARS) was found to be accessing suspicious volumes of customer data from his laptop at home outside of his work hours.
Customers of NARS had been complaining about receiving large numbers of nuisance calls after engaging NARS which prompted the business to monitor the worker’s suspicious behaviour. The employee was found to be accessing the data of 2,724 customers without consent. After this the customers received unsolicited and sometimes aggressive marketing calls in relation to their accidents. NARS reported the employee to the ICO. He pleaded guilty to unlawfully obtaining data in breach of s55 of the DPA. A further charge of unlawfully disclosing data was also admitted and taken into consideration. He was fined £500 and was also ordered to pay £364 costs and a £50 victim surcharge.
ICO Criminal Enforcement Manager Mike Shaw said:
“The case serves as a warning to anyone who thinks they can make some quick and easy money selling people’s personal information. The consequence can be severe. Not only can it lead to a day in court and the attendant media coverage but it can cost a person their job and can damage their future career prospects.”
The Financial Conduct Authority (FCA) rules require financial services firms to process personal data. The FCA and ICO have stated that the GDPR does not impose requirements incompatible with the rules in the FCA Handbook.
They have noted that compliance with GDPR is now a board level responsibility and firms must be able to demonstrate compliance. The requirement to treat customers fairly is central to both data protection law and the current financial services regulatory framework but the FCA have said that they recognise that there is ongoing discussion to ensure that specific details of the GDPR can be implemented consistently within the wider regulatory landscape.
The FCA and ICO are going to review their current Memorandum of Understanding, which lays out their relationship and demonstrates their commitment to co-operation and coordination in their activities, so that it takes into account GDPR requirements. Whilst the ICO is the regulator for the GDPR, compliance with GDPR requirements is also something the FCA will now consider under its own rules, e.g. the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module, under which firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls.
For more information on GDPR, contact firstname.lastname@example.org.