Your GDPR Questions and Answers
Thank you to everyone who came along to last week’s GDPR webinar. We had a number of questions during the webinar and we’ve answered them all here in this blog. Please contact us if you would like a personalised discussion on your data protection compliance needs.
Top 12 GDRP questions and answers
How can I legally transfer data to the USA?
Right now the way to legally transfer data to the USA is using the standard contractual clauses, or the British equivalent mechanism. This means going through a risk assessment process, filling out all the paperwork of who the data is going to, who processes it etc.
Think of it like exporting physical goods. Paperwork needs to be filled out at the port of exit and properly done so, and data is unfortunately no different. But do the paperwork correctly and there shouldn’t be too many problems.
What types of personal data lost most often result in fines i.e. are fines skewed towards banking information?
It really depends. We’ve seen fines all over from companies large and small. I don’t think it is skewed particularly to financial information, and to be honest the trends from EU cases ten to treat the other special categories, particularly health, race, sexual orientaton etc just as significantly as financial data. We saw from the H&M case quite a massive fine over recording health data when they shouldn’t have been. In fact in that case they probably could have made it in a legal way, they just didn’t. So the main message is that data breaches or breaches of GDPR law are not confined to only financial matters when it comes to fines.
Is there a difference between EU GDPR and UK GDPR?
EU GDPR no longer applied in the UK after Brexit, so the UK copied and pasted the EU rules into UK GDPR. UK GDPR kept most of the rules but also removed EU specific parts.
The Data Protection Act 2018 known as DPA 2018 further clarified how GDPR operates in a specific UK context. The core provisions of GDPR all remain the same in the UK.
The DPA 2018 doesn’t rely on EU GDPR but UK GDPR. It is slightly complicated but essentially at this present moment, the only differences between UK and EU GDPR are minor such as the age of valid consent being 13 years in the UK which is down from 16 years in the EU.
Essentially they are the same laws just pointing to different places. However the data reform bill we were discussing earlier will make changes to UK GDPR, so at the end of that process, they will be quite fundamentally different.
What has changed since Brexit? EU Representation? Cookies?
UK and EU GDPR have changed since Brexit, but also that the UK is seen as a third country when it comes to GDPR. So that means if you operate in the EU from the UK, you need to appoint a representative and a lead authority in the EU. Just as EU companies working in the UK must appoint the ICO as their lead authority for the UK. That also means registering with the ICO and paying their fees. You need to appoint a representative because that’s who will be notified if there is a data breach.
Regarding cookies, The current PECR rules covering marketing, cookies and electronic communications derive from EU law but are set out in UK law so those haven’t changed. They may be updated when the EU decides to update the e privacy regulation, but we don’t know.
How do we keep GDPR fresh in an employee’s mind when they are getting GDPR fatigue after 4 years of refresher training?
Fatigue can often come from doing the same type of training over and over again. That’s the first thing to avoid. Making training specialised to a particular job role makes the training much more relevant. And that’s what we do in our courses. We have GDPR for marketers, for HR, for customer facing individuals. Focus on what they need to know for their job. But also, data protection is a serious subject that is only becoming more important, more material for companies. Yes, people may be fatigued about GDPR but at the end of the day, a data breach, a potential fine, is probably one of the most damaging compliance failures a company can experience.
And I think what we’re going to see particularly in the UK is that the legal requirements of data protection are being reduced, but the public is and will be hyper-aware of data protection rules and what they should expect their data to be treated like. I think UK companies are going to have to think very carefully about embracing the UK government’s GDPR changes because I think they might find they are alienating a significant amount of customers who are expecting a strong level of data protection.
Can we ask if people have been vaccinated or is this a breach of GDPR?
Yes, you can ask about people’s vaccination status. In fact, it’s probably recommended from a health and safety perspective. Employers have a duty to protect their staff and mitigate the risk of them becoming sick. So if you’re allowing a lot of unvaccinated people into the office freely, that’s likely to put a lot of people at risk. But when you’re asking people about their vaccinations status remember that’s special category data under GDPR, so you need to treat it the same way as any other health information.
What are the most significant GDPR risks with a hybrid working model?
There are two main risk areas that stand out. The first is the external factors. The risk of a hacking attack, phishing attempts, a malware infection because of human error. That can be mitigated by strong security policies, password changes and encryption standards for personal devices. But more importantly, probably is training. Constant reminders about the risks and the need for vigilance, frequent password changes, using a password manager for instance.
Secondly are the internal factors which we’ve seen have resulted in quite a few GDPR breaches. Monitoring staff when they shouldn’t have been, collecting too much data, not putting in place human oversight of automated systems, and not informing people of data that’s collected about them.
But the best way to manage both those factors is to closely follow GDPR. The data protection rules give guidelines for data security as well as protecting people’s fundamental rights and freedoms. So the better you and everyone in the business understands GDPR, and the closer you can follow the rules, then you’ll be much more likely to be able to stay on the right side of the law and of necessary security measures in this hybrid working era.
Will a new version of the privacy regulations be introduced in the UK when they come in at the EU level?
A new ePrivacy directive was meant to come into force along with GDPR back in May 2018. But that never happened, because the EU was unable to agree to a new text. The Finnish Presidency of the EU tried and failed 10 times in the second half of 2019 to reach an agreement, and the Croatian presidency also failed in 2020.
There are some inconsistencies between the existing ePrivacy directive and GDPR, particularly when it comes to cookies on websites and there’s no general agreement on how that should be dealt with. Plus, certain sectors such as AdTech, AI, and autonomous vehicles lack a strong set of specific regulations, thereby relying on the ambiguous rules which can differ widely across EU member states. Those industries have been strongly lobbying the EU to ensure any new rules are favourable to them, hence the delays. If and when it is eventually agreed, the new ePrivacy directive is expected to sit alongside GDPR and cover things such as
- The processing of electronic communications data including content and metadata and the requirements for consent
- Rules around obtaining end-users’ consent to cookies which may require browser providers to provide built-in privacy settings (and so remove cookie banners from websites)
- Extending direct marketing rules to instant messaging and in-app notifications, therefore requiring opt-in consent
The short answer is we don’t know what the UK will do. But it’s likely they would update the regulations to some extent, probably using the EU version as a framework.
How far should a firm be going in refreshing its data audit and data protection policies four years on?
It depends on a few different factors. First of all the size and complexity of your business. Very complicated companies may need to redo a data audit once a quarter if you have a lot of complex data flowing through your business or are operating with a lot of third parties. But at minimum, it’s a good idea to take a risk based approach to the data audit. Once a year is probably a good middle ground for looking at your data audits, but I think if you haven’t done it since GDPR, it’s probably worth looking at it again now. Also if you do a risk assessment on different parts of your data storage you might decide to do an audit on the high-risk parts like customer data for example, and hold off on other parts. But at minimum, you want to know where everything is and make sure it is properly protected.
How can you re-consent email addresses for marketing legally?
There are other lawful basis for contacting people. You don’t always have to rely on consent. You might want to use the legitimate interest basis for processing their data or if they are existing customers by virtue of the fact you have a contract with them. So you can always segment your database and rely on a different lawful basis for different groups of people, but if you are changing the lawful basis for processing their information you should inform them with an updated privacy notice.
If you are relying on consent though, as long as you have a record of when they first gave consent, for instance they opted in, clicked a button, or confirmed their subscription, you don’t need to get re-consent. That remains valid until they withdraw their consent and if there’s an unsubscribe button on every marketing email then you have basically covered your bases.
GDPR for not for profit/clubs/hobby groups – what is the most important priority?
GDPR applies to organisations, not individuals. So if you’re not a constituted body like a business or a charity, GDPR won’t apply to you. Neighbourhood groups or individuals or people who just come together without being under some formal organisation don’t need to apply. If you are an organisation though, then you need to make sure you comply. The first thing would be to have an updated data protection policy in place, inform people how you are going to use their information through a privacy policy which is on your website, and make sure they have unsubscribe buttons on all your marketing emails. Those are the main priorities.
From an internal point of view, doing a data protection impact assessment, essentially a risk assessment, for new things you are going to do with data, will help minimise potential problems. Let’s say you’re a charity with a lot of phone numbers and you want to send out a mass text for a fundraising drive. Doing a quick data protection impact assessment is going to throw up questions like do we have consent for all these phone numbers, where did they come from and what lawful basis are we going to contact them under. If they all opted in to receiving marketing communications by text then that’s fine, but a chunk of them didn’t or your unsure, then don’t send them the text message.
What sort of refresher training should be given – and at what frequency?
Refresher training means additional training after staff have been trained initially. Refresher training does as it says, it re-freshes the knowledge gained in the initial training and assesses whether staff have retained the knowledge. Refresher training is not just about rolling out the exact same training course to staff all over again. Refresher training should be specifically designed to come afterwards, and can take a variety of forms including knowledge checks, risk assessments, micro courses or reviews of recent cases or examples of breaches.
GDPR training is most effective when it is focused, role-based training which relates to the specific requirements of a person’s job. This means those in the marketing department understand the requirements and rules on marketing and consent, while those in IT know about encryption rules and keeping data safe.
Everyone should be doing some form of basic refresher training annually, in addition to specialised modules for their specific role. Higher risk roles you might want to retrain more often.