Sunday, 11 March 2018

Fined for seeking consent in readiness for GDPR?!

This is interesting..
If you read the Flybe case you can see it was obvious they were going to get a fine!
Information Commissioner’s Office (ICO) found Exeter-based airline Flybe deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm
The Honda case is more interesting. They were emailing people to update their records in readiness for GDPR!
Honda Motor Europe Ltd had sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing.
I suspect it is OK to email “existing customers” where you used to have an opt-out and now want to have an explicit opt-in. That surely reflects a desire to move from the old (Data Protection Act) to the new (GDPR).
Lesson 1
Because of their failings in the past, Honda could not evidence that the email addresses they were using to ask people about consent had been obtained lawfully in the first place. So if your existing database isn't OK under the Data Protection Act, you cannot use it to make it better for GDPR.
Lesson 2
I think what is clear is that you should not tie GDPR updates to any promotions or marketing, because clearly at that point it ceases to be an information update and instead becomes junk-mail.
I am curious how others interpret this decision.
There are businesses and charities who are – right now! – emailing people to ask “...please can we continue to use your data, and if so please [opt-in] so we can be sure to get it right, or never bother you again if you don't…”

Friday, 9 March 2018

GDPR When Can the Child Speak for Herself?

Source: When Can the Child Speak for Herself? The Limits of Parental Consent in Data Protection Law for Health Research, Medical Law Review, Oxford Academic

Key points that I observed from this article
(I welcome feedback, particularly from those with practical experience)

‘Parental consent will always expire when the child reaches the age at which they can consent for themselves. You [as data controller] need therefore to review and refresh children’s consent at appropriate milestones.’

In the UK, the age of full majority is 18. However, an individual is entitled to exercise certain legal rights while still a minor.

The Gillick Test in Healthcare - The case of Gillick v West Norfolk & Wisbech Area Health Authority established that where a person under the age of 16 has reached sufficient maturity to understand the nature and consequences of a proposed intervention, and it is in their best interests to do so, then they can provide a valid legal consent on their own behalf. Lord Fraser concluded that while a doctor should always seek to persuade a child to tell a parent [it is up to the child].

If the processing of a child’s data began with the consent of their legal representative, the child concerned may, on attaining majority, revoke the consent. But if he wishes the processing to continue, it seems that the data subject need give explicit consent wherever this is required.

You [as data controller] should consider whether the individual child has the competence to understand and consent for themselves (the ‘Gillick competence test’). [And presumably consider that as part of DPIA and Privacy by Default/Design]

‘The core legal principle is that of the best interest of the child.’ As in the context of healthcare, parents continue to have responsibility—where necessary, expressed through parental consent—to act in a child’s best interest.

There may be limited circumstances in which a data controller considers it appropriate to continue to process data relating to a child past the age of 16, and on the basis of a parental consent. These circumstances would most likely be limited to those where the following considerations apply:

1. the requirements regarding consent were met at the time that consent was originally given;

2. there is no reason to rebut the presumption that, in line with previous parental consent, it remains in the best interest of the child that the processing continue; and

3. it would be ‘fair’ to rely upon the alternative legal basis in the circumstances.

Whether it would be ‘fair’ requires consideration of all material factors including, but not limited to,

1. whether it is clear to the data subject, ie the child, that she has rights in relation to the processing, including the right to object;

2. the extent to which the child was originally involved in the original decision to provide consent, and whether she assented to the processing;

3. the extent to which considerations of ‘best interest’ are engaged and favour processing; and

4. evidence from any context in which the child has begun to exercise her own data autonomy, for example, through social media or other means that suggest evidence of growing maturity.

Saturday, 17 February 2018

Quiz - Simple GDPR Self Assessment


This is a simple self-assessment; we do not keep your email address or try to sell you anything.

Are you GDPR Ready? Take our Questionnaire

Your result will appear automatically at the foot of the page. Please be sure to answer all questions.

Have you appointed a Data Protection Officer (DPO)?

The GDPR requires a Data Protection Officer where processing is carried out by a public authority, or where an organisation's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (Article 37). Organisations will have additional obligations and there will be changes that impact internal accountabilities and contracts. Where there is insufficient need for an internal DPO, some organisations may choose to employ the services of an external Data Protection Officer.

Have your security personnel received training or instruction on the GDPR?

Software alone cannot sufficiently counter all threats to data protection. Security personnel training should cover data processing obligations as well as the identification of breaches and risks.

Have your senior management been briefed on the GDPR?

A GDPR compliance programme should involve senior stakeholders as it will require input from all departments.

Have all staff received GDPR awareness training?

Many staff are unaware of their contribution to protecting personal information and what is expected of them. The GDPR expects staff who handle personal data to be trained: awareness-raising and training of staff involved in processing is one of the DPO's listed tasks (Article 39), and under the accountability principle you will need to be able to evidence that it happened.

Have you reviewed and updated your privacy policies?

You will need to review all existing data protection and privacy policies to ensure they comply with the new requirements.

Have you made preparations for implementing and performing Data Protection Impact Assessments?

You should assess all of your data processing activities in relation to managing data privacy and ensuring compliance. To prepare for Data Protection Impact Assessment (DPIA) requirements, you should also identify processing of sensitive data (including biometric information), surveillance activities (including CCTV), and data processing that may impact on the rights and freedoms of individuals.

Have you assessed all points of data collection to ensure that explicit consent is properly requested in each case?

The GDPR sets more stringent requirements for consent: it must be freely given, specific, informed and unambiguous, and it must be explicit where, for example, special-category data is processed. Consent is also only one of the lawful bases, so check which basis actually applies at each collection point. Data collection will have to adhere to just-in-time notification of the reason for data collection, communicate to data subjects how their data will be processed, and set out the procedures for further engagement in terms of their enhanced privacy rights.

Have you prepared, documented and communicated processes for managing subject data access requests?

Not many companies know where all their data is kept. Data may be stored in many different places, and not just inside the company or for internal use. Data is often not restricted to databases. Much of the data people work with everyday is in a variety of file formats and on different platforms, often outside the network, somewhere in the cloud. Successfully responding to data subject access requests will be a challenge in cases where process requirements have not been considered and dealt with thoroughly.

Have processes been developed to allow individuals to amend or delete their personal data?

New enhanced personal data rights, such as the right to be forgotten and data portability, additionally require organisations to know what data they process and where they store it. To allow individuals to amend or delete their personal data, the capability to track data (through systems and all the different storage locations) will be required under the GDPR.

Have data retention and destruction procedures been reviewed for all data (including offline) as used by your organisation?

Documented policies and procedures should describe the handling of each class of personal data in terms of retention periods, responding to data deletion requests, and maintaining records of retention and destruction activities.

Have you re-assessed your suppliers and supplier contracts in relation to the GDPR?

Article 28 requires a written contract with every processor that sets out the subject matter, duration and purpose of the processing and the processor's obligations, including security, confidentiality, the use of sub-processors, assistance with data subject requests and breaches, and what happens to the data at the end of the contract. It will be necessary to monitor the privacy compliance of suppliers and agents to avoid liabilities and damages. It is also advisable to follow a formal process for selecting external suppliers that will be expected to process personal data.

Have you made preparations to detect and report breaches as part of a response plan?

Breach notification is already mandatory in several other jurisdictions. The GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals (Article 33), and every breach must be documented internally even when it is not reportable. You therefore need a process that can detect, assess and escalate a breach within that window.

Have you prepared data breach notification procedures for informing data subjects?

It will be necessary to maintain a protocol for communicating breaches. Where a breach is likely to result in a high risk to individuals, they must be informed without undue delay (Article 34). A breach response plan should cover communication to affected individuals and describe processes for co-operating with regulators, credit agencies, and law enforcement.

Have you prepared for regular compliance audits or reviews to identify and fix issues?

Compliance is not a one-off exercise. Schedule periodic audits or reviews of your policies, records of processing and controls, record the findings and track remediation, so that you can evidence accountability for your processing rather than simply assert it.

Have you made preparations to abide by the GDPR codes for ‘Privacy by Design and by Default’?

This requirement will call for evidence that you have considered and incorporated compliance measures into your data processing activities. This includes adopting appropriate policies for integrating privacy-by-design and privacy-by-default, as well as pseudonymisation and data minimisation.

Answer all of the above to see your result here


If you want to get in contact feel free to phone +447797762051 or email

Copyright Tim HJ Rogers, All Rights Reserved

Sharing data with Government (data-controller or data-processor)

Businesses hold a lot of data about staff, customers and contacts, and under GDPR they need to keep that data private, safe and secure.

Additionally, where that data is held by or shared with a third party, there needs to be some form of data-controller/data-processor agreement detailing the roles, goals and controls for the management of that data.
In many cases that third party may be a government department. So it makes sense for the government department to detail its policy, procedures, templates etc., so as to be clear and consistent in all its dealings rather than create a bespoke solution and documentation for every organisation with whom it shares data.

Having a standard approach and template agreements will help reduce cost, raise awareness and ensure best practice. Surely this is better than every business having a slightly different approach to sharing data with that government department?

In the meantime I have been writing letters along the following lines to support my clients in becoming GDPR compliant and evidencing the roles, goals and controls for the management of data held for, or shared with, government.

Dear XXXXXX

FOI General Data Protection Regulation (GDPR).

Many organisations hold personal-data [as defined by GDPR] for the States or shared with the States (for example ID, Tax and SocSec information, and in some cases special-category data like medical information).

What are the requirements of the States in relation to that data? Do you have guidance and model data-controller/data-processor agreements as required by GDPR that can be shared to encourage a standardised approach based on best-practice?

For Example

·        What personal-data should be held for the States or shared with the States (Examples DBS Checks? ID Records? Staff Records?)

·        What should the retention period be for personal-data for the States or shared with the States (Example: 1 year, 3 years, 10 years?)

·        What information security measures should be applied to personal-data for the States or shared with the States (Example: Cyber Essentials? ISO 27001?)

Perhaps this would be better submitted as a Freedom of Information Request so that the reply can be used as a standard for all organisations seeking to address the requirements of GDPR?

Yours sincerely