This is our second blog of 2020. We have been busy working on compliance projects, conducting DPIAs and acting as DPO for public authorities and private organisations.
Our main office in Jersey closed because of COVID-19, and all our planned training courses in the Channel Islands and Ireland had to be cancelled. We will keep you up to date when new dates are arranged.
In other Propelfwd news, the Data Protection Officer course we run is now CPD certified, giving candidates 28 CPD hours on completion. As with all our courses, the material is provided by the Data Privacy Advisory Service (DPAS), with whom we collaborate on this training. We now provide online and classroom-based training for the foundation, practitioner and DPO courses, all CPD certified.
Our articles today cover the new way of working and the data protection considerations it raises, the unlawful processing of biometric data, and the DPO position: who can hold this title?
The new way of working – what should you consider?
As we start, hopefully, to peek over the edge of the COVID-19 lockdown, and restrictions on our personal lives and businesses begin to lift, we must review how we work and where we work.
Flexible working has been around for a long time, although I, for one, have always been very apprehensive about it. Call me old fashioned, but I believe it is fair to say that others are also wary, for instance over trust in productivity, the handling of data and data security. With current restrictions dictating how work can and cannot progress, it is time to harness the benefits of the recently discovered alternative ways of working, which can both endure such constraints and allow for the prospect that the 'new normal' may not simply be an about-turn to what was.
There is no escaping the fact that COVID-19 has forced businesses to do things differently in order to remain resilient and keep functioning. I have seen the hospitality and retail industries revolutionise the way they promote and deliver products to their customers. Five-star hotels and Michelin-starred restaurants now offer high-quality takeaway meals, often with home delivery. High street retailers have embraced online sales with free home delivery or convenient collection arrangements. Private and public sector businesses have strived to continue providing an appropriate service through work-from-home arrangements, and public authorities have moved many of their administrative services into the home environment. Even law enforcement civilian staff and warranted officers have adapted to working from home very effectively, and not necessarily at a cost to efficiency. It shows it can be done.
So what do business leaders do now that organisations can start moving back to full capacity? Is it simply a case of calling everyone back to the office and getting our IT departments (who have worked miracles over the COVID-19 period) to collect all the additional equipment sourced and supplied over the past three months or so? I would like to think the answer is 'No'.
Boards, directors, senior management teams and even owners of SMEs should re-evaluate how their business is conducted. We have seen that employees can work from home: the work gets done, in many cases productivity may have increased, and sickness absence may have reduced. Given the opportunity, how many staff would prefer to work from home, and could this benefit everyone?
This is not to say move everything to full-time home working; rather, look for a balance. For example, does this now allow a working week of two office-based days and three home-based days, or vice versa? In other words, flexible working arrangements.
So, if this appeals to businesses and their employees, what else do we need to consider that may not be adequately in place, or may be hidden within a lengthy paragraph of a policy somewhere? Yes, you are right to ask: how do we write policy for this new working model? What procedures do we put in place? How do we ensure data security and compliance with the GDPR or the relevant jurisdictional data protection law?
Data controllers have responsibilities. By law, this includes the requirement to put in place organisational and technical measures to protect the personal data being processed. The organisational measures are the policies and procedures that need to be put in place, together with appropriate staff training so that everyone understands what the policies and procedures mean, where they are and how they should be applied.
The technical measures are the security controls around the personal data itself: firewalls, encryption of laptops and of remote connections, access controls, and software to guard against data leaks. All of these areas need to be considered, with systems put in place so that the arrangement is future-proofed and not just 'thrown together for convenience'.
There are plenty of enforcement cases which can be referred to, as examples of organisations that have been fined for lack of compliance, but the majority of Data Controllers will be aware of these.
At Propelfwd, we can advise on your requirements for additional policies and procedures, or an 'add-in' to your current policies and procedures. We can write the policies and procedures for you and help you put them in place effectively.
Other areas to consider include:
Whether you allow your employees to use their own devices. If the answer is 'Yes', you need to put in place a 'Bring Your Own Device' (BYOD) policy.
Have you provided appropriate training to your employees on working from home and data protection issues? If not, Propelfwd can develop a customised online training course for your employees on this topic.
We can also provide assistance with Data Protection Impact Assessments.
A DPIA can be vital for organisations, identifying the risks involved in home working: data security, staff training needs, the home environment, home security and internet usage. It will highlight both the likelihood and the severity of any potential harm to individuals.
The general rule is:
A DPIA must be carried out where a type of processing is likely to result in a high risk to the rights and freedoms of individuals:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks”
If you want to know more about the legal requirements for a DPIA, refer to Article 35 GDPR (the text quoted above is Article 35(1)), Article 16 of the Data Protection (Jersey) Law 2018 or section 44 of the Data Protection (Bailiwick of Guernsey) Law 2017.
It is also advised that, where an organisation adopts new processing activities or changes a current process, the data controller should complete a DPIA. This is the first step in developing policies and procedures for your organisation: you must know the risks, both to the individuals concerned and to the organisation, and the mitigations that need to be in place to reduce them.
If you are unfortunate enough to suffer a data breach and the subsequent investigation shows that you had not identified and considered the risks associated with the new processing activity, you could be liable to sanctions from the Information Commissioner that could have been avoided with the correct measures in place.
Propelfwd can conduct the required research, liaise with employees through an online questionnaire covering their thoughts on the process, how and where they will work in their home, what internet access they have, security requirements and so on, identify the associated risks and recommend appropriate mitigations for you to put in place to reduce your exposure.
In essence, once the above measures and actions have been completed adequately, you have demonstrated, as a data controller, that you are accountable, that you have taken this important issue seriously and that you recognise the need to protect the personal data you process. This need not be an expensive undertaking for your organisation but, if left unaddressed, it could prove very costly, both financially and in damage to the organisation's reputation.
For more information, please contact us at Propelfwd.
Dutch Supervisory Authority Fines Company
On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees.
Processing Biometric Data of Employees
In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints. This initiative came about following indications of fraudulent use of the company’s existing badge-based time management system. After installation, the company’s old system co-existed with the new system, and employees were free to choose the method by which to sign in to work. One of the employees subsequently filed a complaint with the Dutch SA, which led to this investigation.
In its decision, the Dutch SA identified several violations of data protection law, in particular:
- no evidence that employees explicitly and freely consented to having their fingerprints scanned;
- insufficient information provided to employees about how their biometric data would be used; and
- over-retention of ex-employees’ biometric templates, which were “blocked” in the system but not actually deleted.
The Dutch SA noted that, in the absence of valid consent (Art. 9(2)(a) GDPR), the processing of biometric data is permitted only when necessary for “authentication or security purposes” (Art. 29 of the Dutch Implementing Law). In the matter at hand, the Dutch SA found that this was not the case. According to the Dutch SA, the company’s use of biometric data was disproportionate to the aim pursued because the security risks were not particularly high in this case. Moreover, less intrusive means could have been used to achieve the company’s objectives.
In light of the severity of the violation, its “long” duration (ten months) and the “high” number of individuals concerned (337), the Dutch SA decided to impose a significant fine. In an effort to reduce the fine, the company argued that the encryption of the biometric templates and the ISO certification of the technology supplier (and its sub-processor) should count as mitigating factors. The Dutch SA found these arguments unconvincing and did not reduce the fine, which was calculated in accordance with the fining model the Dutch SA announced last year. The practical lesson is that encryption and a supplier's certification address the security of the data, not the lawfulness of the processing; they cannot substitute for a valid legal basis, adequate information to employees or timely deletion.
Belgian Data Protection Authority: You may need a new DPO
Through recent decisions, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) has examined the role of the Data Protection Officer (DPO) and set out its own interpretation of the requirements for this role, as well as the DPO’s tasks.
In each case, the Litigation Chamber concluded, in a manner that may prove controversial, that the (internal and external) DPOs appointed did not meet the requirements of the GDPR. The deadline for appealing these decisions is still running, but it is already useful to look at the Litigation Chamber's position on this topic.
In summary, here are the top tips that result from this evolving case law:
- When recruiting a DPO, request evidence of expert knowledge of data protection law of the candidate in question, even when you work with a DPO agency;
- Carry out your own assessment of the candidate, even when you work with a DPO agency;
- If you are uncertain of the (best) candidate’s expertise, compare the risk in your case of (i) continuing the search or (ii) hiring him/her and forcing the DPO to improve that expertise in the short/medium term;
- If there is a potential data breach, involve the DPO, but ensure that he/she is not involved in the decision on the risk (and on whether or not to notify the Data Protection Authority);
- Avoid having a DPO who is also head of any given department in your organisation;
- Ensure that there is a clear possibility for the DPO to report to the highest management level, and that this possibility is not limited to a yearly report.
Read on for more detail on the Litigation Chamber’s reasoning – and how this might affect your organisation.
1. Preliminary remark: internal DPO or not?
The two main forms of DPO are (i) the internal DPO (an employee or a freelancer, hired directly by the organisation, on a full-time or part-time basis) and (ii) the external DPO (where the organisation has a direct relationship with a DPO agency, for which the “natural person” DPO works as employee or freelancer).
Each form has its own advantages, and based on these decisions, the Litigation Chamber does not appear to prefer one form over the other. The Litigation Chamber criticised the way in which the DPO role was organised in each case it examined – one relating to an internal DPO, another relating to an external DPO.
2. DPO selection
Before appointing a DPO, one must select the DPO carefully. Article 37(5) of the GDPR states that the DPO must be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.
a) Whose responsibility is it to test these qualities?
In one decision, where the relevant organisation was working with a DPO agency, the BDPA’s inspection service criticised the organisation for not having tested such qualities among candidates. The organisation responded that the assessment of such professional qualities and expert knowledge of data protection law had been carried out at the level of the DPO agency: the DPO agency had imposed a “written and oral test”, which was evaluated by the DPO agency. On this basis, said the organisation, it could reasonably trust the fact that the candidate (the external DPO) had the necessary professional qualities. Moreover, the candidate acted as DPO for other organisations.
The Litigation Chamber rejected this argument, considering that this was an admission that the organisation itself had never assessed whether the person in question had the necessary professional qualities for the role as DPO – and this was an infringement of Article 37(5) GDPR.
In practice: even if you work with an external DPO agency, you should assume nothing and request to have evidence of the candidate’s professional qualities (including expert knowledge of data protection law).
b) Expertise regarding GDPR and/or information security
As mentioned previously, Article 37(5) GDPR requires “expert knowledge of data protection law”. Yet in the aforementioned case of the external DPO, the job description for the role of DPO stated as follows: “(extensive) Knowledge of the GDPR is a plus”.
The Litigation Chamber considered that this approach did not comply with Article 37(5) GDPR, and stated the following in relation to the expertise needed for the role as DPO:
- “extensive knowledge of the internal IT systems and knowledge of all business processes in the broad sense can represent added value for the carrying out of the function of DPO and can as such be indicated as relevant skills and expertise”;
- “[k]nowledge of the legislation on data protection is however a requirement, certainly with a view to the carrying out of the tasks of the DPO as set out under Article 39 GDPR”.
In other words, expertise regarding data protection law is a requirement; IT expertise is a plus. It is worthwhile noting, however, that the Litigation Chamber did not require the DPO to have a legal background.
In reality, evaluating expertise regarding the GDPR can prove more difficult than one might expect for a variety of reasons, in particular:
- First, from a practical perspective, based on the logic of the position, the DPO would likely have to know the GDPR at least as well as the best-informed person in the organisation; at the same time, there still is no official certification of expertise today. [Those stating they are “certified DPOs” have merely followed an unofficial course; organisations must make their own assessment of the merits of such unofficial certifications.]
- Second, there is the question of what counts as expert knowledge. Many who describe themselves as “GDPR experts” discovered data protection law only after the GDPR's adoption in 2016, giving them at most four years' experience. Given that far fewer people were advising on data protection law before 2016, setting a minimum of even five years' experience would immediately exclude most candidates for the role of DPO.
- Third, tests must take national interpretations into account, given that even today supervisory authorities continue to have diverging interpretations on certain points (the DPO role being an example).
In practice: even if you work with a DPO agency, ask in-depth questions so that you can assess the candidate’s professional qualities, and record the selected candidate’s answers as well as at least the outcome of the assessment of other candidates. Until official certifications exist, though, know that there is no guarantee that your assessment process will be free from criticism.
c) Which candidate to choose?
Still in the same case of the external DPO, the organisation stated that of the various candidates, the person chosen was the “most suitable” one.
However, the Litigation Chamber considered that just because a candidate comes out of a recruitment process as the “most suitable” one, “this does not ipso facto demonstrate that the person is sufficiently suitable”.
In other words, if an organisation has several candidates but is unable to find one who meets the “professional qualities” requirement of the GDPR, the Litigation Chamber seems to be of the opinion that the search for a DPO should continue.
This position appears to be very strict. Not only must the expertise be sufficiently tested, but if it is not properly demonstrated, no DPO can be appointed and the search must continue. Yet if an organisation is required to have a DPO as a result of its very nature or the processing it carries out, not appointing a DPO is in and of itself an infringement of the GDPR.
In practice: if you are not certain of the expertise of your preferred candidate, carry out a risk assessment and decide which is the larger risk – having an inadequate DPO during a certain period (with the possibility of forcing the DPO to improve his/her knowledge of data protection law in the short or medium term), or not having any DPO for a little longer while you continue your search.
3. Tasks of the DPO
a) Extent of involvement in relation to data breach situations
In a case regarding an internal DPO, part of the discussion concerned the involvement of the DPO in the management and assessment of potential personal data breaches.
The BDPA's inspection service criticised the organisation for merely informing the DPO of the result of the risk assessment regarding potential personal data breaches, rather than consulting the DPO. The organisation responded that informing the DPO was sufficient under Article 38(1) GDPR, which states that the DPO must be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
The Litigation Chamber rejected this position in part, considering as follows:
- Merely informing the DPO of the decision on the risk assessment and not consulting with him/her beforehand would hollow out the function of the DPO;
- The prior involvement of the DPO promotes compliance with the principle of data protection by design;
- In relation to the risk assessment process, the Litigation Chamber noted that the DPO was in reality involved, in that he/she carried out a separate assessment and provided advice prior to the decision on the risk. In other words, despite the organisation’s argument that the DPO did not need to be consulted, he/she was consulted in practice;
- In relation to the result of the risk assessment, the Litigation Chamber noted that business representatives were responsible for the end-decision on the risk and not the DPO, and this was consistent with Articles 38(1) and 39(1)(a) GDPR. In this context, the DPO was merely informed, not consulted, but this was permitted by the GDPR.
The Litigation Chamber concluded that in practice there was no infringement of Article 38(1) GDPR. However, it clearly considers that Article 38(1) GDPR requires the DPO’s active involvement in the management of data breaches – not merely information afterwards. It is unclear how strong this position is, as it is based on considerations relating to data protection impact assessments and not on any guidance relating to data breaches.
In practice: If there is a potential data breach, involve the DPO, but ensure that he/she is not involved in the decision on the risk – and in particular in the decision on whether or not to notify a personal data breach.
b) Non-DPO tasks and conflicts of interest
In the same case of the internal DPO, the person in question had several roles in addition to that of DPO: he/she was also responsible for compliance, risk management and internal audit.
The organisation in question stated that it had taken various measures to mitigate the risk of any conflict of interest, and these measures were described in the form of a “DPO Charter”. In addition, the organisation contended that the other functions were merely advisory functions, without the power to take any decision in relation to processing activities.
The Litigation Chamber held, however, that the organisation did not demonstrate that the DPO did not carry out any tasks that were incompatible with his/her position as DPO. On the contrary, it stated that “the role of head of a department is incompatible with the role of DPO” because the DPO cannot carry out any independent supervision of such a department. In other words, irrespective of the non-DPO tasks of the DPO him/herself, and irrespective of the measures taken by the organisation to limit the risk of any conflict of interest, the issue in the eyes of the Litigation Chamber appears to have been the theoretical possibility of independent verification of the department by the DPO.
In practice: avoid having a DPO who is also head of any given department in your organisation.
4. Position within the organisation
Under Article 38(3) GDPR, the DPO must be able to “directly report to the highest management level of the controller or the processor”.
In the aforementioned case of the external DPO, it was unclear whether the DPO in question had the authority to report directly to the highest level outside of a yearly report.
The Litigation Chamber held that this was an infringement of Article 38(3) GDPR, and that the DPO must also be able to carry out his/her advisory or informational tasks vis-à-vis the highest management level on an ad hoc basis.
In practice: ensure that the reporting possibilities for the DPO are clear, and that the highest management level does not only see the DPO once per year for a yearly report.
5. What should you do?
Both of these cases started as investigations into non-DPO issues (a question about the scope of data processing in one case, a data breach in another case), and the investigations grew to encompass the assessment of the role of the DPO. No fine was imposed in the case of the external DPO, but that was likely just because the organisation in question was a public authority, and the Litigation Chamber cannot impose a fine on a public authority in Belgium. In the other case, the fine imposed (50.000 EUR) was the highest fine to date in Belgium.
In other words, just because you have not yet seen any criticism of the role of DPO within your organisation does not mean you are safe.
Rather, check whether your DPO meets the practical requirements highlighted. If these requirements are met, there is a chance you will avoid a fine; if not, be forewarned.