The GDPR provided the directive to members of the European Union on information privacy that is then passed into law within the member countries. It hasn’t come out of the blue sky; it summarizes international legislation and best-practice for information processing of personal data going back up to forty years. Because the directive isn’t particularly innovative, but relies on gathering together good practice, it can, in fact, be used as a basis for enacting privacy laws within any legislative area.
Data Protection and the Organization
Because IT practices are very much catching up with what society expects regarding privacy and security, the GDPR also provides guidance into how best to change your IT processes to make compliance easier and make any organization accountable for its privacy policies. At the time of writing, there is still quite a lot of confusion about what the typical organization needs to do in order to comply, and there aren’t many precedents for the sort of response that is necessary, together with the supporting documentation required of any organization that holds information about individual people.
Although national organizations acting as Data Protection Authorities (DPAs) such as the UK’s ICO provide many ways of getting to grips with privacy concerns, with checklists, articles and summaries, there are in addition the two important changes for organizations that the GDPR may require. These are the appointment of a Data Protection Officer (DPO) and the process of the Data Protection Impact Assessment (DPIA). The appointment of a full-time DPO is only relevant to larger organizations, but any organization, whatever its size, needs to be aware of its obligations concerning data and go through the exercise of working out what is necessary to ensure that people’s legal rights to a private life are respected. The smaller organization will probably seek part-time consultancy to cover this role.
This article concentrates on accountability. The requirement on organizations to implement appropriate procedures to demonstrate that their processing of personal data is compliant with the GDPR.
Accountability is one of the three principles covered by the GDPR: the right to privacy, the concept of accountability, and the ownership of personal data. The right to privacy already exists and is enshrined in law in many parts of the world. For Europe, Article 8 of the European Convention on Human Rights guarantees the right to respect for private and family life, one’s home and correspondence. The 4th Amendment of the US Constitution implicitly grants the individual a right of privacy. The accountability principle was first expressed in the Organization for Economic Cooperation and Development’s (OECD) 1980 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The idea that a person retains ‘ownership’ of information about themselves and that it is ‘confidential’ unless explicitly agreed otherwise, is a rather different perspective of existing law but is reflected in existing defamation, copyright and libel law. Most countries will have a great deal of legal precedent to underly this principle.
The exercise known as a ‘Data Protection Impact Assessment’ (DPIA) is a process for building and demonstrating compliance with the GDPR. The purpose of this is to come up with a simply-understood document that lists any potential problems with security and handling of data and come up with a strategy that minimizes the risks of a breach, or of any failure in the organization’s custodial obligations to personal data. DPIAs are an obvious way of educating organizations to be good data custodians, to illuminate practices that are risky or sloppy, and to take the obvious steps to prevent a data breach from happening.
The Personal Information Review document
In the average small organization such as a shop, golf club or society, the chances are that you don’t need to maintain a DPIA. If you don’t require a DPIA, you still need to state, in a plain ordinary document why not. There are checklists that help with this document. Even if you do need a DPIA, it is usually still a simple document that can be the result of a reasonably quick series of checks.
Do we hold personal data? If so, is it held securely? Where is it kept?
Is there any risk of accidental breaches?
Are there any risks of malicious breaches or theft? If so how can this risk be minimized?
Are employees able to access more information than is necessary for their role?
Are the users aware of what data we hold, why, and for how long?
Can they check on the information to ensure that it is correct?
Do we do any screening of that data, or any processing that the users wouldn’t be aware of?
Do we pass the data on to any other agency without explicit agreement?
Even for relatively small organizations, this sort of question can come up with surprising and quite scary answers. You can’t assume, for example, that everyone is aware that all confidential information sent over email must be encrypted. The general public won’t always be aware of the difference between HTTP and HTTPS, or the issues of Cloud security. We’re not just talking about databases here, but about documents, emails and notes. We are reviewing in general what is involved in using IT systems securely and responsibly, and in methodical document retention. To cover the practices of a small organization, one review document will usually be enough: especially if the organization is just doing simple things such as membership lists. That review document must exist and must explain why it is, or isn’t, necessary to do a DPIA. So far, I’ve not done a review document of over two pages, but this will vary.
If the review comes up with the requirement for a DPIA then it is each business or organizational process within the organization that involves personal data that needs its DPIA, not necessarily each application.
The DPIA isn’t just a handy and informative exercise: If an organization fails to create one when the nature of the information processing requires a DPIA, or fails to keep it up-to-date (Article 35 and (3)-(4)), or carries out a DPIA incorrectly (Article 35 and  to ), or doesn’t consult the relevant supervisory authority where required (Article 36[e]), it can be penalized. If, on the other hand, an organization can prove that it has considered the issues properly via a properly maintained DPIA, then this can mitigate any penalty for a breach. If an organization is uncertain what measures are required in the light of a DPIA, it can submit it for advice to the appropriate Data Protection Authority (DPA) such as the UK’s ICO.
DPIAs should cover a business activity that involves the processing or publication of data, rather than a single application. A single DPIA can assess several similar processing operations, especially where there is uniformity in the nature, scope, context, purpose, and risks of these operations. A DPIA is only required where a type of processing is not already covered by an existing DPIA and is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). It can be difficult to decide when a DPIA is required because it isn’t always apparent how applications, whether developed, purchased or leased, are using data, and what data is retained. There are obvious cases where processing is likely to result in a high risk to individuals, such as with healthcare, and there are ‘screening checklists’ available that list these obvious cases. Even applications that seem completely innocuous need a routine check to see whether a DPIA is worthwhile. The safest option is to do a DPIA for any major project which requires the processing of personal data. If you decide not to do a DPIA, you must provide, instead, a document that spells out your reasons for the decision. (see Article 32)
Determining the risks
We aren’t just talking about hackers doing SQL Injection on websites; Accidental Privacy breaches can happen for all sorts of reasons and aren’t always easy to prevent. A doctor can easily mention a medical condition to a family member, wrongly assuming that the patient is happy for information to be shared with their family. More important breaches can happen when papers, laptops, discs, and flash drives are dropped accidentally in the street or left on public transport. It can result from emails sent to a whole list of destination emails rather than a single recipient. It can happen when people in a hurry accidentally publish personal information online in a place accessible to the public. Carelessness is more common, such as when disks containing confidential data are dumped without being destroyed first or are stored in abandoned buildings, where members of staff are given access rights beyond what is necessary for their role.
Where in the past, organizations have allowed a data breach to happen, they have occasionally escaped censure or prosecution through claiming ignorance of the problem. This is now much less likely to be an escape route, because the GDPR and the equivalent legislation in various countries is obliging management to request and be familiar with the main protection and privacy issues within the organization. They must provide any necessary training to staff to increase their awareness of data protection issues and to facilitate the process of determining what the issues are whenever personal information is held. If an organization is not staffed with enough people with the training to meet their obligations, then they are now non-compliant.
When are you obliged to do a DPIA?
It will become increasingly likely that a DPIA is required if you find that your organization is recording evaluations or scoring about people, or if you are processing sensitive data or data of a highly personal nature. Holding and using data about children, disabled or otherwise vulnerable people, is a sign that a DPIA is necessary and any automated decision-making that could have significant effects on people should flag up a concern, particularly where that decision affects whether they can exercise a right or use a service or contract. The use of Innovative technological or organizational solutions isn’t discouraged, but it requires a thorough risk assessment via a DPIA.
There must be a DPIA for any business activity that involves any of these processes:
Whenever you use personal data to profile or categorize people, when the result is used for decisions that may affect those people, such as determining access to a service, opportunity or benefit. An example of this might be when a bank uses personal data to assess credit-worthiness, or a recruitment agency uses such data to select candidates.
If you need to process widescale ‘special category’ data or data that might include criminal records or prosecutions such as CRB data. Special category data is that which can “reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures” (Recital 75)
If you have data as a result of systematically monitoring a publicly accessible place on a large scale and collecting data that can lead to a personal identification.
If you are using technologies that are unusual or new to the processing of data – see recitals 89, 91 and Article 35(1) and (3)
If you are doing large-scale profiling based on collected personal data. (e.g. for advertising or political targeting.)
If you are processing biometric or genetic data.
If you are acquiring data from several sources to derive inferences from them, such as targeting potential donors for a charity, generating prioritized contact lists for sales, or to identify individuals from pseudonymized data.
Intend to process personal data without providing a simply-understood privacy notice directly to the individual.
If you wish to process personal data in a way which involves tracking individuals’ online or offline location or behavior.
If you process children’s personal data for commercial reasons.
If you process personal data which could result in a risk of physical harm to one or more individuals
If there is any security breach
The Impact Assessment.
The first task in a DPIA is to define the scope. Each area of activity within the organization where personal information is handled will have had its review. If that review finds that one or more DPIAs is required, then it needs to be progressed by a DPO or someone taking on that role. Whatever the outcome, the assessment of these risks, and insights into the way data is currently handled, is intrinsically valuable because the different aspects of IT, governance, delivery and operations, must meet and discuss the potential problems in data protection and privacy, be more aware of their social responsibilities, and pool their knowledge and experience. The result of this should be a ‘deliverable’ document that comprises a team-based assessment of all the possible problems and all the things that can go wrong for any major IT projects within the scope of the document that involve the processing or retention of personal data.
What are these ‘custodial obligations’ towards data? Firstly, you can no longer hold information on people without good reason, and even if the reasons are good, you have to do it properly and securely. Finally, you must behave with courtesy to the owner of the data: the person involved. To make certain that the organization is consistent and understands the issues, the organization is obliged to ensure that their employees are trained in the issues of data protection. By good custodianship, a company can avoid direct liability for a breach, but it is harder to avoid ‘vicarious liability’.
DPIAs must be concise and written in simple language: They must firstly describe the nature, scope, context and purposes of the processing. With this information, they must then assess how necessary it is to hold the data, its proportionality and must list all the compliance measures that will be required. It must identify and assess the nature of any risks to individuals that could happen if the data was breached and identify any additional measures that should be taken to mitigate those risks.
To assess the level of risk, you must consider the balance of the likelihood and the severity of any impact on individuals.
Who needs to be involved in an assessment? As well as anyone in the role of a data protection officer, you will need advice from people who understand the technical aspects, the business processes and the legal issues such as data retention. You will need representatives from any processors involved.
If the DPIA is properly drafted, and has the necessary information, it can be used to resolve any doubts or uncertainties over risks. Most governments have a function that will, when presented with a DPIA, give an opinion whether the processing of data can legitimately be done within the terms described.
Where necessary, especially if there is any element of doubt about the legality of what is being done, it may require explicit government ratification of the DPIA. In the UK this is done by the OIC.
Data Protection Officers
Every organization must ensure that it has sufficient staff and resources to discharge any obligations under the GDPR. It is always the senior management, trustees, or committee of any organization that is responsible for good custodianship of data. It is generally sensible to appoint someone to manage and maintain this. In certain cases, your organization may be required to appoint a data protection officer (DPO), especially if it is a public authority or body, or if it carries out certain types of processing activities such as
large scale, regular and systematic monitoring of individuals
large scale processing of special categories of data or data relating to criminal convictions and offences
If an organization decides that a DPO is unnecessary, the reasons for this must be documented along with a brief account of the evidence that led to this conclusion. If the organization changes its activities in any way that might change its level of compliance, then it must review this decision and replace this document as necessary.
A DPO is responsible for making sure that a suitable privacy protection program is developed, implemented and maintained for the organization. A DPO that is employed, perhaps part-time, must assist the organization in understanding their privacy obligations, to explain how to meet them, ensure that all the activities of the organization are kept under review for privacy, and to check that the recommendations of any DPIA are followed up. The DPO must ensure that policies and processes are created and maintained wherever they are needed and to check that staff training is made available to employees. They need to report on the level of compliance directly to the committee running the organization. As with Audit, the DPO must be an independent expert in data protection law and practices. The role can sometimes be shared between organizations.
DPOs will be required to
advocate privacy within the organization itself.
manage contracts for third parties who process for the organization, to make sure that the information is managed to the same standards as it would be within the organization.
inform and advise the employees of their data protection obligations under the GDPR and ensure that suitable training is provided.
check continuously on compliance with the GDPR and the organization’s data protection policies and procedures.
advise when a data protection impact assessment (DPIA) is likely to be necessary, perform the review, and supervise the DPIA.
serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting, and represent the organization in the event of a complaint investigation by a privacy commissioner’s office;
serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
Not only must organizations sharpen up the discipline with which they handle, process and curate personal data in line with legislation such as is defined by the GDPR, but also their level of accountability regarding personal data.
In effect, the recent changes in data privacy law make it an offense for the management of any organization to be ignorant of the way that personal data is handled within the organization. They also must be able to prove that the way their custodianship of personal data is regularly monitored and reviewed. The DPIA is merely a formal end-product of a process competently carried out, and the DPO is just the embodiment of the tasks and responsibilities of the management of any organization towards data privacy and custodianship.
Accountability isn’t intrinsically exciting. However, it is no longer sufficient for any organization to do everything possible to ensure that personal data is held correctly; it has to be seen to do so by documenting the review and risk assessment process to the standard required.