GDPR

  • Dixons Carphone data hack

    In June this year, Dixons Carphone announced that a major data breach had occurred, initially estimating that 1.2 million customers were affected. That figure has since risen to 10 million customers whose personal information, including names, addresses and email addresses, may have been accessed.

    Dixons Carphone said that no bank details were taken; however, 5.9 million payment card records were accessed, although the majority were protected by chip and PIN.

    The company has expressed regret for any distress caused, stating that it would be apologising to the customers affected in due course. Dixons Carphone chief executive Alex Baldock said the company is working with leading cyber security experts to improve its security measures, which has involved:

  • Are MAC addresses personal data?

    A media access control (MAC) address is a unique identifier assigned to a network interface for communications at the data link layer of a network segment. The first three octets (the OUI) identify the manufacturer and are publicly registered; only the remaining three octets distinguish the individual interface.

    On page 11, paragraph 2, WP29 states: "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

    The CJEU's judgment in C-582/14 Breyer concerned dynamically assigned IP addresses. Given that MAC addresses can be spoofed or changed, it may seem odd that they are treated as personal data. However, there are very good reasons why WP29 states that MAC addresses should be regarded as personal data:
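    The following is an added example, not part of the original article or of the WP29 opinion, showing why an unkeyed hash of a MAC address is not anonymisation: the manufacturer prefix is public and only 2^24 device ids exist under it, so anyone holding the hashes can simply try them all. The OUI, the sample MAC and the demo key are constructed values chosen so the search finishes instantly; the keyed (HMAC) variant is the author's suggested alternative and is still only pseudonymisation, because the key holder can re-identify.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values, not taken from the page: an arbitrary OUI and a
# device id of 0x00012c (decimal 300) so the demonstration search ends quickly.
SAMPLE_OUI = "00:1a:2b"
SAMPLE_MAC = "00:1a:2b:00:01:2c"

HEX = set("0123456789abcdef")


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form. Without this, the same
    interface captured as 00-1A-2B-00-01-2C and 00:1a:2b:00:01:2c would hash
    to different values and the 'pseudonym' would not even be consistent."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def hash_mac(mac: str) -> str:
    """Unkeyed SHA-256: the kind of 'hashing' WP29 says does not stop a MAC
    address being personal data."""
    return hashlib.sha256(normalise_mac(mac).encode()).hexdigest()


def reverse_hashed_mac(digest: str, oui: str, limit: int = 1 << 24) -> Optional[str]:
    """Recover the MAC behind an unkeyed hash by trying every device id under
    a known (public) OUI. There are only 2^24 per manufacturer, so the full
    search takes seconds to minutes in Python; `limit` caps it for the demo."""
    prefix = normalise_mac(oui + ":00:00:00")[:8]
    for n in range(min(limit, 1 << 24)):
        candidate = f"{prefix}:{(n >> 16) & 0xff:02x}:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def pseudonymise_mac(mac: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA256). An attacker without the key cannot run
    the enumeration above, but whoever holds the key still can, so the output
    is pseudonymised rather than anonymised and remains personal data."""
    return hmac.new(key, normalise_mac(mac).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    digest = hash_mac(SAMPLE_MAC)
    print("unkeyed hash:", digest)
    print("recovered by enumeration:", reverse_hashed_mac(digest, SAMPLE_OUI, limit=1000))
    key = b"\x00" * 32  # demo only; in practice secrets.token_bytes(32), kept apart from the data
    keyed = pseudonymise_mac(SAMPLE_MAC, key)
    print("keyed pseudonym:", keyed)
    print("recovered from keyed:", reverse_hashed_mac(keyed, SAMPLE_OUI, limit=1000))
```

    The enumeration succeeds against the plain hash and fails against the HMAC, which is the practical difference between the two; neither takes the data outside GDPR, because the organisation that keeps the key can still single out the device.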

  • Binding Corporate Rules

    In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):

    • Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
    • Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

    The tables have been amended to meet the requirements of Article 47 GDPR, in order to clarify the necessary content of BCRs and to distinguish between what must be included in the BCRs themselves and what must be presented to the competent supervisory authority in the BCR application. The amendments also map each principle to the corresponding Article 47 text reference for controller BCRs and provide further guidance on each requirement.

  • If an organisation has not obtained consent to record calls for training purposes, can it cite 'legitimate interest'?

    Some sectors, such as the insurance industry, are required by their regulator (for example the FCA) to record calls, so recording the call does not present a problem.

    For unregulated businesses, however, this needs thought. Capturing consent is not mandatory, and GDPR does not say that consent is required for audio recordings. Another lawful basis, such as legal obligation, performance of a contract or legitimate interest (with an appropriate balancing exercise), could well be used. Nevertheless, GDPR still requires that the recording be made clear to data subjects.

    Any recording could potentially contain personal data. The one case in which explicit consent is needed is where the recording is processed by a tool, technique or technology used specifically to identify the caller, for example voice recognition, since that makes it biometric data.

    While legal, contractual, police, health and regulated purposes fall under the other lawful bases, 'training purposes' or 'training and monitoring purposes' are likely to fall under legitimate interest.

    Further, it is not only important to identify the correct lawful basis under GDPR; thought should also be given to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 and the associated case law, which are key for monitoring and recording.


  • CNIL hands notice to French energy company

    In March, the French data protection authority (CNIL) announced that it had issued a formal notice to DIRECT ENERGIE, Société Anonyme, for failing to obtain valid consent for the collection of customer usage data from its Linky smart meters. CNIL ordered Direct Energie to obtain valid consent within three months of receiving the notice.

    Although the CNIL decision is based on French law, it signals the likely approach of other supervisory authorities within the EU.

    The issue CNIL identified is that, at the time the meters were installed, customers were asked to give a SINGLE consent covering both 1) the installation of the meter and 2) the collection of hourly electricity consumption data. The stated purpose of the data was to determine eligibility for various tariff benefits.

    Installation of the meters was mandatory, so consent was not the relevant basis for it. The second limb of the request, the consent to data collection, was therefore invalid: it was not freely given, because it could not be separated from the installation of the meter, and it could not be considered informed and specific, because it was bundled with and dependent on the overall contract.

    It is for organisations to ensure that their systems reflect data protection by design, including the rights relating to profiling, and Direct Energie clearly failed in this regard. Further, it had no lawful basis for the processing: hourly consumption data was not necessary for performance of the contract, since customers are billed monthly.

    An organisation which seeks to rely on legitimate interest is required to perform a legitimate interest assessment, balancing those interests against the rights and freedoms of the individual. The collection of hourly data was, according to CNIL, particularly intrusive and detrimental to the privacy of individuals and disregarded their rights and interests.

    Direct Energie did not help itself by stating in its privacy notice that the hourly consumption data would enable the customer to benefit from tariff deals, when there were in fact no tariff offers based on hourly consumption.

    CNIL therefore concluded that the processing had no lawful basis, since it was not based on valid consent and the other possible lawful bases failed.

    Fortunately for Direct Energie, so long as it complies within the deadline set by CNIL, no penalty will be imposed.

    GDPR Article 21 gives an individual the right to object at any time to profiling of their personal data for direct marketing purposes. The parallels with this case, while subtle, make clear that where a company wishes to understand its customers' behaviour by analysing their consumption habits, which is ultimately linked to marketing strategy, prior consent is required because of the sensitive nature of energy consumption data. Organisations must therefore adapt their systems and ways of working so that any marketing or perceived 'customer benefit' which is really the basis for their own data analysis is kept separate from the overall contract the customer has entered into.

    Facebook in particular, given the collection methods it uses, will have to change the way its marketing, analytical and statistical data processing is separated from its core function as a social media platform.

  • Supporting GDPR Gap Analysis and Audits


    Compliance tools for GDPR gap analysis and audits

    There are various tools available which cover the essential elements of a data project, such as data discovery, data mapping and data lineage. Gap analyses, meanwhile, tend to be performed by traditional auditing methods: reviewing the organisational and process documents and liaising with the departments involved in data processing.

    Below is a non-exhaustive list of support tools:

  • consent and retention of data

    There are effectively two points to consider here: firstly, the consent requested for use of the data during the retention period; and secondly, how the business manages the information collected in order to document and evidence its compliance.

    The business should consider things such as:

    • how the data is stored: primary storage such as databases; secondary storage such as email, employee contact records, printed materials and spreadsheets; and backups
    • the stage at which a contract is formed, as this may affect the retention period

    An individual who contacts a business intending to buy from it will usually expect to be contacted back. It would be wise for the business to record the contact details, note the time and substance of the conversation, and ask the customer's permission to send out information. The customer should also be told that once the transaction has completed their personal data will be destroyed, and within what time frame, taking account of any warranty periods and similar obligations.

  • DATA CONTROLLER

    Where a Controller uses third-party systems to process personal data, responsibility for consent still lies with the Controller. Controllers bear the onus of obtaining GDPR-standard consent (or identifying another lawful basis for the processing), demonstrating it to the regulator and ensuring it can be withdrawn as easily as it was given. Selecting Processors who are themselves GDPR-compliant and can support the Controller's obligations is therefore key.

    If the third party has processing purposes that are separate from the Controller's, then under Article 28(10) the third party is deemed a Controller in respect of that processing and must secure its own lawful basis, whether consent or another basis.

    The Controller may update its contracts to obtain certainty that its Processors adhere to the same GDPR standard and that any breach is indemnified by the Processor. Meanwhile, if the Processor believes an instruction from the Controller infringes GDPR, it has an obligation under Article 28 to inform the Controller, and it should record that notification.

  • Supermarket chain Morrisons faces paying compensation to more than 5,000 of its staff after the Court of Appeal upheld the High Court's ruling that Morrisons is liable for the data leak carried out by its former employee, Andrew Skelton.

    The supermarket chain is now involved in the UK's first data leak group action, arising from Mr Skelton's actions in 2014, when the then senior internal auditor leaked payroll data while working at Morrisons' head office in Bradford.

    The claimants are a mixture of former and current employees, who allege that the breach left them exposed to possible identity theft and financial loss. The courts have ruled that Morrisons is responsible, and it is therefore in breach of data protection, privacy and confidence laws.

  • Data Privacy in Europe and beyond

    GDPR is not the only new European privacy regulation everyone is talking about. There has been a lot of discussion of the ePrivacy Regulation, which deals with electronic communications and will replace the ePrivacy Directive, often called the 'cookie law'. The ePrivacy Regulation was originally supposed to apply from 25 May 2018, the same day as GDPR. It has been delayed, but is still expected to come into effect this year, pending review by the EU member states.

    Although some of the changes may appear small, as a whole they will have a significant impact in the long run and will make organisations more aware of the rules they must adhere to, which are aligned with the GDPR requirements.

  • Cloud storage

    Cloud providers do not generally let small companies choose where their data is held. Instead, the data is stored in the provider's own data centres, often in the US (as in the case of Dropbox). Similarly, OneDrive enables some customers to locate their data within the EU, but general users do not have that option.

    This makes it hard for organisations to comply with GDPR, particularly where there is a cross-border transfer of data. Some of the larger providers, including Microsoft Azure, Google and AWS, have implemented 'GDPR-ready' platforms. Microsoft also offers a compliance portal, and for OneDrive as part of Office 365 the location of the data is tied to the Office 365 billing address. ShareFile by Citrix is another service which enables storage within the EU.


    Away from these platforms, it is of course possible to encrypt the data before it is stored in the cloud. The location of the server then matters less, because the cloud provider, such as Dropbox, has no access to the content. Encrypting the data and holding the keys within the organisation before the data leaves it is perhaps the most sensible way to overcome the issue, and pseudonymising data held in cloud SaaS applications should also be considered. Note that provider-managed 'encryption at rest' does not achieve this, since the provider holds the keys, and that file names, sizes and access patterns remain visible to the provider unless they are protected separately.


  • Data protection risk assessment

    A Data Protection Impact Assessment (DPIA) is a procedure which helps you identify and minimise the data protection risks of a project. You must complete a DPIA where processing is likely to result in a high risk to individuals, which usually means new tasks or projects.

    In order to conduct an assessment, you can utilize certain applications in order to produce an efficient DPIA.

  • When a data subject challenges the accuracy of their data or the legitimacy of your holding it, you must restrict processing, including access, while you investigate. This raises the question of how that restriction is actually implemented and, more importantly, what YOU are doing about it. The reality is that few organisations are doing this yet: systems can be configured to restrict processing, but very few applications are built with privacy by design. Practically speaking, while the challenge is investigated the affected records should be accessible only to a designated few, so that only authorised staff can reach the personal data, and if the data is used for analytics it should be anonymised.

  • GDPR compliant document handling

    Document management solutions provide:

    • structured organisation and control of documents
    • search
    • document security, audit trails and versioning
    • the capability to manage retention

    What they are not necessarily capable of is identifying and separating personally identifiable information (PII) from everything else in each document.

  • Email Marketing Consent

    The forthcoming ePrivacy Regulation is set to particularise GDPR for electronic communications and is focused only on the electronic side: devices, processing techniques, storage, browsers and so on. In the UK the current rules are the Privacy and Electronic Communications Regulations (PECR).

    It is the successor to the current ePrivacy Directive, known as the 'Cookie Law' because it is the source of the banner frequently seen on Europe-based sites declaring that users agree to the use of cookies if they continue to use the site.

    Under the email marketing rules in PECR (regulation 22), marketing emails and texts must not be sent to individuals without their specific consent, although there is a limited exception for existing customers.

  • Fraud

    Industry group UK Finance has found that customers of UK banks had more than £500m stolen from their accounts in the first half of this year. This consisted of £358m lost to unauthorised fraud and £145m obtained through authorised push payment (APP) scams. The distinction matters because banks usually refund victims of unauthorised fraud, whereas APP victims are rarely refunded.

    In the first half of 2017, APP scam losses totalled £101m; the current figure is £44m higher, partly because four more banks now report fraud data.

    UK Finance's managing director for economic crime, Katy Worobec, said the new figures highlight fraud as a "major threat" in the UK, and that money taken from bank accounts is used to fund terrorism, people smuggling and drug trafficking.

  • Under the Privacy and Electronic Communications Regulations (PECR), it was possible to use lists of people who had purchased goods or services in the past and simply offer them an opt-out from future mailings.

    Under GDPR this is no longer valid where consent is relied on, because consent that is assumed or implied is not clear and active consent. The soft opt-in, however, is not changing and can still be used.

  • GDPR and transferring encrypted data outside of EU

    Recently there has been discussion of whether it is GDPR-compliant to store encrypted personal data in applications hosted outside the EU. Dropbox is an example, as it has US-based servers: if personal data is put through the Dropbox system, it has technically been transferred outside EU jurisdiction and needs a lawful transfer mechanism, failing which the transfer is not compliant.

    However, personal data stored in this way is often encrypted, with only the necessary individuals given the key to access it. Is the transfer compliant in that case?

    Although the data has been transferred outside the EU, the encryption key is not stored on the cloud servers, so the provider holds nothing from which an individual can be identified. This only holds if the data is encrypted before upload with keys the provider never sees; the provider's own encryption at rest does not count, because the provider controls those keys. There also remains the risk of a breach if an unauthorised party obtains the key.
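    As an added example of the approach described above and in the cloud storage section (not code from the original article or from any provider), the following encrypts a record on the organisation's side with AES-GCM before it is handed to a cloud object store, with the key generated and kept locally. It assumes the Python `cryptography` package is installed; the object name, the sample record and the dictionary standing in for the provider's storage are constructed for the demonstration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


def new_key() -> bytes:
    """256-bit AES key. Generate it inside the organisation and keep it in a
    key store, HSM or at minimum an owner-only file; it never goes to the cloud."""
    return AESGCM.generate_key(bit_length=256)


def save_key(key: bytes, path: str) -> None:
    """Persist the key locally with owner-only permissions (POSIX semantics)."""
    with open(path, "wb") as f:
        f.write(key)
    os.chmod(path, 0o600)


def encrypt_for_upload(plaintext: bytes, key: bytes, object_name: str) -> bytes:
    """Blob to hand to the provider: nonce || ciphertext || GCM tag.
    The object name is bound as associated data, so a blob that is swapped or
    renamed on the provider side fails authentication instead of quietly
    decrypting to the wrong record."""
    nonce = os.urandom(NONCE_LEN)  # fresh per object; never reuse with the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, object_name.encode())


def decrypt_after_download(blob: bytes, key: bytes, object_name: str) -> bytes:
    """Inverse of encrypt_for_upload; raises InvalidTag on any tampering."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, object_name.encode())


def is_authentic(blob: bytes, key: bytes, object_name: str) -> bool:
    """True if the blob decrypts under this key and name; False if it was
    modified, swapped for another object, or encrypted under a different key."""
    try:
        decrypt_after_download(blob, key, object_name)
        return True
    except InvalidTag:
        return False


# Constructed stand-in for the provider's object store: everything the
# provider ever receives is what ends up in this dictionary.
CLOUD_STORE = {}


def upload(key: bytes, object_name: str, plaintext: bytes) -> None:
    CLOUD_STORE[object_name] = encrypt_for_upload(plaintext, key, object_name)


def download(key: bytes, object_name: str) -> bytes:
    return decrypt_after_download(CLOUD_STORE[object_name], key, object_name)


if __name__ == "__main__":
    key = new_key()
    record = b"name=Jane Doe,email=jane@example.com"  # constructed sample record
    upload(key, "customers/2018-06.csv", record)
    print("provider sees:", CLOUD_STORE["customers/2018-06.csv"].hex())
    print("organisation recovers:", download(key, "customers/2018-06.csv"))
```

    What the provider stores is the nonce, the ciphertext and the tag only; the object name is still visible to it, which is the residual metadata exposure mentioned above.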

  • GDPR AND HR

    From 25 May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers must take on new responsibilities and update their contracts, policies and procedures in order to remain compliant with the GDPR requirements.

    This means employers must:

  • CCTV GDPR

    The legal requirements for surveillance and personal cameras are set out in the CCTV code of practice issued by the ICO.

    Surveillance is now a proactive technology which can identify people and keep detailed records of their activities.

    As a consequence of the greater use of surveillance, the Protection of Freedoms Act (POFA) was passed for England and Wales. POFA introduced a new Surveillance Camera Code of Practice and created the office of Surveillance Camera Commissioner, while the ICO's code of practice is backed by the ICO's enforcement powers under data protection law.
