This document provides an overview of trends and issues from the Information Commissioner's Office (ICO), including key statistics on Data Protection Act (DPA) complaints and enforcement actions. Common data protection failures seen by the ICO include a lack of training, inadequate policies and procedures, and failure to implement appropriate technical solutions like encryption. The ICO has a range of regulatory and enforcement options, including civil monetary penalties (CMPs), with a framework that considers the seriousness, aggravating/mitigating factors, financial impact, objectives, and consistency with past cases. An example CMP of £50,000 issued to Amber UPVC Fabrications Ltd is described.
1. Data protection 2013
Friday 8 February
#dmadata
Supported by
DMA Scotland legal update
Wednesday 28 May 2014, Standard Life House
#dmascotland
2. 8.30am Registration and breakfast
9.00am Welcome from the chair
Lynsey Fusco, CCRM manager, Visit Scotland
9.05am EU draft Data Protection Regulation – the current position, potential changes and
Impact on the industry
James Milligan, Solicitor, DMA
9.45am Information Commissioner’s Office – trends and issues
Maureen Falconer, Senior policy officer, ICO
10.25am Current legal issues affecting the direct marketing industry
James Milligan, Solicitor, DMA
11.10am Questions
11.30am Closing comments from the chair
Lynsey Fusco, CCRM manager, Visit Scotland
Agenda
3. Welcome from chair
Lynsey Fusco, CCRM manager, VisitScotland & Chair of
DMA Scotland council
#dmascotland
4. EU Draft Data Protection Regulation –
the current position, potential changes
and impact on the industry
James Milligan, Solicitor, DMA
#dmascotland
5. Impact of the new Data Protection
Regulation – Why now?
• Data Protection Directive 95/46/EC ("Directive") (implemented
in UK by 1998 Data Protection Act) showing its age
• New technologies and more complex information networks
• Lack of common European law and differences in national
implementation
• Consumer concern over privacy
• Data protection now a fundamental right under EU Charter of
Fundamental Rights
5
6. EU data protection reform timeline
• Jan 2012 -first draft Data Protection Regulation ("DPR")
• December 2012-amendments suggested by the
Rapporteur of EC Committee on Civil Liberties, Justice and
Home Affairs ("LIBE Report")
• February – May 2013 – Reported that 4000 amendments
tabled
• May 2013- partial "compromise" draft from Justice and
Home Affairs Ministers ( "CD" )
• October 2013 -LIBE voted on amendments
• October 2013 – Heads of Government meeting
• December 2013 – Inconclusive Justice and Home Affairs
Ministers meeting
6
7. EU data protection reform timeline
• Jan 2014 Civil servants working group meetings
continue
• Mar 2014 Inconclusive Justice and Home Affairs
Ministers meeting
• Mar 2014 MEPs adopted LIBE report
• May 2014 European Parliament elections
• June 2014 Next Justice and Home Affairs Ministers
Meeting
• Nov 2014 New European Justice Commissioner and
other Commissioners take office
• Dec 2014 Justice and Home Affairs Ministers agree
position
• 2015 Regulation is passed in Brussels
• 2017 Implemented into UK law
8. 8
8
• LIBE report adopted by all MEPs March 2014
• Proposes a number of changes to European Commission
original text
• Majority of changes favour consumer rather than businesses
Changes proposed by the European
Parliament to the draft Data Protection
Regulation (LIBE Report)
9. The "compromise draft" agreed by
EU Justice Ministers 31 May 2013
• "More business friendly" compromise draft ("CD") is only
partial: Chapters I-IV
• More changes to Chapters I-IV may be needed once the
remainder has been updated
• Regulation or Directive? – wording proposed allows for
Regulation to be transformed into a Directive (supported by
8 member states)
• June 2014 Chapter V may be added to draft
9
10. Headline proposed changes
• Expanded definitions: “personal data” and “data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
• Data processors directly covered
10
11. Consent
Consent: Current Position Consent: Proposed Position
- Freely given, specific,
informed indication of the
data subject’s wishes
- Explicit consent required
for sensitive personal data
only
-Freely given, specific, informed and
explicit indication of data subject’s
wishes
-Given either by a statement or a
clear affirmative action
- Data controller / data subject
relationship to be taken into
account
- Burden of proof on controller to
demonstrate consent
11
12. Introduction of opt-in/explicit consent
• Review language used at point of data collection to ensure
that consent is explicit /opt-in
• Do people understand what they are agreeing to? – nation
of liars
• Think about how you will update legacy databases
• Children – consent wording for under 13’s if offering them
an information society service
12
13. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could cover some
IP addresses and cookies as “online identifiers”
• But IP addresses identify a device not an individual + some
IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if not
impossible
• Interaction with new cookie rules problematic
13
14. IP addresses and cookies
• Think about how you will deal with extension to Include
location data, IP addresses, cookies, online identifiers
• Pseudonymous/annonymous data – will you be able to
take advantage of exceptions?
14
15. • Right for individuals to request organisations to delete any
information held on them
• Drafted with social media in mind – but goes beyond this
• Problem of information that has already been passed on to
third parties
• Possibility of misleading consumers by raising unrealistic
expectations
• Changes to current text likely
• European Court of Justice Google Spain case
15
Key points in the draft Regulation
The right to be forgotten
16. The right to be forgotten
• Prepare to respond to requests
• Deletion/ suppression
• Other legal requirements to keep information e.g.
accounting, tax, money-laundering
16
17. Key points in the draft Regulation
Data Breach notification
• Any data security breach to be notified to ICO and the
individuals concerned within 24 hours
• Report to cover:
• nature of breach
• number of data subjects
• categories of data
• proposed mitigation
• Not always obvious if there has been a breach or how
extensive it is
• Problem of notification fatigue
• No threshold level specified
17
18. Data security breach notification
• Introduce breach notification detection procedures
• Think about how you will notify data protection authorities
and affected individuals within whatever timescale is
agreed
• Develop/review your data breach response plan
18
19. Key points in the draft Regulation
Subject Access Requests (SARs)
• Data subjects to be able to request full information on data
held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but deters
time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data
subject agrees to this
• Particular problem for financial services with mis-selling
issues and claims management firms
19
20. Subject Access Rights
• New Regulation may lead to increased public awareness of
rights e.g., right to request information ( Data Subject Access
Requests, Right to be forgotten)
• Plan ahead for increase in queries from clients/public
• Training for client/customer service teams
• Amend wording on privacy policies/data collection notices to
take account of new rules on profiling.
20
21. Key points in the draft Regulation
Compliance obligations
• Data protection obligations now shared between agencies and
clients, for example if holding client’s database
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
- 2 year appointment
- Independent reporting to board
- Information and training
- Maintenance of documentation
- Data protection impact reports
• International transfers of data outside EEA – law would
apply to any processing of data or EU citizens
21
22. Compliance obligations
• Review amount of data being processed, erasure policies
and data retention policies
• Requirement to demonstrate compliance will mean more
documentation in respect of policies and procedures
• Contact centres, mailing houses, email/SMS broadcasters
will also be subject to these new obligations, especially in
respect of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk- based approach to compliance and data protection
impact assessments
22
23. Key points in the draft Regulation
Proposed enhanced sanctions
• Up to €500k or 1% annual worldwide turnover intentional or
negligent failure to respond to subject access requests in
accordance with Regulation
• Up to €1m or 2% of annual worldwide turnover for other
compliance failures
• Depends on:-
- size of organisation involved
- nature and gravity of breach
- whether intentional or negligent
- technical and organisational measures
- previous breaches
- co-operation with ICO
23
24. Enhanced sanctions/fines
• Watch out if you get it wrong!
• Increase focus on compliance – board level issue
• Review internal policies and procedures
24
25. Key Points in the draft Regulation
Delegated Acts
• Many details to be implemented through additional delegated
legislation – some 45 Delegated Acts mentioned.
• Details will not be clear until Regulation is passed
• These areas of secondary legislation will include:
- powers to specify further procedures
- technical standards for Privacy by Design/Default
- specification of lawful processing condition
- additional responsibilities for national data protection
authorities; etc.
• European Commission taking significant powers to itself away
from the national authorities - raises serious issues of
subsidiarity and accountability
• National governments and Data Protection Authorities are
concerned
25
26. • Main establishment/ one- stop shop provisions
• Think about which country’s national data protection
authority will be lead regulator
• Possibility of changing country where head office is located
• Review arrangements for transfers of data outside EEA (28
Member States of EU + Iceland ,Liechtenstein, Norway)
• Global group – application to EU citizens’ personal data.
• European Court of Justice Google Spain right to be forgotten
case - link between Google Spain and Google USA
26
Key Points in the draft Regulation
Cross – border issues
27. Impact on direct marketing
• Existing databases may not be usable: could decimate
prospect lists. Legacy data?
• No tracking data, profiling or segmentation without explicit
consent – less targeted and more generic communication?
• List broking severely restricted
• New information requirements and rights of the data
subject, e.g Right to be Forgotten
• Increased costs - £76,000 per business to comply +
possible £47 billion of lost sales in UK
27
28. Draft Regulation - DMA View
• DMA welcomes the Commission’s aim to reduce red tape
and simplify bureaucracy – but proposals do not achieve
that: overly strict, bureaucratic and unworkable
• Needs to be a fair balance between privacy and
legitimate business interests
• Current proposals will stifle innovation, add considerably
to business costs and place unnecessary obstacles to e-
commerce jobs growth
• Will be particularly harmful to SMEs – MoJ says
demonstrating compliance will cost £10m p.a.
• Hard to say how Commission’s estimate of 2.3 billion
euro saving to businesses was calculated
28
29. Ministry of Justice
• Disagrees with Commission’s 2.3bn Euro savings – burdens
imposed will far outweigh net benefits: in UK cost @ £100-
360 million
• Many unintended consequences, esp for SMEs
• Changes to consent, profiling & definition of personal data
particularly costly to industry
• Likely knock-on effects for growth in technological sector and
internet economy
• Regulatory Impact Assessment quotes DMA’s figures &
examples
• Impact on behavioural advertising
• Creates unrealistic expectations for consumers – R2BF
proposal is “unworkable”
29
30. Key lobbying messages
• Data is essential for economic growth
- UK has leading role in EU digital economy
- SMEs particularly affected
• Transparent and responsible use of data is a vital business
practice
- In industry’s interests to handle data with care
- Self-regulation has valid role to play
- Regulation will not stop bad players
• The proposed regulation is bad for consumers
- Would damage users’ online experience
- Danger of tick-box culture & unrealistic expectations
• Need a proportionate data regime that recognises that not all
data is the same
- Personal data, sensitive data, anonymous/pseudonymous
data
- Different levels of protection required 30
31. Lobbying activity
• In Brussels with key individuals in Council, Commission &
Parliament, e.g. MEPs & advisers; party groups
• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition
spokesmen
• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for
collective lobbying of Council and Parliament & lobbying directly
where there is no national DMA
• Position papers on priorities for industry + draft amendments to
text
• Research on consumer attitudes to privacy and on economic
value of the dm industry
31
44. Trends - what goes wrong?
Lack of training, both DPA and job specific eg data ‘hidden’
in spreadsheets;
Inadequate, outdated or poorly communicated policies eg
homeworking;
Insufficient procedures eg checking documents before
posting;
Failure to implement appropriate technical solutions eg
encryption & updates;
Absent, inadequate or unclear contracts with data
processors eg what to do with data at contract
end/termination.
All of the above have featured in CMPs issued by the ICO
45. Wheel of data ‘misfortune’
*Adapted from David O’Hare (2000) the ‘Wheel of Misfortune’; a taxonomic approach to
human factors in accident analysis in aviation and other complex systems. Ergonomics, 2000,
vol 43 No 12 2011-2019
External Stakeholders External Pressures
Tertiary Layer of
Cause
Secondary Layer of
Cause
Task
(policies &
procedures)
Equipment / means
(Failure to secure
appropriately)
Management
(lack of commitment to
DPA)
Technical weakness
(failure to encrypt)
Training
&
EducationThe
Human Factors
(distractions, missed
steps etc.)
46. Regulatory action options
Closed – compliance likely Closed – compliance unlikely:
No further action taken
Remedial action taken
Referred to Enforcement – Civil investigation team:
Information Notice
Undertaking
Enforcement Notice
Civil Monetary Penalty
47. Framework for CMPs
Step 1
• Seriousness of the contravention
Step 2
• Aggravating and mitigating factors
Step 3
• Financial impact on the data controller
Step 4
• Underlying objective
Step 5
• Final determination
48. Factors for consideration:
the nature of the contravention or breach;
the scope of the potential harm caused; and
consideration of what is reasonable and proportionate.
Rating bands:
Serious = £40,000 to £100,000;
Very serious = more than £100,000 but less than £250,000;
Most serious = £250,000 up to the maximum of £500,000.
Step 1
• Seriousness of the contravention
49. Factors for consideration:
The behaviour of the data controller following the breach;
Whether the data controller had previously declined to
submit to an audit;
The general record of the data controller; and
Any other factors taken into account that were not
considered at Step 1.
Step 1
• Aggravating and mitigating factors
50. Factors for consideration:
Any proof of genuine financial hardship which has been
supplied.
The Information Commissioner will not impose a CMP that
would cause a business to cease trading!
Step 1
• Financial impact on the data controller
51. Factors for consideration:
Is the level consistent with comparable cases?
Is the level sufficient to promote compliance with the Act?
It is important that there is consistency in the monetary
penalties set by the ICO.
Step 1
• Underlying objective
52. Factors for consideration:
Is the level reasonable and proportionate?
Is the level consistent with similar cases?
Is the level sufficient to promote compliance with the Act?
Final sign-off is undertaken by the Information Commissioner
or his Deputy.
Step 1
• Final determination
53. Amber UPVC Fabrications Ltd:
CMP - £50,000
June 2006 - First complaints about unsolicited marketing calls received.
May 2011 - April 2013 - 513 complaints to TPS from registered individuals
who had received unsolicited direct marketing calls from Amber Windows.
On 377 occasions Amber Windows failed to respond to the TPS. When it did,
the following excuses were made:
On 67 occasions Amber Windows said it was a “programming error”.
On 37 occasions Amber Windows said “we use Telephone Europe Ltd for
outbound calling”.
On 24 occasions Amber Windows said it was “human error”.
On 3 occasions no reason was given.
On 3 occasions Amber Windows claimed that “there is no record of the call being
made by us”.
On 1 occasion Amber Windows claimed “we had prior consent to call this
number”.
On 1 occasion Amber Windows stated that “they need more information”.
54. First Financial (UK) Limited:
CMP - £175,000
February - March 2013 First Financial instigated the sending of or sent
4,031 unsolicited direct marketing texts to mobile phone subscribers who
had not consented to receive them.
It used unregistered SIM cards for the campaign to avoid detection by the
mobile telephone networks’ spam detectors.
The texts were sent at inconvenient and unsociable hours of the
morning and evening and at weekends e.g. 01:00 hours;
The texts interrupted people’s sleep;
The texts caused particular problems for vulnerable recipients;
People texted ‘stop’ only to receive the same message minutes later;
The texts, especially when sent at unsociable times, caused
unnecessary alarm and fears for the welfare of relatives particularly
where the recipient’s number was used only for contact with a sick,
elderly or otherwise vulnerable relative or close friend;
The texts were designed to appear as if they were from a friend and
were deceptive;
55. Tameside Energy Services Ltd:
CMP - £175,000
May 2011 - January 2013 TPS received 1,062 complaints from persons
registered with them who had received unsolicited direct marketing calls.
612 of these were during the time when Tameside was engaged in
correspondence with the Commissioner about the contraventions.
Tameside have held a TPS licence since March 2006, and, in spite of
assurances to the contrary, did not start downloading the list until January
2013.
The number of complaints against Tameside increased during the period
when the correspondence referred to was entered into, rather than
decreased.
56. Better Together Campaign
Sent out 100,000 text messages promoting the Better
Together Campaign.
Complaints made to ICO by rival political campaigners and
members of the public who received the texts.
Extensive investigation by ICO discovered some permissions
given as long ago as 2006 and from unrelated sources.
57. Better Together Marketing Campaign – data sources (2006-2013)
Better
Together
Marketing
Company
Data Company
Marketing
Company
Marketing
Company
Data
Company
Data
Company
Media
Company
Insurance
Company
Data
Company
Marketing
Company
Price
Comparator
Data
Company
Data
Company
Loan
Company
Catalogue
Company
Marketing
Company
Car
Company
Data
Company
Finance
Company
Loan
Company
Telephone
Marketing
Sales
Company
Insurance
Company
Media
Company
Loan
Company
Marketing
Company
Marketing
Company
Marketing
Company
Finance
Company
Car
Insurance
Bank
Car
Insurance
Price
Comparator
Car Loans
Data
Company
Marketing
Company
Graphics
Company
Travel
Company
Insurance
Company
Price
Comparator
Media
Company
Media
Company
Instigator Sender
List
broker
Data
collector
58. www.twitter.com/iconews
Keep in touch
Scotland Office:
45 Melville Street
Edinburgh
EH3 7HL
T: 0131 244 9001 E: Scotland@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk
or find us on…
59. Current legal issues affecting
the direct marketing industry
James Milligan, Solicitor, DMA
#dmascotland
60. What we are going to look at
Current UK ICO Issues
Changes to UK Consumer law
Nuisance calls
Financial services
Other Issues – electoral roll, employment, environment and
postal
New DMA website
60
61. Current UK ICO issues
Direct marketing guidance
Privacy impact assessments
Annonymisation code
New approach to data protection concerns
ICO 2020 Strategic Vision
CCTV Code of Practice
Protecting Personal Information in online services
61
62. Direct marketing guidance
• ICO interpretation does not change law
• Issued 9 September2013
• Retrospective , transitional period
• Respect consumer expectations and preferences
• Tightening up of third party consent for digital marketing
• Time limits for consent
• Proof of consent
• DMA clarified issues with ICO
• Supplementary DMA guidance issued May 2014
62
63. Privacy Impact Assessment Code of
Practice
• Published 25 Feb 2014
• Annex 1 – PIA screening questions
• Annex 2 – PIA template
• Annex 3 – PIA and data protection principles
• Relevance to draft Regulation
63
64. Anonymisation Code of Practice
• Issued 20 November 2012
• Re-identification – "motivated intruder" test and risk
assessment of future identification
• Big Data – does it make annoymisation of data impossible?
• Consent – "legitimate interests“
• Pseudonymous and annoymous data may be included in
draft Regulation
• Currently ICO asking for comments prior to review
64
65. ICO- How we deal with complaints and
concerns- A guide for data controllers
• ICO wants organisations to handle their own data protection
complaints and concerns in the first instance
• ICO will direct members of public to contact organisation in
first instance
• If public not satisfied then may follow up with ICO
• ICO will then use explanation you gave them to make it’s
decision about your organisation's compliance with DPA
• Need for your organisation to demonstrate to its customers
and to ICO that you understand your information rights
obligations
• Link to ICO’s plan – more for less
65
66. ICO 2020 Strategic vision
• Challenges
• What and how the ICO expects to do over next 5 years
66
67. CCTV Code of Practice Consultation
• Revision of existing code of practice to take account of new
technologies, including drones
• Consultation closes 1 July 2014
67
68. Protecting personal data in online
services: learning from the mistakes of
others
• ICO has identified eight important areas of computer
security that have arisen during investigations of online
breaches, Examples of problems and best practice
• Areas are:
• Software updates
• SQL injection
• Unnecessary services
• Decommissioning of software or services
• Password storage
• Configuration of SSl and TLS
• Inappropriate locations for processing data
• Default credentials
68
69. Changes to Consumer Law
Consumer Protection Amendment Regulations
Consumer Contracts Regulations
Consumer Rights Bill
69
70. Consumer Protection Amendment
Regulations
• Come into force 1 October 2014
• Rights for consumers for redress in respect of aggressive
and misleading practices
• Aggressive and misleading practices defined in Consumer
(Protection from Unfair Trading) Regulations
• Redress includes:
• Right to end the contract and get a full refund
• Right to a discount depending on seriousness of practice
• Right to seek damages
70
71. Consumer Rights Bill
• Now delayed until later in 2014
• Will be carried over into 2014-15 Parliamentary Session
• Updating and reform of UK based consumer law
• Increase consumer confidence
• Improve enforcement powers
71
73. Nuisance Calls
• 2013 2 parliamentary inquiries
• All Party Parliamentary Group on Nuisance Calls
• Commons Select Committee on Culture Media and Sport
• 2014 Government Published Nuisance Call Action Plan
• Which? Taskforce on Consent
• ICO raided a SIM card ‘farm’ last week
• Make sure you are compliant with legal requirements in this
area
73
75. FCA replaces FSA
• New Vision – “To make relevant markets work well so
consumers get a fair deal”
• Consumers get financial services and products that meet
their needs from firms they can trust
• Markets and financial systems are sound and stable and
resilient with transparent pricing information
• Firms compete effectively with the interests of their
consumers and the integrity of the market at the heart of
how they run their business
75
77. Other issues
• Electoral register
– Electoral Registration & Administration Bill – introduction
of individual electoral registration and system opened up
for digital application.
– Edited version of register will be kept but issue on opt-
outs.
• Employment
– TUPE – Government consultation – outcome no changes
• Environment
– Unaddressed mail preference service - awaiting DEFRA
input
77
78. Other issues
• Postal
– Postcode address file – new changes.
– Simplify licensing process
– Change payment structure
78