Data Privacy Day

For any modern, forward-thinking business, having an effective strategy in place to store, manage and process data is vital. And the more an organisation can harness that data to its advantage, the more successful it is likely to be.

That’s why data handling and management matter so much. Yet despite this, millions of people are still unaware of and uninformed about how their personal information is being used, collected, or shared in our digital society.

Data Privacy Week - which started on Monday - aims to address this, inspire dialogue, and empower individuals and companies to act.

Here Lilian Tsang, Senior Data Protection and Privacy Solicitor from Harper James Solicitors, reflects on the challenges the pandemic has thrown up in this area - and on how businesses can best assess what any data strategy should include.

Lilian said: “We are over two years into the pandemic and businesses now face challenges from human resources concerns to new ways of working across the globe. However, we are far more connected as we continue to utilise software and tools many of us didn’t even know existed. 

“The pandemic has brought several data protection and privacy challenges among businesses - not least in ensuring employees are able to work remotely. In most cases this means WFH (“Working From Home”), a trend which has required businesses to effectively deploy the necessary tools, procedures and processes to enable employees to work productively.

“Businesses have also had to ensure they are continually evolving IT security practices to ensure systems are maintained and are as robust as ever. More so, we have seen nefarious actors taking advantage of the pandemic for their ill-gotten gains, meaning businesses must be more vigilant than ever. Training and awareness of staff is therefore even more important to help halt any unsavoury activities.

“The pandemic has also raised issues with monitoring of employees that may not have been thought of before Covid. The pandemic means employees are often now no longer “seen” in the office. This has required businesses to strike a balance between “fair” and “intrusive” monitoring and the type of monitoring deployed has certainly been high on the agenda for many businesses. 

“The pandemic itself has also brought disparity across data regulators’ views. Businesses often require specialist support on the amount of health data they are processing, the kind of data they are processing and what data should and shouldn’t be kept. There has been disparity between regulators’ views on what can and can’t be processed, which has kept data protection practitioners and the Privacy Office busy across the globe.

“Moving forward, the pandemic has certainly brought an extra element to contend with in the data protection and privacy sphere. But businesses who have evolved processes to meet the challenges of the pandemic will surely have a strong data protection and privacy framework in place post-pandemic. This is not a bad thing and could in fact become one of the most positive legacies of these past two years.”

Breakout

Today (Friday January 28) is Data Privacy Day. But how do you begin assessing how to manage data within your business? Here, Harper James Solicitors share their advice on how to create a Data Protection Impact Assessment.

What is a DPIA?

The Information Commissioner’s Office (ICO) describes a Data Protection Impact Assessment (DPIA) as a process to help you identify and minimise the data protection risks of a project. It helps businesses identify the risks associated with their processing of personal data, and it helps demonstrate compliance in line with the accountability principle.

When is it required? 

The GDPR states that a DPIA is required where a data controller is to process personal data that is ‘likely to result in a high risk to the rights and freedoms of natural persons’ (GDPR, Article 35). A good way to illustrate this is the introduction of new technologies that will affect the rights and freedoms of individuals. This is highly likely if the new technologies involve:

  1. Systematic and extensive profiling with significant effects 
  2. Large-scale use of sensitive data 
  3. Systematic monitoring of publicly accessible data on a large scale 

The ICO have further provided examples of processing that is ‘likely to result in high risk’. For example, a DPIA would be required where a Customer Relationship Management (CRM) system is being introduced in a business. The CRM would administer interactions with customers and can therefore hold a lot of personal data, such as names, emails, addresses, dates of birth and interests. A DPIA would help identify the risks in this processing and document the reasoning behind the outcomes and decisions reached. At times it is quite clear cut that one is required. In cases where it is not clear whether a DPIA is strictly mandatory, carrying one out is still considered good practice and helps demonstrate compliance. After all, non-compliance would attract a penalty of the standard maximum amount of up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

What is usually included in it? 

The ICO website provides a sample DPIA template showing what should be included. However, there is no single prescribed way to carry out a DPIA or fixed list of what it must contain; the following is a non-exhaustive list:

Provide a description of the processing

  • What type of personal data will you be collecting?
  • How will you be collecting, storing and/or accessing the personal data?
  • Who will have access rights to the personal data? 
  • Who will you share the personal data with and why? 
  • What technologies will you use for processing the data? 
  • What technical, administrative, and organisational measures will you put in place to protect the personal data? 
  • The scope of the personal data and number of data subjects associated with the said personal data.

Other key tips:

  • Consult – speak with relevant functions involved in the process, and in some instances, you may need to seek the views of the data subjects unless there is a good reason not to. A record must be made of this. 
  • Assess necessity and proportionality – identify and assess the risks in your project. Depending on your risk scoring or outcomes, you need to document and establish your reasons for accepting any risk. 
  • Identify or introduce measures that will mitigate or eliminate risk – if you cannot mitigate high risk but wish to continue with your processing, then you must consult with the ICO. 
  • Record decision making – include how you came to the decision and names and roles of those that were involved in the process. 
  • Review – the process needs to remain under review by testing its purposes against GDPR compliance. 

Startup Details

Harper James Solicitors

Harper James Solicitors is a new breed of commercial law firm. A law firm designed to support ambitious businesses from start-up to scale-up.

We champion growing businesses that are starting up or scaling up, enabling them to access expert legal advice at an affordable cost when they need it most.

The Harper James model of remote-working lawyers, clever use of technology coupled with unique subscription plans, enables us to provide cost effective business legal services without compromising on quality.

  • Headquarters Regions
    Sheffield, UK
  • Founded Date
    2011
  • Founders
    Toby Harper
  • Operating Status
    Active
  • Number of Employees
    11-50