If you have been reading my earlier posts on the new General Data Protection Regulations (GDPR) you may already suspect that the title of this update is a bit ambitious for a single blog post. So straight away let me back out and go with:
Are you a Data Subject, a Data Protection Officer, a Data Controller or a Data Processor?
The answer is that you probably are all three in one way or another and, if you have drawn the short straw within your company, you could even be all four. So how are these terms applied - and to whom?
This is the easy one. If the data is about you then you are the data subject. GDPR gives you rights, some of which you already had, but some have been strengthened and as of 25th May, they are enshrined in law. What these rights are and what they mean are the subject of a whole other post – which I’ll get to at a later date.
Data Protection Officer (DPO)
Another easy one. If your company processes personally-identifiable data, you should consider appointing a Data Protection Officer (if you fall under Article 37 you HAVE to have one). This is a person who should be well-versed in the intricacies of the new regulations and would be responsible for answering to the Board on GDPR compliance and to Data Subjects who make information requests (among many other things).
Do you run a payroll, work on events and gather data of lots of attendees? Do you run big mailing lists, gather contractor personal data for security clearance checks and inductions? If so, you are processing personal data – and should seriously think about having a DPO!
It is important to note that this person does not have to be a full-time employee of your organisation. In fact, there are many consultants out there who are keen to get you to sign on the dotted line to avail yourself of their services.
This role is a very important one with many protections enshrined in the guidance. The DPO's recommendations have to be taken on board.
And while the DPO need not be a full-time member of your organisation’s board of directors, the role carries a similar level of responsibility, so this is not something that could be delegated to the office junior.
This is where things start to get complicated! An organisation is generally the entity viewed as the Data Controller. An easy example of your company being a Data Controller is with respect to payroll management.
You control the data needed to run the payroll. It doesn’t matter if you subcontract that function to a third party. The data subjects are your employees and you, at the very least, supply the information to run the payroll.
As the Data Controller you are responsible for the accuracy of that data. You must ensure that it is kept up to date, that it is stored and, if necessary, transmitted securely. Furthermore, you need to know who has had access to that data, and you must be in a position to tell a Data Subject who had access to their personal information and supply them with a copy of that data should they ask for it. (This is usually compiled by the DPO).
The Data Controller is also responsible for ensuring that any data shared with third parties is managed securely and responsibly. Stand by for bureaucracy at a whole new level of hard-to-live-with!
As a general rule, the Data Processor is the person or organisation that does something with the data. Let’s say you employ a web design company to create and manage an online portal that will manage event registration along with a nice whizzy database that sends out emails to attendees and enables you (or the web design company) to extract reports from. It is your web portal, you are the data controller. The web design agency is the Data Processor as they are processing the data on your behalf.
The Data Processor has the same responsibilities as the Data Controller in that they have to ensure the data they have been entrusted with is accurate, managed securely and can respond to a subject’s data access requests. If there is an issue with the personal data (e.g. loss or corruption of the database), the Data Processor MUST inform you as the Data Controller as soon as possible.
A Data Controller cannot offload their responsibilities to a Data Processor – both are equally responsible and, if the Information Commissioner’s Office is in a bad mood, equally liable for any potential fines that can be imposed.
If you are a Data Processor and in possession of personal data to manage, you can expect to be asked to jump through a few more hoops than you may have had to in the past.
Being both a Data Controller and a Data Processor
And now we really are heading down the hole after the White Rabbit!
It’s very probable that your organisation is acting as both a Data Controller and a Data Processor, especially in the whacky world of event management.
We know that our company is acting as both and there is a good chance that yours is too.
Here’s a typical example, you are running an event and want the names and contact details of the crew.
Gallowglass is the Data Controller (the workers are our crew; we control their personal information) and you are the Data Processor as we are sharing the information with you.
And now… you want to hand that information on to someone else, e.g. the venue or your client.
Suddenly you have moved in to the fun position of being both the Data Processor AND the Data Controller – GOOD LUCK!
In the unfortunate event of the third party you have shared the information with having a data breach (and yes, Fred on the door at the venue losing, or not shredding the print-out of all the names and telephone numbers, counts as a data breach!) … you will have the added responsibility of notifying Gallowglass (and potentially the Information Commissioner’s Office if the data lost is counted as high risk) of that breach.
We, as the original Data Controller who passed the information, would then have the task of informing our crew that someone you handed their personal information over to has had a ’moment’!
FYI – a list of names on its own isn’t reportable to the ICO. But if it's a list of names with email addresses, phone numbers, etc – you need to talk to your DPO.
We would both have 72 hours from the time we became aware of the situation, to start taking action. Did you really still need those crew names and contact details?!?!? It’s worth thinking about.
There’s been a breach. Do we need to tell the Information Commissioner’s Office?
Damn good question – and the answer, as far as I can tell, is - it depends!
I know that isn’t that helpful but the best advice I can give is: “Get advice”. Your Data Protection Officer should be your first port of call. They should make the decision as to whether a call to the ICO is warranted.
If your house is in order, there actually isn’t anything to be too worried about. The ICO will want to see that you have made EVERY REASONABLE effort to protect the data subjects’ information. They do actually want to help.
There’s been a breach, do we need to tell the Data Subjects?
Another damn good question and the answer this time is – talk to your DPO first and if necessary a lawyer depending on the risk level! They are best placed to decide on WHAT needs to be done AND HOW it is to be done so you don’t end up in court being sued for causing ‘emotional distress’.
The Data Subjects have a legal right to be informed of a breach under GDPR, especially if the data concerned is considered high risk.
The important thing is to stay calm and not to ignore what has happened in the hope that it will go away.
You need to be able to tell the Data Subjects what was lost and whether there is a serious risk for them.
If it’s only names and email addresses that are involved, the risk is going to be relatively low. Let’s face it, people give that info away all the time (Facebook, LinkedIn, other web sites, etc). Your DPO may even decide that it’s such a low risk that it isn’t necessary to inform the individuals concerned. That is THEIR call as they should be trained in making that judgement.
If, on the other hand, you have been doing an accreditation for a high security event and the information includes names, addresses, national insurance numbers, passport details, email, inside leg measurement and whatever else MI5 has decided to ask for this time … and you didn’t password-protect that spreadsheet then the level of risk is high – get on to your DPO and the ICO straight away and be prepared for a real headache and some really irate phone calls!
Regardless, don’t try and cover it up – that is a sure-fire route to a large fine!
The bottom line is that your Data Protection Office should have put in place a plan for dealing with situations like this. So, talk to them.