Accountability

So, what are the consequences of being a data controller? This slide sets out the essence of GDPR, that a controller must have a lawful basis for processing personal data and must comply with the data protection principles. Failure to do so could result in fines of up to 4% of a group’s worldwide turnover. The reason that GDPR has garnered so many headlines is just this, if you fail to comply with GDPR there is the potential for very significant fines. We will look again at this at the end of this step. So, what are the data protection principles?

The first one is that data must be processed lawfully, which we have looked at already, fairly and in a transparent manner in relation to the data subject. This last requirement imposes strict requirements on the information provided to the individual. For example, a proxy policy. The purpose limitation principle. Data must only be collected for specified, explicit and legitimate purposes and not used in a manner incompatible with those purposes. The data minimization principle. Personal data must be adequate, relevant and limited to what is necessary for the purpose for which it was collected. Accuracy. The accuracy principle requires that data must be kept accurate and up to date, and the controller must take every reasonable step to correct or erase inaccurate data swiftly.

Storage limitation. Data should only be kept for so long as is necessary for the original purpose. And the last, possibly one of the most important principles, the integrity and confidentiality principle sometimes known as the security principle. This requires that controllers take appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage to personal data. There is a huge amount of law and practice in respect of all these principles and we look at this in detail And the cybils course on the University of law’s academic master’s program. This week we’re going to look at three concepts which GDPR introduced, which go to the heart of understanding this area of the law.

The first of these is the accountability principle. The data controller needs not only to be responsible for, but must also be able to demonstrate compliance with the data protection principles. This is the accountability principle. This principle is a step change in the way that organizations handle data. It requires controllers to take proactive steps to ensure that they’re meeting the data protection principles. In particular Many organizations are now required under GDPR to appoint a Data Protection Oficer or DPO. DPOs are specialist roles designed to monitor internal compliance and inform and advise on a controllers data protection obligations. The DPO must be independent. They must be an expert in data protection, adequately resourced and report to the highest management level.

Data Protection Impact Assessments or DPIAs. These are processes to help an organization identify and minimize the data protection risks of a project. DPIAs are required for processing that is likely to result in a higher risk to individuals. In practice, whether or not they are required to many companies will undertake DPIAs when they’re looking at projects which involve the processing of personal data. The next key principle or new concept introduced by GDPR is the concept of data protection by design and default. You can see a definition of the on the slide. Privacy by design is a fundamental privacy concept, which has been used in the design of information technology systems for over 30.

GDPR now gives this design principle the force of law. Privacy by design requires a controller to embed or bekan data protection into its processing activities and business practices from the design stage right through the life cycle. It requires a controller to consider data protection and privacy issues up front and everything it does. Data Protection by Default is closely linked to the data principle of minimization. Personal data should only be collected and used for the minimum purpose necessary and no more. This may require decisions to close down functionality and applications designed to capture as much data as possible. The rise of artificial intelligence is symbiotic with access and processing of big data.

The more data AI can process, the more accurate and useful its results. This does not fit easily with the concept of data protection by design and default. The third key concept I would like to talk about today are Data Subject Rights. And on the slide you will see the three key rights that are given to data subjects. At the heart of the GDPR regime are these rights given to data subjects, i.e., to individuals to get some measure of control over the way the data is being used. Any organization needs to be mindful of the ability of data subjects to exercise these rights. This is also a key component of that controller being accountable. This slide highlights these three key rights.

The first one is known as the subject access request. This is a right of an individual to find out what personal data a data controller holds about them. Remember how the definition of personal data extends to all information relating to a data subject? This is relevant to a subject access request for an example, an employee requesting emails between managers and the company discussing the employee’s performance. Not all information has to be provided by a controller. The law sets out a number of exceptions such as confidential references and legally privileged information. These are looked at in detail on our master’s course. The second right on the slide is the right to erasure or more commonly known as the right to forget.

This is particularly relevant information that may be displayed publicly through Internet search results. Data subject may be able to require the search engine to remove these results in some, but not all cases. It is a qualified right. Google has had 845,000 right to be forgotten requests in the past five years and has removed 45% of the 3.3 million links referred to in those requests. Note also that a data subject can object at anytime to the data being used for direct marketing. And in that case, the controller would have to stop processing that data immediately. The third right and a new right introduced by GDPR is data portability.

The right to port or move your data to another supplier, for example, transferring your performance data on a wearable device such as a Fitbit to the provider of another similar service. Again, it is a qualified right and applies only with a lawful basis for processing is consent of fulfilling a contract. So, what happens when it goes wrong? Cyber attacks are an ever constant threat to organizations holding data. Humans also make mistakes which can lead to personal data being lost or made public. The security principle which we looked at above, requires that controllers take appropriate technical and organizational measures to protect against accidental loss of personal data.

But what will often happen is that principle is breached as a consequence of a cyber attack and personal data is lost or leaked. What then must the controller do? First, they must notify the Supervisory Authority. In this case, in the United Kingdom that is the Information Commissioner’s Office, or the ICO within 72 hours of the personal data breach. There is an exception where a breach is unlikely to cause a risk to the individuals. But this will only apply for minor breaches. Secondly, the controller also has to decide whether to inform data subjects. It must notify the data subjects of the breach without undue delay, where there is a high risk to their rights and freedoms.

For example, where the data could result in financial loss or result in identity theft. But, even if the controller does both of the actions above, the ICO still has the ability to find that control up to 4% of its worldwide turnover for breach of the data protection principles. The most high profile action to date in the UK, has been the ICOs proposal to fine British Airways £183 million with a personal data of approximately half a million customers were compromised. In addition, there’s also proposing to fine a Marriott £99.2 billion in respect of a data breach involving a company acquired by Marriott.

You will now move on to a short quiz to test your understanding of the material we have just covered.