Thursday Thoughts - 9 December 2021
This week’s Thursday Thoughts follows an interesting week. Life in this field is rarely the same from one day to the next, and this week I have dealt with SARs, Rights to be Forgotten, audit reports, rewriting policies and a myriad of small one-off tasks and calls. On Thursday was the inaugural Piccaso Special Interest Group, featuring Vivienne Artz OBE (CPO, LSEG), Cameron Craig (CPO, HSBC) and Emma Martins (the Guernsey Data Protection Regulator) as guest speakers. The event was well received and I’ve included my takeaways from it.
My “advent” calendar of 24 data protection ideas to keep you out of trouble has been getting quite a few comments. Day 9 is “write your record of processing activities” and day 10 is “check how secure your data storage is”. The full list is later on in the blog. There’s some shocking news for users of Life360. Finally, as usual, there is the summary of fines (it’s been busy in Spain again) and I’ve put in some top news stories from the week.
This week I have a topical top tip, this time from Ed Hays of TLT LLP, for his explanation of why Santa has selected Legitimate Interests as his lawful basis for the Naughty List.
Blog/Podcast of the Week
Lisa Bradley (EML) – Déjà vu: What the latest instruction to work from home means for employers
Debbie Reynolds (The Data Diva) - Talks Privacy podcast about privacy in the public sphere with Olivia Holder, Senior Privacy Counsel, GitHub.
Key takeaways from the inaugural Piccaso Event
Although it was sad not to be able to meet CPOs, DPOs, CDOs, CIOs and CISOs in person, I found the inaugural Piccaso Special Interest Group extremely interesting. The guest speakers (Vivienne Artz OBE, CPO LSEG; Cameron Craig, CPO HSBC; and Emma Martins, the Guernsey Data Protection Regulator) all spoke eloquently. It was clear from the comments from the audience that their views were resonating through the community. My key takeaways were:
The concept of privacy needs to be embedded in the organisation so that it becomes part of the culture.
The trick is to provide the translation between the legal obligations and how it works in that particular business – making it relevant and easy to understand.
Privacy shouldn’t just be approached from a legal and compliance standpoint; you also have to understand the business landscape.
Make the conversation about humans and use terms everyone can understand.
Look for open doors and pick your battles – you can’t win everyone over in one go.
Privacy and data protection extend further than the DPO and their team.
Make training relevant and fun so that people engage and remember more.
This week’s top tip came from Ed Hays of TLT LLP, who also has an advent calendar of data protection. His explanation of why Santa has selected Legitimate Interests rather than consent or any of the other lawful bases for his “naughty list” is really easy to follow. If you want to use legitimate interests, consider your purpose, establish a necessity, and then decide whether an individual’s rights override this purpose/legitimate interest (this is a legitimate interests assessment). Job done!
Did you know that Life360 sells your exact location to data brokers?
Lots of parents use Life360 to track where their children are. However, many are unaware that the company sells on its users’ data to “approximately a dozen” data brokers. The data brokers are then able to sell the information (much of which can still be traced back to “real” people) on to pretty much anyone who wants it, including the US Department of Defense and the CDC – that’s more than slightly worrying in my book! It’s a massive revenue stream for them and generated more than $16 million in 2020 (almost 20% of their annual revenue). You can read more about it on themarkup.org. There is a way to turn off the data sales setting, so if you haven’t done so already and don’t want anyone anywhere to be able to see where you are, here’s what to do:
Go to the wheel, select “Settings”, then “Privacy” and toggle “Sales of data” to off.
News from Around the World
As businesses emerge from the pandemic, nearly two-thirds of enterprises in the Asia-Pacific region have indicated they plan to increase their IT budgets next year. Investments in cloud computing and cyber security are expected to be at the forefront of this.
Chipset shortages may slow down the 5G roll-out in 2022
There are predictions that chipset shortages will lead to a slower 5G roll-out than expected in 2022. 5G connection numbers will be limited by consumer upgrades to 5G handsets as well as by 5G network deployment. So even though operators will probably push for more 5G coverage and more networks, the actual number of subscribers will be determined by users physically getting their hands on a 5G handset. The delays in shipments of these are expected to result in 105 million fewer 5G handsets in use in 2022 than previously forecast.
Network security will be the focus for many in the post-pandemic world
With the increase in remote working, cloud adoption and other digital transformation will be at the forefront of organisations’ minds in 2022. It will leave many struggling to understand network security and how it applies in their own context. For organisations looking to revamp their security architecture at a time when cyber attackers have been on the prowl, this helpful guide to the hybrid workplace from Computer Weekly may be useful: https://www.computerweekly.com/ehandbook/Network-security-in-the-post-pandemic-era
IT spending in the Indian subcontinent
According to the latest industry forecast by Gartner, spending on IT in India in the next 12 months will grow by 7% as businesses move to modernise IT infrastructure and support a hybrid workforce. The industry spend is expected to reach $101.8bn.
ICO warning for Clearview AI over privacy breaches
The UK’s ICO has issued a warning to facial recognition company Clearview AI that it could face a £17M fine for privacy breaches.
The UK ICO fined the Cabinet Office £585,000 for failing to have appropriate technical and organisational measures in place after it published a file on the Gov.uk website which included the unredacted names and addresses of more than 1,000 recipients of honours in the New Year’s Honours list. The information was available online for just 2 hours and 21 minutes but had been accessed more than 3,800 times.
The Lithuanian DPA fined UAB Prime Leasing (the owners of the short-term car rental platform CityBee) €110,000 for failing to have appropriate technical and organisational measures in place. This followed a data breach in which an unsecured backup of the company database was published on a hacking forum. The data compromised included the names, addresses, phone numbers, email addresses, personal identification numbers, driver’s licence numbers, type of payment card and the last four digits of credit card numbers for 110,302 users.
The Dutch DPA fined the Minister for Finance £2.75 million for failing to have a legal basis on which to process data. This was after the department had, over a number of years, collected data on dual nationality which the tax office did not require for the processing of childcare benefit applications. This was considered to be unlawful processing and may have led to discrimination against data subjects.
The Belgian DPA fined a company €10,000 for repeatedly sending advertising content to an individual who had objected to his data being processed and had asked for his data to be deleted. The company also failed to respond to enquiries from the DPA or to inform the data subject about what processing was taking place.
The Spanish DPA issued the following fines:
Restaurant owner, €1,000 for failing to display CCTV information signs.
Neighbourhood community, €1,500 for installing video cameras on their private property that also captured images of public space and a neighbour’s property. This was judged to be a violation of the principle of data minimisation.
Tigers Market, €4,000 for continuing to call a data subject even though the phone number was registered on the advertising exclusion list.
Asociación Española Para La Enseñanza Online, €5,000 for failing to fulfil the data subject’s rights after a data subject continued to receive advertising materials even though they had exercised their right to be forgotten.
Introduction Business Capital Media, €5,000 for failing to fulfil the data subject’s rights by continuing to call a data subject even though the phone number was registered on the advertising exclusion list.
Daviser Servicios, €20,000 for non-compliance with GDPR principles after it used fingerprints to control access to certain rooms rather than the less intrusive means of key cards. This was judged to be a violation of the principle of data minimisation.
Blog of the Week
Lisa Bradley (EML) – Déjà vu: What the latest instruction to work from home means for employers
This is a really topical blog given the latest government guidance to work from home, which takes effect next Monday. It is a timely reminder that if staff are working from home, employers still have a duty of care, and if staff have to come into work then appropriate measures and a risk assessment need to be in place. There’s lots to consider, especially as there is no government furlough scheme to fall back on. Check out the blog here: https://employeemanagement.co.uk/deja-vu-what-the-latest-instruction-to-work-from-home-means-for-employers/
Debbie Reynolds (The Data Diva) - Talks Privacy podcast with Olivia Holder, Senior Privacy Counsel, GitHub.
It’s great to hear this discussion of privacy in the public sphere, especially children’s privacy and the importance of the UK Age Appropriate Design Code, why the data localisation conversation isn’t had in the US, and app development. They both agree it’s an exciting time to be in privacy and that everything is moving at such a fast pace. The challenge for privacy professionals is to try to keep up to date and make sure everyone is informed. Olivia also recommended the book “Surveillance Capitalism” – one for the reading list. https://www.debbiereynoldsconsulting.com/podcast/e57-olivia-holder
Our Data Protection Advent Calendar
Register with the ICO
Write your Privacy Notice
Check your Cookie Banner is compliant
Know what Data you process
Know why you hold Data
Make sure you have a Legal Basis for holding data
Review/write your retention policy
Train your Staff
Update your Record of Processing Activities
Check how secure your data storage is
Update your Data Protection Policy