Teal blue header image

Data protection and cyber round up

Keep up-to-date with data protection and cyber security news with our round-up. We cover some of the key developments in the last quarter, what’s on the horizon and how to keep your business compliant and prepared.

In this round-up we report on:

Contractual necessity for online services

The European Data Protection Board (EDPB) has published draft guidelines on the use of contractual necessity as a legal basis for processing in the context of online services. The guidelines provide clarification on what may be considered "necessary", as well as useful guidance for processing personal data in the context of online services to ensure that this legal basis is only relied upon when appropriate.

If your organisation is relying on this legal basis, you must ensure that processing is objectively necessary for performing the contractual service, not just useful. If there are realistic and less intrusive alternatives to the type of processing envisaged, the processing will not be "necessary". Contractual necessity must be assessed objectively in accordance with the aim, purpose and essential elements of the contract and the mutual expectations of the parties. That assessment must be conducted before the processing takes place.

To assist organisations with these assessments, please see our quick reference guide based on the examples set out in the guidelines.

Updated ICO guidance on certification schemes

The ICO has updated its guidance on certification and called for organisations to get in touch if they are considering developing a certification scheme. The EDPB has adopted the final version of its guidelines on certification and accreditation and is in the midst of finalising its procedures in this area. The submission process for certification schemes has yet to open. Details about the submission process will be found on the ICO guidance webpage once they are made available. 

Certification not only permits organisations to demonstrate that their processing activities comply with the requirements of the GDPR, it can also provide customers with assurance that specific standards are being adhered to and enhance transparency in business-to-business relationships.

Once certification bodies have been accredited to issue GDPR certificates, it is likely that businesses will start to ask whether third party contractors hold a GDPR certificate for their processing operations prior to contracting work to third parties (as part of their due diligence obligations). If your organisation is keen to gain a competitive advantage, you should monitor developments carefully over the summer.

Security by design

The government has announced plans to ensure that millions of household items that are connected to the internet are better protected against cyber attacks. In its consultation on the government's regulatory proposals regarding IoT security, the Department of Digital, Culture, Media & Sport (DCMS) states that there is an urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these IoT products by design.

The results of the consultation will be of interest not only to manufacturers of IoT devices but also to IoT service providers, mobile application developers and retailers selling internet-connected products and associated services. We will provide an analysis of the consultation results once the feedback is published.

The government has stated that it will look to introduce a positive or negative security label for IoT devices on a voluntary basis later in 2019, until regulation, based on the analysis of the consultation responses, comes into force.

In related news, the Surveillance Camera Commissioner's Office has announced the introduction of minimum security standards for video surveillance systems. More information on the work initiated in this area can be found on the blog post published by the Surveillance Camera Commissioner.

The problems with ID technology

The ICO has issued an enforcement notice against Her Majesty's Revenue and Customs (HMRC) for failing to obtain explicit consent to collect callers' personal data when using voice authentication for customer verification. The voice recordings constitute biometric data and are therefore classed as special category data under the GDPR. When the voice ID system was launched, users were not given further information about the system and there was no clear option available for callers who did not want to register.

If your organisation uses ID technology, the ICO has published a blog providing tips on how to you ensure that biometric data is used in a fair, transparent and accountable manner.

Meanwhile, the debate over the use of facial technology has continued to dominate the headlines with concerns over accuracy and misuse. In the US, the California legislature has voted to ban the use of facial recognition technology by local law enforcement authorities and other government agencies. Shareholders at Amazon also sought to halt Amazon's sale of its recognition technology to US police forces but were defeated in a vote on the matter. If your organisation uses facial technology, you should monitor developments in this area carefully.

Inferred data and behavioural advertising

Amidst the recommendations in the Government Response to the DCMS's final report on Disinformation and 'fake news', the government supports the recommendation from the ICO that inferred data should be given the same level of protection under the law as personal information.

Although behavioural targeting is common in the commercial sector, the use of 'lookalike audiences' without transparency is unpopular and problematic (particularly in the political arena). Businesses should monitor developments carefully as the government studies the way in which protections of privacy law can be expanded to include models that are used to make inferences about individuals.

Other news

Data protection and journalism code of practice: The ICO's has consulted on a data protection and journalism code of practice which will be finalised once it has considered the responses. The focus is on data protection issues arising from the use of personal information in journalism, and it aims to provide journalists and media organisations with a practical toolkit to enable them to comply with their data protection obligations.

Privacy Shield and Brexit: The US Department of Commerce has published a FAQs document explaining the steps certification participants must take to receive personal data from the UK following Brexit.

Automated decision making: If you use AI systems to process data, the ICO blog on ‘meaningful’ human involvement provides advice on how organisations can ensure that AI decisions are not classified as solely automated by mistake. The second blog in the series provides guidance on how organisations can comply with the data protection principle of accuracy in relation to AI systems.

Data protection trends in EU institutions:  The European Data Protection Supervisor (EDPS) has published the first in a series of infographics that put the spotlight on key issues and trends in data protection within the EU institutions regarding consultations, complaints and training topics.  New in the "top 3" lists of complaints this year is the proportionality of data collection, so this is an issue that organisations should continue to focus on as part of their ongoing compliance programmes.

Up next

  • The Court of Justice of the EU is expected to hear the parties' submissions in the case of Facebook Ireland v Schrems on 9 July. It will now be for the court to determine whether the standard contractual clauses used by Facebook to transfer Schrems's personal data from Ireland to the US were valid. The decision will be published on the court's website.
  • The DCMS aims to formulate a National Data Strategy, which it will consult on later this year. To that end, it has launched a call for evidence which closes on 14 July and will be used to inform its strategy. You can keep up to date with developments in this area by visiting the National Data Strategy webpage.
  • The government is looking at accelerating the development and use of new data-driven technologies and services to improve consumer outcomes and invites responses to its consultation by 6 August 2019.
  • The Morrison's data breach decision is expected on 6-7 November, when the Supreme Court will decide whether Morrison's can be held vicariously liable for a rogue employee's deliberate disclosure of co-workers' personal data. Further details of the decision will be available on the Supreme Court webpage once they have been announced.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.


Insights & events View all