uk election week

Suppression screening, terrorism and your vote

The election today and the aftermath of the appalling events at London Bridge and Borough Market have disrupted my momentum for writing about EU GDPR and what you need to know to get ready for next May 25th. I’m a frequent visitor to Borough Market and often walk across London Bridge, so like many others, this is the first time that terrorism has seemed so close to me.

Top of my mind this week is the news that the third mass murderer at London Bridge was an Italian/Moroccan whose name is apparently on the Schengen Information System – according to the BBC, “An Italian police source has confirmed to the BBC that Zaghba had been placed on a watch list, which is shared with many countries, including the UK.” Both the Westminster Bridge and London Bridge attacks were conducted using hired vehicles, the first a car and the second a van. Last month, the U.S. Transportation Security Administration announced that it wants truck rental agencies to be more vigilant in efforts to prevent these attacks and according to the same article, Penske (a nationwide truck leasing company in the US) screens customers using a watch list.

So, the first question that springs to my mind after London is “Should vehicle rental companies in Europe be screening customers against the Schengen list?” Obviously, not all such attacks are committed using hired vehicles, but many (if not most) are committed using hired or stolen vehicles – and stolen vehicles are likely to be on a police database with an active watch being kept out for them. The larger the vehicle, the more dangerous it is, the more likely it is to be able to crash through barriers and kill and maim people – and the more likely it is to be hired or stolen rather than owned.

The next question that rose to my mind was “Will the UK still have access to the Schengen list after Brexit?” Hopefully, however “hard” Brexit turns out to be, UK and EU negotiators will have cooperation on terrorism at the top of their list and such information will continue to be shared, so increasing systematic use of this data should be top of many people’s agendas.

Last, I worried whether the increased responsibilities for protection of personal data (and vastly increased fines) being introduced with GDPR next May will lead to companies putting their own interests first when it comes to (not) sharing information about suspicious persons with the authorities, or whether there need to be exemptions written into the guidance to ensure that individuals and organisations don’t get fined for breaches of GDPR through trying to do the right thing to help protect the public? I can ask this at next week’s techUK Data Protection Group, where one of the people developing the legislation and guidance from the Department for Culture, Media & Sport will be in attendance.

One other thought concerning data about people seems particularly relevant today – last Tuesday’s Telegraph “fears that thousands of postal ballots could have been sent out to voters who have died, putting their vote at risk of being used by somebody else”. Of course, speaking from personal experience, potentially a much bigger fraud could be all the residents of care homes, especially those with Alzheimer’s, being sent postal votes. Are additional precautions taken in checking that these votes are being filled in by the residents themselves? I know that in at least some cases, the postal vote addressee is not screened against the Power of Attorney registers. Given that GDPR obliges organisations to make sure the personal data that they keep is accurate and up-to-date, I wonder how the formula for fining an organisation 2-4% of global gross revenue under GDPR applies to a taxpayer-funded body such as a local authority!?

EU GDPR – what is changing next May?

This is the second in a series of posts about the EU GDPR – now less 12 months away! If you are a marketer, a business/systems analyst or a processor of third party data, this series of posts is written with you in mind – I hope you will be able to use it and the links that we provide to save you time and point you in the right direction as you grapple with the GDPR challenge. You can of course download the 130 page guide from the Information Commissioner’s website or browse through it during your lunch break, but if you want something targeted at you and split into manageable chunks, read on! In the first post, we mentioned how a genuine Single Customer View helps to keep data accurate and up to date. In this post we cover what will change from the current Data Protection Act.

At another very informative TechUK meeting last week on this topic, Rob Luke from the ICO described GDPR as an evolution of the existing rules and not a revolution. Essentially the GDPR is tightening up and clarifying existing rules more than introducing new ones, but there are two big differences:

  • Most obviously there are now huge penalties that can be imposed as discussed last week.
  • There are now responsibilities for data processors as well as data controllers, which is particularly significant for our industry.

Other key changes include mandatory notification of breaches, stricter rules on what constitutes sensitive personal data, making it harder to obtain consent and the introduction of mandatory data protection officers for some types of usage.

We will look at the new obligations for data processors in a later post aimed solely at our professional service provider audience, as well as looking at the new obligations for data controllers in a post specific to them. The key aspect of the GDPR which bears on the relationship between data controller and data processor is the much tighter control of data transfer and the need for written agreements between the two parties detailing their respective responsibilities. We will also look at when you need to obtain explicit consent and what has changed in this respect in a later post – whether you can adopt opt-out or have to settle for opt-in is now a more complex question.

Finally, if you are designing new systems, GDPR obliges you to undertake a Privacy Impact Assessment and incorporate Privacy by Design into your system – privacy and security should not be an afterthought. You must also incorporate privacy by default into collection of personal data: Fieldfisher’s blog summarises it as “businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for these purposes”. They state as an example that systems should “allow suppression of data of customers who have objected to receiving direct marketing”.

In the next post we will look at the key definitions in the GDPR so you can decide whether some of the obligations do indeed apply to your business. If you can’t wait, you can get a head start by reading this table in White & Case’s excellent handbook on GDPR. To be prompted about the next instalment in our series of posts, follow us on Twitter.

EU GDPR Headquarters

EU GDPR now just 12 months to go – where do you start?

As you should know, the EU General Data Protection Regulation (GDPR) comes into force one year from today, 25th May 2018. As we will still be in the EU then, whatever kind of Brexit we are in for, you only have 12 months to make sure that all your systems support compliance. If you need any incentive to start taking this seriously, you only have to consider that the maximum fine for breach of data protection regulations is increasing from £500,000 to €10 million or 2% of global gross revenue (whichever is higher) – that’s just for a level 1 breach, with double these amounts for a level 2 breach!

To help you on your journey to GDPR compliance, we will be publishing a series of posts about aspects of GDPR over the next few weeks. Initially, we will cover:

After that, we will look at how matchIT Data Quality Solutions can help you be compliant and avoid breaches of the new law – especially how a genuine Single Customer View helps to keep data accurate and up to date and ensures that you can respond to Subject Access Requests promptly, fully and efficiently.

The implications of GDPR are far reaching and HMG guidance is still being developed by the Department for Culture, Media and Sport, in consultation with industry bodies such as TechUK. Some companies may find that with only one year to go, they may not be able to become completely compliant by then – in which case, it is vital to mitigate potential costs of non-compliance by demonstrating effective progress, with a realistic timetable for full compliance. Look out for our next few posts to help you navigate towards that goal!