TECHNOLOGY REPORT
The protection racket

underpin all of the rights and obligations of GDPR". The principles set out in the GDPR are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. She adds that organisations "must consider and comply with the principles in all decisions and actions relating to personal data". This, she says, means that data cannot be processed with abandon. Rather, personal data may only be processed if certain conditions are true: if there is an individual's consent; a contractual necessity; a legal obligation; it protects vital interests; it is a public task; or it furthers a legitimate interest such as that of an organisation or that of a third party.

But there is another category to bear in mind, and it is one that is mentioned by Davies: special category personal data. This covers any personal data which reveals an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning an individual's health, sex life or sexual orientation, or genetic or biometric data. As he says, here a firm "must justify why the processing of this specific data is 'necessary', and it must be a proportionate way of achieving one of those purposes. This must be recorded before any processing is undertaken". He recommends that "policies and procedures must be clear, that the firm must not collect more health data than it needs and that there are appropriate technical or organisational measures to ensure the data's security".

A key point for Padget is that individuals have rights. On this she says that where a firm processes an individual's personal data they have the right to be informed; to have access to it; to have errors rectified; to have data erased; to have processing limited; to have a copy of their data and be able to reuse it; to object to data being collected; and to have rights in relation to automated decision-making and profiling.

She adds that "not all of these rights are absolute, and the parameters and application are set out in articles 12 to 22".

Compliance

Of course, for any regime to work it needs compliance from those subject to it. And this needs to be demonstrable. It is interesting that, as Padget comments, "GDPR does not prescribe how such compliance should be achieved or demonstrated, so it is advisable to put in place an appropriate internal compliance programme that is tailored to the business."

She thinks that such a programme would consist of six points, the first of which is oversight that covers clear responsibilities and lines of authority for staff in relation to data-protection activities. Next comes policies and procedures, and staff training – this "provides clarity and consistency by communicating what individuals in the business must do and why they must do it". Third on her list is transparency. Here Padget says that "compliance with the requirement under GDPR necessitates providing certain information to individuals about how firms process their personal data; the standard form for this is in a privacy notice".

After transparency is the need to have records of processing which cover the type of personal data processed and the legal basis relied on in each case. Contracts and data sharing is Padget's fifth element. Of this she says that "where controllers share personal data with any third-party processor, parties must have a contract in place which includes all of the requirements under article 28 of the GDPR". This may be within a contract or put as an addendum to an existing agreement.

Lastly, there is the need for a data protection impact assessment (DPIA). This is particularly important to Padget where data protection processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA effectively involves an analysis of the risks and the steps to neutralise them.

If there is a breach of data protection legislation, organisations need to remember that individuals have the right to lodge a complaint with the Information Commissioner's Office (ICO). They can also seek an effective judicial remedy against a controller or processor, as well as compensation from the relevant controller or processor for damage resulting from an infringement of GDPR.

In practice, however, Padget says that individual claims brought by data subjects against a controller or processor are rare "but may increase based on the use of collective action."

Enforcement

Just as there is a need for compliance, so there is a need for enforcement. Data protection law is overseen by the ICO, the UK's independent body set up to uphold information rights through the courts. Davies explains that the ICO can issue enforcement notices to employers "requiring them to take – or refrain from taking – action under the regime."

He details that "the ICO determines whether an infringement has occurred and the severity of the penalty: the maximum amount of the penalty that the ICO may impose is the higher of the amount of £17.5m or 4% of the undertaking's total annual worldwide turnover". To this he adds that "the reputational damage caused by data infringements and breaches, should highlight for all employers the importance of taking data protection compliance seriously".

Padget clarifies that the penalties mentioned by Davies are generally applied to breaches of the basic principles for processing personal data and infringements of data subjects' rights. However, she says that there is a lower tier of penalties, with maximum amounts of £8.7m or 2% of total annual worldwide turnover, whichever is higher, for other infringements such as breaches of administrative requirements. And in relation to direct marketing breaches, under PECR, the ICO can issue a fine of up to £500,000.

The biggest fines issued by the ICO relate to security breaches leading to loss of, or unauthorised access to, individuals' personal data (such as the £20m fine issued to British Airways in 2020, and the £18.4m fine issued to Marriott Hotels). The most frequent fines relate to breaches of the direct marketing rules in PECR. The most recent large fine handed out was the £4.4m penalty given to construction firm Interserve in October 2022. Laura Steel, an associate at Wright Hassall, thinks it pertinent to the story.

Although the case involved a firm in a different sector, a phishing attack – typified by scam emails, text messages or phone calls that seek to trick their victims into allowing data breaches or fraud to be committed – was forwarded internally. That led to a colleague downloading its content, which resulted in malware being installed on the employee's workstation. This gave a cyber attacker remote access to the workstation and other corporate systems. Steel comments that this in turn "led to 283 systems being compromised, including four HR databases containing the personal data of up to 113,000 employees which the attacker encrypted and made unavailable. The compromised employee personal data included contact details, National Insurance numbers, bank details, salary information, sexual orientation, and health information".
www.printweekmena.com April 2023 PrintWeek MENA 31