How Organisations Get Privacy Wrong

This section focuses on the privacy principles except lawful basis which is covered separately.

  1. Unfair processing

This is where an organisation uses the personal data, they hold in ways that people would not reasonably expect, and which potentially results in unjustified, adverse effects on them.

Big data is a useful analytical tool for many companies, but it is potentially unfair processing to data subjects when decisions are made based on that processing.

Solution:

If an organisation uses big data tools, then there needs to be a Data Protection Impact Assessment (DPIA) to ensure it meets the fairness requirement.  The DPIA answers the “Should we do this?” question and provides a supporting record in the case of a supervisory authority inspection.

The DPIA should be used whenever the processing is going to be high risk, high impact or very privacy intrusive to the data subject.

  1. Lack of transparency

Transparency means being clear, open, and honest with data subjects what you are going to do with their data.  Lack of transparency usually occurs where an organisation uses a poorly written privacy notice that either omits some processing that is being done, or the policy is written in “legalese” and is not easy to read and understand.  To be transparent, the policy must be easily understood and accessible.

Solution:

Leave the “legalese” for the T&C’s!

Ensure your privacy policy is easy to read and understand so that data subjects know why you are collecting the data, what the legal basis for that is, what you are going to do with it, how long you are going to keep it, who you will share it with and how they can exercise their rights with you.

  1. Repurposing

Repurposing, or “function creep”, has long been a problem for organisations where they consider the personal data a resource owned by the business and can be used to facilitate the business where necessary.

Providing the new processing is compatible with the original collection, there is no issue with repurposing.  For example, a charity has personal information relating to donors who make monthly donations.  They then use the personal details to send out a newsletter updating the donors on how their money is being spent and how they are helping the charity achieve its goals.

However, if the purpose is different and not compatible from the purpose that the data was collected for, then the organisation cannot do this processing without notifying the data subject and seeking their consent.

Solution:

Keep a clear record of the personal data processing purpose to assist in establishing if the new purpose is compatible with the original purpose.

If the purpose is different, consider using a DPIA to ensure the privacy impacts are justified.

If the DPIA shows there is justification for the processing, you should update your privacy notices and seek the consent of the data subject.

  1. Too much data is collected

The data minimisation principle obligates organisations to only collect the personal data which they need to carry out the processing.  It is tempting for organisations to collect more than is necessary “just in case” they may need the additional data later.

Solution:

The key data which needs to be collected for the processing should be asked for from the data subject.

The personal data being collected should be justifiable and clearly understood by data subjects in relation to why that is needed for the organisation to fulfil its obligations to the data subject.

Mandatory data should be kept to an absolute minimum.  For example, if you are collecting information and will need to contact the data subject, you should give them choice on how to be contacted and not make a phone number obligatory unless it is critical to the service or product being provided.

If an organisation collects too little personal data at the outset, it is permissible to ask the data subject for additional data, so too little data collected can be subsequently rectified.

  1. Organisations fail to take reasonable measures to keep data accurate

GDPR does not mean that an organisation needs to be constantly contacting data subjects to check if their data is still accurate, but it does need to ensure that some mechanism is in place to ensure personal data is corrected when it is clear it is not correct.

For example, if emails are returned from an address that no longer exists, that is clearly inaccurate personal data which needs to be corrected, as does returned postal mail.

Solution:

Organisations must verify they are dealing with the data subject before amending personal data, which is said to be incorrect to prevent identity theft and fraudulent activity by someone other than the data subject.

If a data subject is verified and informs the organisation of a change of details, then the organisation should facilitate these changes to be easily made.

If post is returned or email addresses show that the email address is invalid, then the organisation should consider whether the personal data is still required to be kept as the data subject has not informed them of the changes.

  1. Organisations keep data too long

Once personal data has been collected, a lot of organisations see it is as a useful resource within their business and rarely delete the data.  Data is often retained on a “just in case we need it” basis and data retention periods are often set with unjustifiable and disproportionate time frames to the purpose of processing.

For example, the data retention period for Ocado.com, an online supermarket in the UK is set as follows (authors emphasis in red):

In the UK, invoices are required to be kept for 6 years for tax purposes so, where customers have registered and shopped with Ocado, the 7-year retention period is closely tied to purpose of collection and their legal requirement to keep the data.  However, Ocado are keeping personal data for people who registered but never used their service for the best part of a decade!

 

Solution:

Organisations need to identify the personal data processing that they carry out and identify the length of time they need it, considering the lawful basis can change over time.

 

The data retention period should be proportionate, justifiable, and considerate of the data subject’s rights over the businesses reluctance to delete data they hold.

 

In the case of Ocado, if people have registered but subsequently never shopped with them, a period of several months is reasonable as a retention period.  But if a data subject has not used the service after 6 months, it is highly unlikely they will so the account and personal data should be automatically erased.

 

A clear schedule of retention should be included in the privacy policy.

 

  1. Confidentiality and Integrity

 

In 2019, a survey conducted by the Ponemon Institute for ServiceNow showed that 60% of data breaches were linked to a vulnerability where a patch was available but not applied, meaning that these breaches were preventable.

 

However, in the UK in the last quarter of 2020, there were 1857 non-cyber security incidents compared to 737 cyber security incidents reported to the UK data protection authority.

 

 

Most non-cyber incidents relate to the incorrect handling of personal data by employees.  The most common mistakes are:

  • personal data being emailed or posted to the incorrect recipient
  • loss or theft of paperwork or data left in an unsecure location
  • failure to redact documents before releasing them publicly.

 

Solution:

Organisations should adopt a risk-based approach to data protection and implement adequate security measures to protect the personal data.  It is understood that no organisation can be 100% safe, but where a breach was preventable, such as failure to patch, then an organisation may face significant fines.

 

Consideration should be given to pseudonymisation, where the data is partly anonymised and the data which is used to identify the individual is kept separately and under more secure measures to mitigate the impact of a breach.  This means that if the partially anonymised data is breached, it is not a data protection breach as there would be nothing that identifies the individual available.

 

Regular data protection training, seminars, and bulletins are a useful way to get staff to understand the importance of handling personal data correctly.  Enforcing security breaches is also critical – if staff know a breach will not result in any sanctions, there is no incentive to comply.