DATA PROTECTION SURVEY SPRING 2015 www.penningtons.co.uk

ACROSS EUROPE, DATA PROTECTION HAS NEVER BEEN HIGHER ON THE AGENDA, BOTH FOR BUSINESSES AND FOR THEIR CUSTOMERS.

Earlier this year, the Penningtons Manches data protection team sent an online questionnaire to data protection lawyers in Multilaw firms around Europe to gather and share our collective insight into the current trends and perceptions about data protection regulation across Europe.

Our questions focused on the relationships that businesses have with the data protection regulator in their country, from the perspective of data protection practitioners. We also looked at current hot topics such as information security, nuisance calls, the right to be forgotten, and the proposed EU General Data Protection Regulation.

Input was received from data protection practitioners in Austria, Bulgaria, the Czech Republic, Denmark, Germany, Greece, Italy, Luxembourg, Malta, Netherlands, Portugal, Turkey and the UK.

This document is a summary of the survey findings together with commentary from partner Joanne Vengadesan and associate Nadine Bhantoa of the Penningtons Manches data protection and privacy team.

www.penningtons.co.uk/expertise/solicitors-for-business-data-protection-and-privacy.

The following Multilaw firms participated in the survey:

• Abreu Advogados
• Advokatgruppen
• Aequitas Legal
• Bosselaar & Strengers
• Felten & Associes
• Heussen Rechtsanwaltsgesellschaft mbH
• Jenny.Avvocati
• Moroglu Arseven
• Penningtons Manches LLP
• Rödl Stoll Schulte Rechtsanwälte Partnerschaftsgesellschaft mbB
• Rowan Legal
• Schmidtmayr Sorgo Wanke
• Tocheva & Mandazhieva Law Office

PENNINGTONS MANCHES DATA PROTECTION SURVEY | 32 | PENNINGTONS MANCHES DATA PROTECTION SURVEY

Page 3: DATA PROTECTION SURVEY€¦ · the current trends and perceptions about data protection regulation across Europe. Our questions focused on the relationships that businesses have with

SUMMARY OF FINDINGS

1. ATTITUDES TOWARDS DATA PROTECTION LAWS

Eight out of ten respondents believe that businesses regard the data protection law in their country as bureaucratic, with comments such as:

• “It is difficult to comply with and not transparent”
• “It is complicated and requires expert advice”
• “It is a hurdle to overcome”
• “Data protection law is an obstacle to business”.

However, despite the perceived bureaucratic and complex nature of data protection law, two thirds of the respondents agree that it is an important consideration for businesses.

% of respondents   Client’s view on data protection law
80                 Bureaucratic
66                 An important consideration for their customers
20                 Irrelevant to their business
 4                 Clear and straightforward to comply with

COMMENTARY

These responses support the European Commission’s view that there is a need to cut red tape for businesses and highlight the importance of the forthcoming reforms which will introduce a single set of data protection rules across Europe.

8 OUT OF 10 SAY BUSINESSES REGARD THE DATA PROTECTION LAW IN THEIR COUNTRY AS BUREAUCRATIC

2. AWARENESS OF DATA PROTECTION OBLIGATIONS

Eight out of ten respondents think that their clients are ‘somewhat aware’ of their data protection obligations while 20% say that their clients are ‘not very aware’.

However, 87% of respondents agree that their clients have become more aware of their obligations over the past year. This is encouraging given that organisations are taking advantage of technology (e.g. via the cloud, the internet of things, social media) to capture and utilise more personal data than ever before.

COMMENTARY

It is also possible that several high-profile data protection matters have increased awareness over the last year including:

• the controversial judgement of the Court of Justice of the European Union in the Google Spain case, which found that a ‘right to be forgotten’ applies to outdated and irrelevant personal data in search results
• the fallout from Edward Snowden’s revelations in 2013 about the NSA’s mass surveillance programmes
• the debates surrounding the impact of the proposed new EU General Data Protection Regulation.

3. BIGGEST DATA PROTECTION CONCERNS

The two main perceived concerns of businesses across Europe are “having appropriate data protection and security policies in place” (66%) and “transferring personal data outside of the EEA” (60%). A third of respondents believe that businesses are concerned about the restrictions on their direct marketing activity and the need to obtain consents for this activity.

% of respondents   Client concerns
66                 Having appropriate data protection and security policies in place
60                 Transferring personal data outside the EEA
33                 Restrictions on their direct marketing activity / obtaining consents to direct marketing activity
27                 Staff training, awareness and compliance
20                 Dealing with subject access requests
13                 Data security and dealing with breaches (i.e. the loss or theft of personal data)
 6                 Uncertainties about how the forthcoming EU regulation will affect their business

COMMENTARY

It is not surprising that some of the biggest concerns for organisations are to ensure that they have appropriate data protection and security policies in place and that they can operate globally in compliance with data protection laws. The high-profile nature of data security breaches has helped to bring data protection to the forefront of the public agenda. This awareness, coupled with the risks of transferring data outside of the EEA to countries which do not offer adequate protection (which may include affiliated companies or cloud providers who operate outside the EEA), means that organisations must take data protection seriously if they want to maintain their reputation and customer confidence.

THE NO 1 PERCEIVED CONCERN OF BUSINESSES ACROSS EUROPE IS HAVING APPROPRIATE DATA PROTECTION AND SECURITY POLICIES IN PLACE: 66%

4. ENFORCEMENT OF DATA PROTECTION LAWS BY THE REGULATOR

Two thirds of respondents said that there had not been any noticeable change in the level of enforcement activity of the data protection regulator over the last year.

However, none of the respondents were of the view that the regulator has been less active in the last year and a third said their regulator had been more active, with 7% noting significantly more activity.

TWO THIRDS SAID THERE HAD BEEN NO NOTICEABLE CHANGE IN ENFORCEMENT ACTIVITY; 27% SAID THEIR REGULATOR HAD BEEN MORE ACTIVE, AND 7% NOTED SIGNIFICANTLY MORE ACTIVITY

5. MAIN INDUSTRY SECTORS TARGETED BY REGULATORS

Respondents identified the health/social care (53%), marketing/advertising/PR (53%), accountancy/banking/finance (47%) and technology service providers (40%) as the sectors that had been most heavily targeted by the regulator over the past 12 months.

% of respondents   Sectors
53                 Healthcare and social care
53                 Marketing, advertising, PR and sales
47                 Accountancy, banking and finance
40                 Technology service providers
33                 Public sector bodies
27                 Business, consulting and management
27                 Media and publishing
20                 Retail
13                 Legal services
 6                 Energy and utilities
 6                 Regulators and law enforcement
 6                 Teaching and education
 6                 Credit information and credit report service providers

COMMENTARY

Understandably, regulators need to prioritise enforcement action as it would be impossible to address all risks equally. From these responses it appears that the regulators are more focused on data protection breaches that are in the public interest including those that:

• involve sensitive personal data (e.g. breaches by healthcare providers)
• are more likely to cause distress (e.g. breaches relating to an individual’s finances)
• affect a large number of people (e.g. breaches that involve large quantities of personal data which are often held by technology service providers).

A HEAVILY TARGETED SECTOR OVER THE PAST 12 MONTHS WAS HEALTHCARE & SOCIAL CARE: 53%

6. QUALITY OF INFORMATION AND GUIDANCE OFFERED BY DATA PROTECTION REGULATORS

More than half (53%) of respondents rate the quality of information and guidance offered by their local data protection regulators as good or very good. These include respondents from the UK, Czech Republic and Slovakia. A third of respondents rate the quality as satisfactory but respondents from Turkey and Malta rated the information and guidance offered by their regulators as poor.

% of respondents   Quality of data protection regulator information and guidance
20                 Very good
33                 Good
33                 Satisfactory
14                 Poor

COMMENTARY

Although there are significant differences between the guidance currently offered by national data protection regulators, when the new EU General Data Protection Regulation comes into force, guidance from a regulator in one member state could be used by other member states. The Regulation will have direct effect and apply more uniformly across the EU than the current Data Protection Directive, which operates through nationally implemented legislation.

However, the current form of the draft Regulation does allow member states to provide for their own national rules for certain types of processing, including for processing of employee data, so the extent of uniformity that the Regulation will provide remains to be seen.

7. REGULATORS’ TYPICAL RESPONSE TO A DATA PROTECTION BREACH

More than half (53%) of respondents said that the most common response by a regulator in the event of a data protection breach was to request an undertaking from the offending organisation to commit to improving its compliance. Only 13% said that the regulator would usually issue a fine for data protection breaches.

Other replies included: “on a case by case basis”; “depends on the nature of the breach”; “issuing a critique through the Danish Data Protection Agency” and “certain prison sentences under the Criminal Code for the illegal disclosure and process of personal data”.

% of respondents   Regulators’ responses
53                 By requesting an undertaking from the organisation, committing it to improve its compliance
13                 By issuing a fine
 6                 By issuing an enforcement notice / ‘stop now’ order

COMMENTARY

A regulator’s response will, of course, depend on the nature of the breach but the fact that the majority of respondents think that the regulator’s most common enforcement action is to request an undertaking shows that regulators often take a proportionate approach to enforcement action and engage with organisations that have breached data protection laws to try to avoid future breaches.

It is also worth noting that a more uniform approach to enforcement action is anticipated to be introduced under the proposed EU General Data Protection Regulation for businesses that operate in different member states across the EU. Businesses currently have to answer to the local data protection regulator in each member state in which they operate. Under the proposed Regulation, important cross-border cases could be handled by a single lead regulator based in the EU country where the business has its ‘main establishment’.

This regime will involve greater co-operation between national data protection regulators and will allow cases to be referred to a new European Data Protection Board (EDPB) to be resolved in the event of disagreement between the national regulators on what action to take.

53% SAID THE MOST COMMON RESPONSE BY A REGULATOR IN THE EVENT OF A BREACH WAS TO REQUEST A COMMITMENT TO IMPROVING THEIR COMPLIANCE (IMPROVEMENT NEEDED!)

ONLY 13% SAID THE REGULATOR WOULD USUALLY ISSUE A FINE FOR DATA PROTECTION BREACHES

8. COMMON CAUSES OF BREACHES OF DATA PROTECTION LAW

The most common breaches of data protection law identified by respondents over the last year are the failure to have required policies and contracts in place (47%) and the failure to identify personal data (40%).

% of respondents   Cause of breach
47                 Failure to have required policies / contracts in place
40                 Failure to identify personal data
27                 Computer or telephone hacking
27                 Transfer of data outside of the EEA without satisfying the conditions required for the transfer
20                 Lack of employee training
20                 Employee breaches (either due to lack of awareness, accidental or deliberate breach)
20                 Emails sent in error
13                 Lost documents
13                 Failure to encrypt data
 6                 Lost devices (e.g. laptops, mobile phones, hard drives)
 6                 Stolen devices (e.g. laptops, mobile phones, hard drives)
 6                 Inadequate security measures
 6                 Unsolicited emails/nuisance calls

COMMENTARY

The two most common breaches highlight the importance of ensuring that data controllers have robust contracts and privacy policies and appropriate, clear and practical information policies in place which are transparent about the way in which the organisation uses and discloses data.

It is also important for organisations to correctly identify personal data. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has produced guidance on how to determine what is personal data but organisations should seek guidance if they have any uncertainty.

It will also be interesting to follow the rulings in the Vidal Hall v Google internet privacy case. The Court of Appeal has recently held that it is arguable that browser-generated information may be personal data if third party advertisers are able to identify individuals by making use of it.

However, this ruling is not definitive and relates to a preliminary stage of the proceedings about whether or not the claimants should have permission to serve English proceedings out of the jurisdiction on Google in the US. It is now up to Google to appeal the decision to the Supreme Court, otherwise the case will proceed to trial.

THE MOST COMMON BREACH WAS IDENTIFIED AS THE FAILURE TO HAVE REQUIRED POLICIES OR CONTRACTS IN PLACE

THE SECOND MOST COMMONLY IDENTIFIED BREACH WAS THE FAILURE TO IDENTIFY PERSONAL DATA: 40%

9. REACTIONS TO THE PROPOSED EU GENERAL DATA PROTECTION REGULATION

Only a third of respondents think that businesses are concerned about preparing for compliance with the proposed EU Data Protection Regulation.

These respondents thought that businesses’ main concerns would be:

1. The need to review and revise policies and contractual obligations
2. The increased fines for breach
3. The direct obligations on data processors
4. Greater scrutiny from the regulator
5. The mandatory appointment of a data processing officer.

COMMENTARY

Although the Regulation has yet to be finalised and there will be a two year period after it has been approved before it takes direct effect, we do not expect the current text to change significantly.

We would, therefore, strongly recommend that organisations who are not up to date with the proposed changes seek guidance in order to prepare and be well-placed for compliance with the new regime. This is particularly important given that it is anticipated that failure to comply with the proposed Regulation could lead to fines of up to 5% of an organisation’s global annual turnover (although the exact percentage has yet to be finalised).

10. GUIDANCE ON DEALING WITH COMPLAINTS ABOUT “RIGHT TO BE FORGOTTEN” REQUESTS

More than half (53%) of respondents said that the data protection regulator in their country had not issued guidance on how it deals with complaints relating to the handling of “right to be forgotten” requests (in response to the Google Spain case).

A fifth of respondents said that their regulator had issued guidance while another fifth said that the regulator had issued other guidance relating to this topic. This guidance ranged from a press release with brief details of how the regulator had dealt with 30 such complaints received after July 2014; various website statements; to a topic discussed in seminars organised by the Bulgarian Data Protection Commission.

53% SAID THEIR COUNTRY HAD NOT ISSUED GUIDANCE ON HOW IT DEALS WITH REQUESTS FOR THE

11. POWER TO ACT

Almost three quarters (73%) of respondents think that the data protection regulator in their country has sufficient powers to act against nuisance calls (i.e. unsolicited sales or marketing calls). A fifth say that their regulator does not have enforcement powers and the remaining 7% say that the regulator only has sufficient powers when it can prove that the calls have caused substantial damage or distress.

Just over half (53%) of respondents say that their government is not taking any steps to lower the legal threshold for enforcement action by the regulator against nuisance callers, a third do not know, and the remaining 13% say that their government is taking steps.

73% THINK THE DATA PROTECTION REGULATOR IN THEIR COUNTRY HAS SUFFICIENT POWERS TO ACT AGAINST NUISANCE CALLS

COMMENTARY

In the UK, the £500,000 threshold for issuing monetary penalty notices for nuisance calls and spam text messages has been lowered. Previously, the Information Commissioner’s Office (ICO) had to prove that a company had caused ‘substantial damage or substantial distress’ by making nuisance calls or sending spam text messages. From 6 April 2015, the ICO only has to prove that the company was committing a serious breach of the Privacy and Electronic Communications Regulations 2003.

12. SIGNIFICANT ISSUES AND CONCLUSION

Respondents were asked to name the most significant issue currently affecting their data protection practice and their clients. The three most commonly mentioned issues were:

• the restrictions placed on businesses by the plethora of rules and regulations
• keeping up to date with the regulations
• the transfer of data outside the EEA and Binding Corporate Rules.

Below is a selection of respondents’ comments:

• The necessity of approval by regulator for certain transfers of personal data outside the EU (e.g. in case of transfers on the basis of Binding Corporate Rules).
• Complying with the requirements for transferring personal data outside of the EU, dealing with subject access requests and ensuring that privacy policies are up to date.
• Keeping up to date with the developments on the new EU General Data Protection Regulation
• Handling marketing campaigns in compliance with the relevant rules
• Dealing with personal data processed in cloud databases
• Data protection and security policies
• Staff training.

One respondent summed up the respondents’ views: “Legal uncertainty makes it virtually impossible for most businesses to live up to every word of the law which, in turn, leads to a laissez-faire attitude towards data protection. The main concern for companies seems to be to ‘stay under the radar’.”

COMMENTARY

With data protection firmly on the public and political agenda and the threat of huge fines for non-compliance with the impending EU Regulation, organisations cannot afford to ignore data protection compliance and it should be treated as a priority for all businesses processing personal data.

Robust compliance with the current legal framework will put an organisation in good stead to deal with the anticipated new laws and will help to create a culture of privacy awareness and good practice that will be key to compliance.

Penningtons Manches LLP is a limited liability partnership registered in England and Wales with registered number OC311575. San Francisco is an office of Penningtons Manches (US) LLP, a limited liability partnership registered in England and Wales with registered number OC396811.

www.penningtons.co.uk

LONDON: Abacus House, 33 Gutter Lane, London EC2V 8AR. T: +44 (0)20 7457 3000, F: +44 (0)20 7457 3240

BASINGSTOKE: da Vinci House, Basing View, Basingstoke, Hampshire RG21 4EQ. T: +44 (0)1256 407100, F: +44 (0)1256 479425

CAMBRIDGE: Clarendon House, Clarendon Road, Cambridge, Cambridgeshire CB2 8FH. T: +44 (0)1223 465465, F: +44 (0)1223 465400

GODALMING: Highfield, Brighton Road, Godalming, Surrey GU7 1NS. T: +44 (0)1483 791800, F: +44 (0)1483 424177

GUILDFORD: 2 Bishops Wharf, Walnut Tree Close, Guildford, Surrey GU1 4UP. T: +44 (0)1483 791800, F: +44 (0)1483 574787

OXFORD: 9400 Garsington Road, Oxford Business Park, Oxford, Oxfordshire OX4 2HN. T: +44 (0)1865 722106, F: +44 (0)1865 201012

READING: Apex Plaza, Forbury Road, Reading, Berkshire RG1 1AX. T: +44 (0)118 982 2640, F: +44 (0)118 982 2641

SAN FRANCISCO: Four Embarcadero Center, Suite 1400, San Francisco CA 94111. T: +1 415 426 5655