Ode to DPO’s managing GDPR risk

GDPR risk is often difficult for a DPO to convey to the business.  The risk of getting “caught” out for noncompliance oftentimes seems remote (rightly or wrongly), and business/management will often respond to risks with a commercial decision to “carry the risk”.  Sometimes this decision can feel cavalier and foolhardy to a DPO who has undertaken an assessment and identified a bucket of issues that really should be addressed before the processing continues.  So, when is it appropriate to “carry the risk” and when should the risk be addressed before proceeding?  When do we roll up our DPO sleeves and say “STOP”?

In order to answer the question it’s necessary to consider the issue that has been identified in the context of the GDPR. When any processing activity is being analysed for compliance there will nearly always be issues that surface.   Some big, some small.  Let’s say I’m zoning in on the processing of personal data relating to the onboarding and induction of new members of staff working in a company.  I map out the flow as follows, where the scope of processing under consideration is identified in the red box:

The following issues may be identified as we work through the process:

GAP	ANALYSIS
the online form being completed by the new employee has no reference to the data protection notice	Failure to meet the transparency requirements of the GDPR.
the contract of employment states that the employee must provide biometric data for entry to the building	“Contract” is not a valid legal basis for processing biometric data
the controller has no contract in place with the supplier of the payroll system	Failure to meet requirements to ensure that a valid data processing agreement is in place with supplier
the form requests certain information about the employees’ weight, age and height	Failure to meet data minimisation principles as this information is not required
The HR System has no access controls for users	Failure to implement appropriate technical measures
The “Benefits Hub” has not been configured to delete personal data and all data is held indefinitely	Failure to comply with “storage limitation” principle

 

Targeting in on any processing activity can often unearth a host of issues and it can feel overwhelming for the DPO.  In an ideal world, we should fix all the problems before the processing is undertaken.  Practically, in many cases the processing has already started or can’t wait until all the problems have been fixed.

As a first step when issues are identified it’s important to identify if there is a solution to the issue being raised.  In some cases it may be workable to “carry the risk” for a short period of time and start/continue the processing while the issue is being addressed.

There are however certain cases where processing should not continue because either (a) there is no solution to the particular issue, with the result that the processing is always going to be materially non-compliant and/or (b) the risk of non-compliance is too great given the issue identified.  I have identified below some of key areas of GDPR compliance where these circumstances can arise.

Legal Basis

A legal basis for processing is fundamental for GDPR compliance.  If, upon assessment, no legal basis can be identified and validated for a processing activity then the processing should not be undertaken.  Processing without a legal basis is non-compliant and it’s not something that is likely to change as the processing continues (ie. it’s going to be very hard to move to compliance over time).   The Enforcement Tracker available here shows that across all types of violations the highest number of fines across Europe have been levied for “insufficient legal basis for processing”.

In the HR induction example above an incorrect legal basis has been identified for the processing of biometric data.  In the case of a standard office building, with no unusual security/health and safety concerns, contract is not an appropriate legal basis.   The controller will need to identify a valid Article 6 and Article 9 legal basis for the processing of biometric data. The controller would need to meet the requirements for valid consent (which is a very high bar for employers) and ensure a viable alternative option is available for those employees who do not want to provide biometric data (e.g. swipe card system).

In this case, it should be strongly recommended that the processing should not be undertaken until a valid legal basis under Article 6 and Article 9 can be identified.

Transparency

In some cases when assessing a processing activity we will identify that the organisation has no viable touch point with the data subject to present a data protection notice.  This can be a real challenge in some cases (e.g. an organisation seeking to scrape personal data from websites).  If the  organisation has no means of providing notice to a data subject about how their personal data is going to be used then the processing should not be undertaken. The processing is invalidated before it begins for lack of transparency.

In the other case above, where the link to the data protection notice is not provided on a form, there is an easy solution for the organisation to update the relevant form with the correct reference to the employee data protection notice.

Data Processing Agreement

I’m sure that many DPOs are still chasing the execution of Data Processing Agreements with suppliers.  I raise my hat to the DPO that has every single one of the required DPAs signed up and in the bank. It’s reasonable to operate, in some cases, on the expectation that the DPA will fall into place in the near future.

Where the line needs to be drawn is where there is no reasonable hope of getting the DPA in place.  Imagine for example that the supplier of the payroll system in the above example has refused to enter into a DPA.  In this case it should be strongly recommended that processing should not be undertaken until a compliant supplier is identified.

Security of Processing

Again, if a supplier is unable to meet reasonable security standards and provide, for example, basic user access controls the risk of an issue arising is too great, again depending on the personal data being processed.   In the case of a HR system, the risk to the data subject could be majorly impactful if the information gets into the wrong hands.  The controller has to satisfy itself as to the security of the system before processing any personal data on it.

In addition to these examples, some of the other issues we frequently identify when examining processing activities for organisations include the following:

• while a data protection notice is provided to data subjects it is not clear/detailed enough in the information provided
• not all requirements under Art 28 for compliant Data Processing Agreements are met in the agreement with the supplier
• the supplier has not provided a set of technical and organisational measures
• no Standard Operating Procedures/Work Instructions are documented for high-risk processing activities
• no transfer impact assessment has been undertaken for a supplier outside the EU
• failure to meet data minimisation requirements (more information is collected on forms than is necessary for the purpose)
• keeping personal data for longer than is necessary

In many of the above cases we can identify an appropriate fix for the relevant issue.  A commercial decision may be made by the business to start/continue with the processing in parallel with the gap being addressed.  The risk is being carried in such cases for a limited period and a plan is in place, and can be produced, in the event that the processing is challenged before then.  This is still a risk for the organisation and the DPO should be very clear to the business that the best course of action is to address the gap before proceeding. 

Of course, there are also cases that arise where we get nearly everything over the line but we are unable to fix every issue.  Sometimes, again a commercial call may be made to carry the risk.   It’s not a case then of cross all fingers and toes and hope for the best.  A calculated risk is one that is managed correctly.  There are often mitigation steps that can be taken to reduce a risk.  Once everything that can reasonably be done is done, the risk should be reviewed regularly, and at least annually, to assess if anything has changed that would enable the risk to be mitigated further or indeed fully addressed.

As DPOs, our role is to identify the risks and make recommendations around addressing them.  If the business choses to “carry a risk” that we know should not be carried, because it cannot be addressed, then we have to formally make the case to the board/management team and ensure the issue is clearly understood. 

In cases where the processing will continue while the gap is being addressed, it must be clear that an issue may arise before the fix is implemented and this may have repercussions.  The risks that are carried should be assigned owners and timelines for completion and tracked.  At the very least the organisation should be able to show that suitable fixes are in progress. The DPO should provide a progress report on key risks to the board/management team regularly to ensure there is a clear understanding of the potential exposure to the business.

Finally, a word on proactive reviews.  Unfortunately what tends to happen is that the issues find us as opposed to us finding the issues. In other words, the organisation only becomes aware of noncompliance because of a breach or a subject access request or the supplier notifies the organisation of a slip up.  Per my recent blog the Data Protection Programme should allow for proactive compliance reviews.  The ROPA is a great place to start. Identify the high risk processing activities and start working through them.  Undertake targeted reviews of compliance in key areas. Give yourself a goal of reviewing a certain number per year.  Keep the scope tight and give yourself a chance to wrap your arms around it, ie don’t look at all HR processing as it’s too broad.  Look at a particular activity like recruitment, induction or payroll and get a clear picture of the moving parts.  Draw a flow diagram and validate it with the business.  Make sure all the systems involved are identified.  Build a checklist of questions to ask about the processing to help to identify any issues.  We have a great template for this if you want to contact me I will send it to you. 

This is a great way of finding issues before they find you. It’s also an excellent way of formally building Data Protection by Design & by Default into your Data Protection Programme. Happy reviewing 😊