Information Commissioner's Office – The Conversation
2018-02-20T10:42:33Z
GDPR: ten easy steps all organisations should follow
<figure><img src="https://images.theconversation.com/files/206972/original/file-20180219-116368-1b0a6hf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/download/confirm/152537702?size=huge_jpg">Shutterstock</a></span></figcaption></figure><p>Data protection law hasn’t undergone a significant update since the EU brought in legislation in 1995 – just six years after the <a href="https://home.cern/topics/birth-web">birth of the World Wide Web</a>. But GDPR is about to shake things up.</p>
<p>Now, 23 years later, the new law – known as the <a href="https://ec.europa.eu/info/law/law-topic/data-protection_en">General Data Protection Regulation</a> – will replace that <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML">aged directive</a> on May 25 in a move that, according to the UK’s Information Commissioner’s Office, <a href="https://iconewsblog.org.uk/2017/08/25/gdpr-is-an-evolution-in-data-protection-not-a-burdensome-revolution/">signals</a> an “evolution” rather than a “revolution” for data protection.</p>
<p>GDPR is intended to strengthen and unify data protection law in the digital age. It means that any organisation – large or <a href="https://ico.org.uk/for-organisations/business/guide-to-the-general-data-protection-regulation-gdpr-faqs/">small</a> – processing or controlling personal data in the European Union must comply with the legislation, as must organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Unlike the 1995 directive, a regulation applies directly in every member state and does not need to be transposed into national law. Brexit <a href="https://ico.org.uk/media/about-the-ico/documents/2014356/international-strategy-03.pdf">doesn’t change this reality</a>. </p>
<p>Organisations that commit serious infringements – such as repeatedly failing to seek customer consent to process data – will <a href="https://www.eugdpr.org/gdpr-faqs.html">face fines of up to €20m</a> (£17.7m) or 4% of their worldwide annual revenue, whichever is higher. </p>
<p>But despite the alarmist tone about GDPR <a href="http://www.computerweekly.com/news/450426779/NetApp-privacy-chief-warns-enterprises-off-investing-in-GDPR-snake-oil-tech">coming from opportunist salespeople</a>, the best advice for many organisations is to keep calm and carry on. Most organisations already handle personal data about people in the EU, and are already required to comply with the existing 1995 data protection directive. That means much of the infrastructure needed to handle GDPR is in place already. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/eFNRgX049cw?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>GDPR is an opportunity to carry out a quality audit to get rid of bad practices and inappropriate procedures. </p>
<h2>What you need to know</h2>
<ol>
<li><p>If your organisation is a public authority or body, or you process sensitive data on a large scale, or your core activities involve large-scale “regular and systematic monitoring” of individuals, then you will need to appoint a <a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/">data protection officer</a> (DPO), who may be an existing member of staff or an external contractor. The DPO must be independent and should report directly to senior management. Tip: create an information protection unit (IPU) where legal experts and information security specialists from the IT department can work together.</p></li>
<li><p>Help the DPO run an “<a href="https://www.culturerepublic.co.uk/blog/news-&-resources/gdpr-information-asset-register/">information asset audit</a>”. In other words, map your data to determine which department is getting access to which data and for what purpose. Ensure good communication between the IPU and all internal functions, especially IT and marketing. Try to see the DPO as a figure who enables an organisation to function, rather than as just a compliance officer. The DPO can help you adopt “<a href="https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf">privacy-by-design</a>” principles at the time of developing new applications and services relevant to your customers.</p></li>
<li><p>Once you have completed the data asset audit, the DPO will help you find the appropriate “<a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/">legal basis</a>” for processing in each case, and adapt procedures accordingly. Run “<a href="https://www.cnil.fr/en/guidelines-dpia">data protection impact assessments</a>” before starting any processing that is likely to result in a high risk to individuals, such as large-scale profiling or monitoring.</p></li>
<li><p>Be careful with the way you seek permission to process someone’s data. Let the IPU revise your “<a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/">notice and consent</a>” forms. Explain in simple terms to customers what data you are collecting and how you are using that information. Where you rely on consent, give people an easy way to opt in to their data being collected and stored, make withdrawing consent as easy as giving it, and check the accuracy of their information. And remember that people can exercise their rights – access, rectification, erasure, restriction of processing and the right to object – so you need procedures to honour those requests, normally within one month. Find ways that allow people to receive their data in a machine-readable digital form under “<a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/">data portability</a>” rights.</p></li>
<li><p>Let the IPU revise your internal and external information management and security procedures. You need to be sure that your IT providers – such as those offering cloud services – can act as GDPR-compliant processors, with written contracts that set out their data protection obligations, and that high information security standards are adopted all along your data supply chain.</p></li>
<li><p>Revise data transfer and sharing agreements. Use “<a href="https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfers-outside-eu/binding-corporate-rules_en">binding corporate rules</a>” when appropriate. If you operate in various EU countries, make sure you know who your lead data protection authority is; you can ask for help on this from the independent data protection advisory board, the <a href="http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358">Article 29 Working Party</a> (which becomes the European Data Protection Board once GDPR applies).</p></li>
<li><p>Train your employees to handle data appropriately. From customer support service, to HR staff, up to the strategic intelligence unit, all employees must understand some basic lessons about information security and data subject rights contained in GDPR.</p></li>
<li><p>Keep a log of all the decisions you take and be ready to explain and provide evidence of full compliance at any time. Be prepared for the day after your organisation has suffered a data breach. Where a breach is likely to put people’s rights at risk, you must notify the data protection authority within <a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/">72 hours</a> of becoming aware of it, and where the risk is high you must also tell the affected individuals without undue delay; there is no requirement to notify the media. Remember that GDPR is about managing risks and fostering an accountability culture; if correctly implemented, it will help you protect your reputation and your precious information.</p></li>
<li><p>Remember GDPR is not a choice between privacy or innovation: <a href="http://oro.open.ac.uk/53072/">it’s about privacy and innovation</a>. See it as an opportunity to stop hoarding data “just in case” and to better understand what data you actually need to retain, and for how long. GDPR is an opportunity to reduce the risk of being the victim of a data scandal caused by poor privacy practices. </p></li>
<li><p>Foster dialogue within your sector to identify best practices and set new standards. Ask your data protection authority for advice and let your IPU learn from others and share their achievements and concerns. GDPR promotes the creation of <a href="https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-9-codes-of-conduct-and-certifications/">codes of conduct and certification programs</a>. GDPR is about improving industry standards – you are definitely not alone.</p></li>
</ol>
<p>GDPR isn’t something organisations should fear as the clock ticks down to May 25. Take the right steps to build on your existing data-processing frameworks – the rest should be a breeze.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Everything you need to know to prepare your business for changes to data protection law in the EU on May 25.
Sara Degli-Esposti, Research Fellow, Coventry University
Maureen Meadows, Professor, Coventry University
Licensed as Creative Commons – attribution, no derivatives.
2016-03-08T10:26:01Z
Everything you ever wanted to know about nuisance phone calls
<figure><img src="https://images.theconversation.com/files/113887/original/image-20160304-17726-trviyo.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">How not to deal with sales calls</span> <span class="attribution"><span class="source">wavebreakmedia/Shutterstock</span></span></figcaption></figure><p>We’ve all experienced it. Your phone rings, you pick it up, say hello and it’s someone you don’t know trying to sell you something – or a recorded message. Nuisance calls can be irritating, time-wasting and for some people, highly distressing. But can anything be done about them?</p>
<p>In July 2013, the <a href="https://ico.org.uk/">Information Commissioner’s Office</a> (ICO) and the telecommunications regulator, <a href="http://www.ofcom.org.uk/">Ofcom</a>, announced they were <a href="http://stakeholders.ofcom.org.uk/consultations/silent-calls/joint-action-plan/">joining forces</a> to tackle nuisance calls. Then, from April 2015, the <a href="https://ico.org.uk/action-weve-taken/nuisance-calls-and-messages/">ICO was given new powers to crack down</a> on nuisance calls through an amendment to the <a href="https://ico.org.uk/for-organisations/guide-to-pecr/">Privacy and Electronic Communications Regulations</a>, and the results are now starting to be seen. </p>
<p>Only last month the ICO issued its <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/02/record-fine-for-company-behind-staggering-46-million-nuisance-calls/">largest ever fine of £350,000 to Prodial</a>, a company that had made more than 46m nuisance calls. </p>
<p>Manchester-based <a href="http://www.manchestereveningnews.co.uk/business/business-news/marketing-cold-calls-firm-fined-10904916">MyIML</a>, a telemarketing company selling solar panels, was also recently fined £80,000 by the ICO for contacting people who had opted out of receiving marketing calls. </p>
<h2>Why are nuisance calls such an issue?</h2>
<p>One of the main reasons nuisance calls are such a big problem these days is that it has never been so easy or cheap to set up a call centre. Today’s telephone network is essentially one large computer and, with business connection charges falling, all a telesales company needs is a computer loaded with dialler software – which is <a href="https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=call%20centre%20software">readily available from the web</a>. </p>
<p>With <a href="http://www.voipfone.co.uk/What_Is_Voip.php">modern Voice over IP systems</a>, call centres don’t even need their own direct link to the telephone network, so long as they are connected to the internet. The telesales organisation’s computer can then automatically dial telephone numbers, connecting those that answer through to telesales operators or a recorded message. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/113889/original/image-20160304-17714-gy9gyt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Don’t call us, we’ll call you!</span>
<span class="attribution"><span class="source">Tyler Olson/shutterstock</span></span>
</figcaption>
</figure>
<p>There are generally considered to be <a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/?a=0">three types</a> of nuisance call. <a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/live-marketing-calls/">Live calls</a> are unwanted calls from a real person, normally from a telesales company. <a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/recorded-message-marketing-calls/">Automated calls</a> result in you hearing a pre-recorded marketing message when you answer the phone. And <a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/abandoned-and-silent-calls/">silent or abandoned calls</a> are just that – when you answer the phone no one’s there, typically because an automated dialler has rung more people than it has agents free to speak to them. Then there’s also the issue of unwanted <a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/marketing-texts/">SMS text messages</a>. </p>
<p>In January 2016, <a href="https://ico.org.uk/action-weve-taken/nuisance-calls-and-messages/">the ICO received 9,633</a> reports of nuisance calls to be investigated: 45% of these related to automated calls, 42.5% live calls and 12.5% SMS text messages. </p>
<h2>How can you stop nuisance calls?</h2>
<p>With nuisance calls becoming such a, well, nuisance, the telephone providers are now moving to tackle the problem at source. <a href="http://help2.talktalk.co.uk/how-do-i-manage-nuisance-calls">TalkTalk</a> has expanded its HomeSafe system to monitor the frequency of calls from a given number and to automatically block those that exceed a threshold from even reaching a customer’s phone. And in February this year, <a href="http://home.bt.com/news/bt-life/bt-offers-breakthrough-service-to-divert-huge-numbers-of-nuisance-calls-11364039280071">BT announced a similar service</a> is to be rolled out across its network. </p>
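<p>TalkTalk and BT describe this kind of rate-based blocking only in outline. As an added illustration that is not code from the article or from either provider, the Python below models the two signals a carrier could compute from its call detail records: a sliding-window count of calls per calling number, and the share of picked-up calls that were abandoned. The CDR lines, the CDR column layout and every threshold are constructed assumptions for the example rather than any provider’s or regulator’s real settings.</p>

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample call detail records (CDRs) for three calling numbers; not real data.
# Columns: UTC timestamp, calling number (CLI), called number, talk time in seconds, disposition.
# "abandoned" = the call was picked up but the caller's side dropped it with no agent available.
SAMPLE_CDRS = """\
2016-03-04T09:00:00Z,+441610000001,+441614440001,12,answered
2016-03-04T09:00:05Z,+441610000001,+441614440002,0,abandoned
2016-03-04T09:00:10Z,+441610000001,+441614440003,9,answered
2016-03-04T09:00:15Z,+441610000001,+441614440004,0,no_answer
2016-03-04T09:00:20Z,+441610000001,+441614440005,0,abandoned
2016-03-04T09:00:25Z,+441610000001,+441614440006,15,answered
2016-03-04T09:00:30Z,+441610000001,+441614440007,11,answered
2016-03-04T09:01:00Z,+441610000002,+441614440008,120,answered
2016-03-04T09:02:00Z,+441610000003,+441614440009,30,answered
2016-03-04T09:03:30Z,+441610000003,+441614440010,25,answered
2016-03-04T09:05:00Z,+441610000003,+441614440011,0,abandoned
2016-03-04T09:06:30Z,+441610000003,+441614440012,40,answered
2016-03-04T09:11:00Z,+441610000002,+441614440013,60,answered
"""

# Assumed, illustrative thresholds; not TalkTalk's, BT's or Ofcom's actual settings.
MAX_CALLS_PER_WINDOW = 5     # more than this many calls from one CLI inside the window
WINDOW_SECONDS = 60          # length of the sliding window
MAX_ABANDONED_RATIO = 0.03   # abandoned calls as a share of calls that were picked up


def parse_cdr(line):
    """Parse one CDR line into (timestamp, caller, callee, duration, disposition)."""
    ts, caller, callee, duration, disposition = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, caller, callee, int(duration), disposition


def find_nuisance_callers(cdr_text, max_calls=MAX_CALLS_PER_WINDOW,
                          window=WINDOW_SECONDS, max_abandoned_ratio=MAX_ABANDONED_RATIO):
    """Return {caller: [reasons]} for CLIs whose pattern looks like an automated dialler.

    "rate": more than max_calls calls within any window of `window` seconds.
    "abandoned": abandoned calls exceed max_abandoned_ratio of answered+abandoned calls.
    """
    records = sorted((parse_cdr(line) for line in cdr_text.splitlines() if line.strip()),
                     key=lambda r: r[0])
    recent = defaultdict(deque)                 # caller -> timestamps inside the sliding window
    picked_up = defaultdict(lambda: [0, 0])     # caller -> [answered, abandoned]
    flagged = defaultdict(set)

    for when, caller, _callee, _duration, disposition in records:
        # Slide the window: drop timestamps more than `window` seconds before this call.
        times = recent[caller]
        times.append(when)
        while (when - times[0]).total_seconds() > window:
            times.popleft()
        if len(times) > max_calls:
            flagged[caller].add("rate")

        if disposition == "answered":
            picked_up[caller][0] += 1
        elif disposition == "abandoned":
            picked_up[caller][1] += 1

    # Abandoned-call ratio is judged over the whole record set, not per window.
    for caller, (answered, abandoned) in picked_up.items():
        total = answered + abandoned
        if total and abandoned / total > max_abandoned_ratio:
            flagged[caller].add("abandoned")

    return {caller: sorted(reasons) for caller, reasons in flagged.items()}


if __name__ == "__main__":
    for caller, reasons in sorted(find_nuisance_callers(SAMPLE_CDRS).items()):
        print(caller, ", ".join(reasons))
```

<p>Run as a script it flags the first constructed number for both rate and abandoned calls, the third for abandoned calls only, and leaves the second (two answered calls ten minutes apart) alone. A real deployment would key on the originating trunk or customer account rather than on the presented CLI, because, as the “spoofing” section below notes, the displayed number can be faked; it would also need an allow-list, since a genuinely busy number such as a school switchboard can trip a pure rate rule.</p>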
<p>But on top of this, there is also a lot you can do yourself to help reduce the number of calls. First off, you should always report nuisance calls to either the ICO or Ofcom – so they can be investigated. It’s all too easy to get annoyed and slam the phone down, but if you take a minute to gather as much information as possible and pass it on to the relevant organisation, at least then you might be saving someone else from the nuisance of nuisance calls in the future.</p>
<p>You should also register with the <a href="http://www.tpsonline.org.uk/tps/index.html">Telephone Preference Service</a>. While this alone won’t stop nuisance calls, because it relies on the compliance of organisations, it does act as a deterrent, and is well worth doing if you haven’t done so already. </p>
<p>Another way of managing nuisance calls is by using <a href="https://www.nfon.com/gb/solutions/resources/glossary/clip/">caller line identification</a> (CLI) – which lets you see the number of the person calling you. If you don’t recognise it, you simply have the option of not answering, though bear in mind that the displayed number can be faked. You can also use call blocking either on your phone or through your telephone provider to stop calls from specific numbers. </p>
<p>Another tip: don’t speak immediately but listen when you answer the phone, because if the line stays silent for a moment there’s a good chance it’s an automated dialler waiting to connect you to a telesales operator. </p>
<p>And of course, you’ve probably heard it before, but do be very careful of the small print on any paper or online form you complete, as you may inadvertently be allowing that organisation to contact you for marketing purposes – effectively saying yes to cold calling. </p>
<h2>Will they ever go away?</h2>
<p>Over the years, telecommunications firms have benefited from connecting companies to their networks and through the sale of services such as call blocking, so it is good to see some of that now being re-invested into tackling nuisance calls. </p>
<p>However, the next challenges are already emerging with a growing number of nuisance calls now being directed towards mobile phones. “<a href="http://consumers.ofcom.org.uk/phone/tackling-nuisance-calls-and-messages/phone-spoof-scam/">Spoofing</a>” has also become a big issue, with telesales companies now able to deceive us, and the network providers, by faking their own telephone number to get you to take the call. </p>
<p>So while it is good to see the regulators have begun the fightback with a renewed determination, sadly, so long as it remains profitable for telesales companies to operate, nuisance calls will continue to plague us. Even if overall volumes are reduced, each one we receive is still a nuisance.</p>
<p class="fine-print"><em><span>Nigel Linge is a Fellow of the IET, ITP and BCS Professional Institutions.
He has also received funding for research projects from the EPSRC and EU.</span></em></p>
Is hanging up the only way of getting rid of cold callers?
Nigel Linge, Professor, Computer Networking and Telecommunications, University of Salford
Licensed as Creative Commons – attribution, no derivatives.
2015-08-24T16:00:43Z
Privacy watchdog takes first step against those undermining right to be forgotten
<figure><img src="https://images.theconversation.com/files/92808/original/image-20150824-17799-a76gt4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It's not erasing the past, just making memories fuzzier.</span> <span class="attribution"><span class="source">chalkboard by sergign/shutterstock.com</span></span></figcaption></figure><p>The UK’s data privacy watchdog has waded into the debate over the enforcement of the <a href="https://theconversation.com/googles-lip-service-to-privacy-cannot-conceal-that-its-profits-rely-on-your-data-37592">right to be forgotten</a> in Europe. </p>
<p>The Information Commissioner’s Office <a href="http://www.theguardian.com/technology/2015/aug/20/google-ordered-to-remove-links-to-stories-about-right-to-be-forgotten-removals">issued a notice to Google</a> to remove from its search results newspaper articles that discussed details from older articles that had themselves been subject to a successful right to be forgotten request.</p>
<p>The new reports included, wholly unnecessarily, the name of the person who had requested that Google remove reports of a ten-year-old shoplifting conviction from search results. Google agreed to this right to be forgotten request and de-linked the original reports of the conviction, but then refused to do the same for the new articles that carried the same details. Essentially, Google had granted the subject’s request for privacy, and then allowed it to be reversed via the back door. </p>
<p>The ICO’s action highlights the attitude of the press, which tries to draw as much attention to stories related to the right to be forgotten and their subjects as possible, generating new coverage that throws up details of the very events those making right to be forgotten requests are seeking to have buried.</p>
<p>There is no expectation of anonymity for people convicted of even minor crimes in the UK, something the press takes advantage of: such as the regional newspaper which tweeted a picture of the woman convicted of shoplifting a sex toy. However, after a criminal conviction is spent, the facts of the crime are deemed “irrelevant information” in the technical sense of the UK <a href="http://www.legislation.gov.uk/ukpga/1998/29/contents">Data Protection Act</a>.</p>
<p>The arrival of the right to be forgotten, or more accurately the right to have online search results de-linked, as <a href="http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf">made explicit by the EU Court of Justice in 2014</a>, does not entail retroactive censorship of newspaper reports from the time of the original event. But the <a href="http://www.theguardian.com/technology/2015/may/14/dear-google-open-letter-from-80-academics-on-right-to-be-forgotten">limited cases published by Google so far</a> suggest that such requests have normally been granted, except where there was a strong public interest.</p>
<h2>Stirring up a censorship storm</h2>
<p>It’s clear <a href="https://www.google.com/advisorycouncil/">Google does not like the right to be forgotten</a>, and it has from early on sent notifications to publishers of de-listed links in the hope they will cry “censorship”. Certainly BBC journalist Robert Peston felt “<a href="http://www.bbc.co.uk/news/business-28130581">cast into oblivion</a>” because his blog no longer appeared in search results for one particular commenter’s name. </p>
<p>It’s not clear that such notifications are required at all: the European Court of Justice judgment didn’t call for them, and the publishers are neither subject (as they’re not the person involved) nor controller (Google in this case) of the de-listed link. Experts and even the ICO have hinted that Google’s efforts to publicise the very details it is supposed to be minimising <a href="http://informationrightsandwrongs.com/2014/09/13/dancing-to-the-beat-of-the-google-drum/">might be viewed as a privacy breach or unfair processing</a> with regard to those making right to be forgotten requests.</p>
<h2>The Barry Gibb effect</h2>
<p>De-listing notifications achieve something similar to the <a href="http://www.economist.com/blogs/economist-explains/2013/04/economist-explains-what-streisand-effect">Streisand effect</a>, where publicity around a request for privacy leads to exactly the opposite result. I’ve previously called the attempt to stir up publisher unrest the <a href="https://blogs.kent.ac.uk/eerke/2014/09/15/the-barry-gibb-effect-it-oughta-be-illegal/">Barry Gibb effect</a>, because it goes so well with Streisand. So well, maybe <a href="http://www.youtube.com/watch?v=nVyeNZCENZA">it oughta be illegal</a>. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nVyeNZCENZA?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Some publishers are happy to dance to Google’s tune, accumulating and publishing these notifications in their own lists of de-listed links. Presumably this is intended to be seen as a bold move against censorship – the more accurate “List of things we once published that are now considered to contain irrelevant information about somebody” doesn’t sound as appealing. </p>
<p>In June 2015, <a href="http://www.bbc.co.uk/blogs/internet/entries/1d765aa8-600b-4f32-b110-d02fbf7fd379">even the BBC joined in</a>, and comments still show that readers find salacious value in such a list.</p>
<h2>Upholding the spirit and letter of the law</h2>
<p>While some reporters laugh at the idea of deleting links to articles about links, this misses the point. The ICO has not previously challenged the reporting of stories relating to the right to be forgotten, or lists of delisted links – even when these appear to subvert the spirit of data protection. But by naming the individual involved in these new reports, the de-listed story is brought straight back to the top of search results for the person in question. This is a much more direct subversion of the spirit of the law.</p>
<p>Google refused the subject’s request that it de-list nine search results repeating the old story, name and all, claiming they were relevant to journalistic reporting of the right to be forgotten. The ICO judgement weighed the arguments carefully over ten pages before finding for the complainant in its <a href="https://ico.org.uk/media/action-weve-taken/enforcement-notices/1432380/google-inc-enforcement-notice-18082015.pdf">resulting enforcement notice</a>. </p>
<p>The ICO dealt with 120 such complaints <a href="https://ico.org.uk/media/about-the-ico/documents/1431982/annual-report-2014-15.pdf">in the past year</a>, but this appears to be the only one where a Google refusal led to an enforcement notice.</p>
<p>The decision against Google is a significant step. However, its scope is narrow as it concerns stories that unwisely repeat personally identifying information, and again it only leads to de-listing results from searches of a particular name. It remains to be seen whether <a href="http://www.theguardian.com/technology/2015/jul/01/bbc-wrong-right-to-be-forgotten">other more subtle forms of subversion</a> aimed at the right to be forgotten will continue to be tolerated.</p>
<p class="fine-print"><em><span>Eerke Boiten receives funding from EPSRC for the CryptoForma Network of Excellence on Cryptography and Formal Methods, and the Kent Academic Centre of Excellence in Cyber Security Research, as well as from the EU for an Innovative Training Network in Cyber Security.</span></em></p>
Google and the media have done their bit to try and subvert the right to be forgotten, but an ICO ruling suggests it’s beginning to take notice.
Eerke Boiten, Senior Lecturer, School of Computing and Director of Academic Centre of Excellence in Cyber Security Research, University of Kent
Licensed as Creative Commons – attribution, no derivatives.