Data Protection News | September 2022

International Data Transfers

As discussed in our August Newsletter, there is an upcoming requirement for Transfer Risk Assessments (“TRAs”) in addition to the supporting International Data Transfer Agreements (“IDTAs”).

When transferring personal data to a ‘restricted country’, an International Data Transfer Agreement and a supporting Transfer Risk Assessment are required. This is a regulatory obligation organisations must meet to remain compliant with the ICO’s guidelines and regulations from this month, the 21st of September 2022.

Hint: A Data Map, which I know some of you have already made a start on, is a great tool for visualising and planning where you may be transferring personal data. It should now include any ‘restricted countries’, which require a TRA and an IDTA before sharing; consider future foreign data projects here too. You may also want to review and update the internal supporting processes and procedures that could be used during this type of exercise.

Children’s Code

Children’s Code Self-Assessment Tool. With many children recently returning to their classrooms, this is a time when many parents may be educating their children about online harms and threats and how they can protect their own personal data.

With this in mind, it is a good time to remind you that this tool is available to you, and to set out some of the key challenges it addresses:

  • Providing child friendly privacy information
  • Assessing the online service appeal to children of different ages and whether children use the service
  • Applying appropriate age assurance measures
  • Implementing new controls to existing services or products

You can find the assessment tool on the ICO’s website https://ico.org.uk/for-organisations/childrens-code-hub/children-s-code-self-assessment-risk-tool/.

ICO Complaint Handling

The ICO has recently published guidance on how small businesses should handle Data Protection related complaints.

You may find that, even with the correct policies and procedures in place, people, including staff, may not be happy with how their personal data has been handled.

How you manage a complaint, from the moment you receive it to the moment you provide a final response, matters: effective complaint handling not only shows the complainant you take their expression of dissatisfaction seriously, it also protects company reputation and can improve service levels.

The ICO’s guidance on how to handle complaints is made up of 6 stages:

Step 1 - Acknowledge Receipt - Provide the subject with information explaining the next steps, give them a point of contact and reassure them you are investigating their complaint. Having a customer-friendly Complaints Procedure is a great way of doing exactly this.

Step 2 - Find Out What’s Gone Wrong / Source of Dissatisfaction - Obtaining as much accurate information as possible is essential when carrying out root cause analysis. If you don’t know what has gone wrong, how are you going to know how to put it right, prevent it happening again, and identify whether the complaint is one that is reportable to the ICO?

Step 3 - Provide Regular Updates - Providing regular updates on where you are with the subject’s complaint reassures them that you take their complaint seriously, helps minimise any frustration they may feel and, in many cases, makes working with the complainant a smoother and nicer process for all. Quite often a company’s customer-facing Complaints Procedure outlines at which stages of the process the subject can expect an update from you.

Should you want further guidance on customer-facing Complaints Procedures and/or how often you should contact complainants, please contact our DPO, who will provide advice on ‘best practice’ and review any regulatory obligations you may have, such as those under the FCA.

Step 4 - Record Your Actions - Make a record of the date you received the data protection complaint and the date your response is due. Keep details of any related conversations and copies of all relevant documents from start to finish, including the reasons for the decisions you’ve made and any action taken, or not taken. This will also provide evidence of what you’ve done, which the ICO or industry bodies may need in the future.

Step 5 - Respond to the Complainant - Having completed your investigation, let the person know the outcome. Clearly explain what you’ve done to resolve the data protection complaint and any actions you’ve taken as a result. Include enough information to help them understand how you’ve reached your conclusion. It can be useful to bullet point the complaint areas and respond to each point, providing appropriate evidence where possible. You should also let the complainant know they have the right to complain to the ICO.

Step 6 - Review Lessons Learned - Once you’ve responded to the complainant, take the opportunity to review what happened and any ‘root cause’ you have identified. Consider whether there’s anything you can learn or improve on to prevent future complaints, and what remedial or preventative measures you could take.

Hint: Keep an eye out for trends. If you routinely see a lot of complaints in similar areas, an appropriate change can make all the difference.

Should you wish to find out more on how to handle complaints, including tone and pace when handling complaints over the phone, please do not hesitate to reach out.

Regulatory Prosecutions

The Irish Data Protection Commission has fined Meta-owned social media platform Instagram €405 million for violations of the General Data Protection Regulation. The fine, which is the second largest GDPR penalty ever handed down, covers alleged violations stemming from Instagram’s default account settings for children aged 13-17, which exposed email addresses and phone numbers associated with child-operated accounts.

It is the third fine for a Meta-owned company handed down by the Irish regulator, after a €225 million fine for WhatsApp and a €17 million fine for Facebook. A Meta spokesperson said:

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

For further information, guidance and advice on any of the subjects mentioned in this month’s TenIntelligence Newsletter, please contact me at lynsey.hanson@tenintel.com

Kind regards,

Lynsey Hanson | DPO