Data Transfers, Israel, It’s probably common knowledge amount DPOs that the European Commission approved Israel’s status as a country that provides an adequate level of protection for personal data transferred from the EU – i.e. that has an adequacy decision.

The decision removes many significant substantive obstacles that companies previously needed to overcome in order to transfer personal data from the EU or the UK to Israel. In practical terms the decision will make it easier for EU and UK entities to engage Israeli service providers (for example, in the area of financial services or analysis, insurance services or health data processing), for international companies to share personal data with their Israeli headquarters or affiliates, and for Israeli companies to conduct business with the EU.

“Let’s say, ‘caveat’

Our consultancy team looked into this in more detail, and after discussing the matter with several departments within the ICO we discovered there is a, let’s say, ‘caveat’.

Regulatory bodies have taken the stance that Israel’s adequacy decision only applies to the state of Israel as recognised by international law. This means it does not apply to the Golan Heights, the West Bank (including East Jerusalem) or the Gaza Strip.  This will include significant cities that house many companies providing services to EU and UK clients. These include Gaza City, Hebron, Nablus, Rafah and Ramallah.

If personal data is transferred to Israel and then on to any of these areas, the second part of the transfer will require an additional safeguard and almost certainly a transfer risk assessment to comply with the GDPR.

We’re sharing these findings because what it means in practical terms is that if the personal data your company is responsible for is finding its way to these locations, and you haven’t done the extra work to validify the transfer, you could be found to have breached the law.

It’s the ‘what if’ situation… What if there was an issue and the regulator asked you to justify why you were sending personal data to a place where it may not have been secure?

If this affects you and your business, if you want to be compliant with the GDPR and build a structured data security management strategy, Ametros Group specialises in just that.

Do you need help with GDPR?

Remember that the GDPR wasn’t created to make it more difficult for you to run you business, or to be profitable, no one wants to make things harder than they have to be; you just need to make the right decisions for your business.

We represent and support hundreds of organisations as their independent external Data Protection Officer, and we’ll always happy to take on new clients.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

GDPR Fine for Instagram, USA, Instagram, another company owned by Meta (same company that owns Facebook and WhatsApp) has been given notice of a £349 million fine for improper use of children’s personal data; it was actually €405 million Euros as it was imposed by the Irish GDPR regulator against Meta’s EU head office in Ireland.

Meta have obviously appealed the fine and we’ll have to wait to see how it pans out, diplomacy and politics will now play their part, but it’s interesting because this is the second fine in recent history to be aimed by the DPC (Irish Data Protection Commission) at this organisation. WhatsApp was hit with a €225m fine roughly this time last year for ‘Insufficient fulfilment of information obligations’ which (without reviewing the actual case file) says to me they weren’t providing enough detail on exactly what they were intending to do with your personal data after they got it…

Meta appeal £349M GDPR Fine

I find all this especially interesting as we at Ametros Group were approached recently by a US based company who, whilst concerned about GDPR and their EU/UK data handling, asked us if we could help them with their approach to the Children’s Online Privacy Protection Rule (COPPA).

COPPA is a US Federal Trade Commission act that imposes requirements for online services directed at children.

Any improper use of personal data, or failure to protect personal data, is a potential ‘black eye’ for an organisation should it come to the attention of the regulators, but mishandling children’s information will always carry a more serious penalty. The best defence is preparation; understanding what your organisation does with personal data and how it does it, then comparing that to a how regulators would expect you to mange your operations in contrast to the principles of the GDPR.

This doesn’t need to be difficult, costly, or even time consuming.

Do you need help with GDPR?

Remember that the GDPR wasn’t created to make it more difficult for you to run you business, or to be profitable, no one wants to make things harder than they have to be; you just need to make the right decisions for your business.

We represent and support hundreds of organisations as their independent external Data Protection Officer, and we’ll always happy to take on new clients.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

Under GDPR, certain organisations are required to appoint a Data Protection Officer (DPO). This includes public authorities and organisations that process special category personal data on a large scale. Though it is not a legal requirement for most, appointing an independent external DPO will demonstrate your commitment to GDPR and protect you from enforcement action.

What Does the Data Protection Officer Do?

Under GDPR, organisations must appoint a DPO (a.k.a. “Data Protection Officer”) to help ensure that they are aware of their GDPR obligations and can meet them. The DPO will also be responsible for ensuring that GDPR compliance is monitored and maintained. The DPO will be expected to act as a point of contact for the ICO (the UK data protection authority) and to cooperate with enforcement action on behalf of the organisation they represent.

Who should your Appoint as your Data Protection Officer

The Data Protection Officer (DPO) role under GDPR requires that they have “expert knowledge pertaining to data protection law” and be appointed based on professional qualities and their ability to fulfil the role. There is also a requirement for the DPO to have no conflict of interest.

In April 2020, a company in Belgium was fined €50,000 for appointing their Head of Compliance, Risk Management and Auditing to be their DPO. The regulator found that there was a significant conflict of interest with their other duties, and so the precedent was set that an internal DPO should be dedicated to that job, and that job alone.

Managing the DPO

The DPO is required by law to report to the highest levels of management and be allowed to carry out their duties without receiving instructions on the exercise of those tasks.

Outsourced DPO

Outsourcing can be a good way to secure a DPO. By hiring someone who has the necessary knowledge and experience, and who is independent and without conflict of interest, you can avoid any potential issues.

Data Protection Officer Outsourcing is a cost-effective way to secure professional representation. You can reserve a fixed monthly support allowance, and only pay for the time you need.

We have a vast amount of experience in the healthcare and charity sectors and provide expert compliance services to protect over £3Bn of assets world wide.

Our Outsourced DPO Services Team

Our Ametros Group DPO service is provided by a team of fully-employed DPOs who work exclusively for us. We do not outsource any of our duties to any third-party DPO providers, and we take our obligation to represent and support your organisation very seriously.

We have a team of experts available to offer advice and assistance whenever you need it.

Worried about GDPR Compliance?

If you’re worried about complying with privacy regulation, our consultancy can help you figure out the best way to do so without risking any legal liability. Contact Ametros Group to get started.

We’re here to help…

If you deal with personal data then you will need to comply with data privacy law, depending on how and where your organisation operates will have a direct link with the laws you must comply with. An outsourced data protection officer will help you achieve this cost-effectively.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 (DPA 2018) through consultancy, compliance framework implementation, auditing, outsourced DPO and EU/UK Representative services.

Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data privacy excellence around the globe. Our consultant led approach to data privacy has helped organisations of all sizes and from all sectors comply with EU GDPR and the DPA 2018.

Our team of privacy specialists can help you comply with privacy regulation across the globe and professionally represent your organisation to the various supervisory authorities.

Press Contact

Ametros Group

press@ametrosgroup.com

Covid-10, (or Coronavirus), is making its way around the globe and everyone is putting coping mechanisms in place: governments, people, and businesses. Perhaps the biggest impact, and lasting impact, will be the working practices that are being put in place to minimise contact with other people, reducing the chance of catching the bug yourself and then passing it on to others – Working from Home.

I remember being told once that the two most expensive components of running a business are head count and floor space. Given the current climate, that Covid-19 is still spreading and it’s still likely to get worse before it starts getting better, home and remote working procedures are most likely going to be in effect for the next two to three months, but what happens after that?

If a company can continue operating for that long with key personnel working from home, it would beg the question ‘can we continue to work this way?’ Rent is a huge overhead, and bringing it down 50% could be an enormous saving; once the infrastructure is in place and the working procedures are set out, what are the advantages to reverting and bringing everyone back to the office?

Key Considerations for Remote Working

Communication, both internal and external. Home working protocols should have little to no impact on how customer contact you; any disruption to channels of communication (however understandable they may be) will give existing customers a poorer experience and will make it harder for potential new contacts to speak with the right person.

Efficiency, managing and sharing workloads quickly and effectively, giving those home workers the resources to do their job remotely with the same speed and consistency they would do at the office. This will mean access to systems and data, and the ability to share those systems and data with other members of the team through the internet.

Oversight, managing staff is a delicate art; understanding, motivation, encouragement, discipline, example, coaching. All these things (and many more) are things a leader has to give their team, but how do you get the best out of your team if you don’t see them? How can you be sure that they are motivated and doing their jobs to the standard you’ve set?

How indeed… That’s a tough one for home working; but with strong communication and efficient home working systems, managing a team of people remotely can be easily achieved.

Security, and here is the main point of the article, data security. I’ve spoken with a lot of people about the remote working procedures they are putting in place and always the main concern, the main question ‘Will it be GDPR compliant?’

Compliance with data protection law surrounding security measures and working practices is not black and white. The regulator can judge your organisation on its own specific approach to data security and the priority you attach to it, there is no ‘one-size-fits-all’ to data security which means the way we work from home will probably differ to they way you do; but the fundamentals are the same.

You must remain in control of the data; if an employee working from home were to quit, or if their house was burglarised and their computer stolen, what is the level of risk that presents, both to the individuals whose personal data was on the machine, and the risk to the company?

For people working from home – Consider some basics

Is the location secure, keep machines out of site and possibly locked up and night and when unattended.

Is the system secure, ensure all home/mobile equipment has appropriate security software

Is the system up to date, make sure that security software updates are being installed and that the data they are accessing is synchronised with other members of their team

Is the data secure, check that unauthorised persons won’t have access to company data; setting up users to work from home computers that are shared by family members for example is a poor practice.

Are you in control, f there was a problem, are you in control of the remote system and the data on it? Can you revoke access, disable accounts, remove data, etc…

In conclusion, I would suggest home working practices are progressive; but like any other aspect of running a business it must be managed properly. Remember that whilst your staff are working from home, that then becomes an extension of your business and you are responsible for what happens there.

If you need any help assessing or updating your Covid-19 response procedures, home working practices, or data security compliance in general, call Ametros Group and our team of DPOs will be able to help.

Are you in control of the data that was on that device?

Having staff working from home could be something companies look to invest in more, not only for cost saving but because it’s greener, less commuting, less fuel being burnt, less emissions. Climate change is something more businesses are taking notice of and reducing greenhouse gas emissions or becoming ‘carbon neutral’ is something the business world is keen to promote.

During the current situation with Covid-19 I would recommend that the authorities would be quite understanding of companies that are putting remote working procedures in place, but the ICO will still hold businesses accountable for their practices.

If your home working systems are poorly considered and do not have proper security controls, it could result in enforcement actions. Remember that the principal of Accountability means you are responsible for all of the data you process.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

GDPR Fine for estate agent, Frankfurt, the 30^th October 2019 the Berlin Commissioner for Data Protection issued a whopping fine of approximately €14,500,000 (or roughly £12,400,000) to a Property company based in Frankfurt called ‘Deutsche Wohnen SE’.

Before we say anything else, it’s important to remember that Deutsche Wohnen’s reported turn over in 2018 was 1.4 billion Euros, which makes this an approximately 1% fine. The Commissioner concluded that under the circumstances the maximum fine they could have imposed would have been 28 million Euros (2%). Always remember to perspective with matters concerning data protection, and ‘Don’t Panic’…

So, why were they fined such a huge amount of money?

Basically, because they were retaining personal data for longer than was necessary.

What’s interesting about this is that there was no data breach, no specific problem had occurred, but during onsite inspections the Commissioners agents found that the company was using an archive system to store their tenants data that didn’t allow for records to be removed when no longer necessary. They found personal data that dated back years, though the tenants had long ago left; in terms of data protection law this is referred to as data that is no longer necessary for the purpose it was originally collected.

In light of this enforcement action the National Association of Estate Agents (the NAEA) has warned all UK estate agents to review their own GDPR and data protection compliance systems and processes. The advice they are giving (quite rightly in my opinion) is that the judgement by the German regulator will be viewed by other regulators (including the ICO in the UK) as an indicator of fines, and that similar action will be taken if other property companies are found to be causing the same infraction.

In light of this enforcement action the National Association of Estate Agents (the NAEA) has warned all UK estate agents to review their own GDPR and data protection compliance systems and processes. The advice they are giving (quite rightly in my opinion) is that the judgement by the German regulator will be viewed by other regulators (including the ICO in the UK) as an indicator of fines, and that similar action will be taken if other property companies are found to be causing the same infraction.

Reviewing and creating an evidencable GDPR compliance strategy is not as difficult as it may seem, but it is a process. That doesn’t mean it has to be a painful process; our approach at Ametros Group is to try and use that process to not only build a string foundation of compliance into the business to protect it, but to use the process to actually improve the way the business runs. Introduce improvements that can reduce waste, make your staff more efficient, allow the company to work more flexibly…

Remember that the GDPR wasn’t created to make it more difficult for you to run you business, or to be profitable, no one wants to make things harder than they have to be; you just need to make the right decisions for your business.

Unsure how to proceed?

Remember that the GDPR wasn’t created to make it more difficult for you to run you business, or to be profitable, no one wants to make things harder than they have to be; you just need to make the right decisions for your business.

We represent and support hundreds of organisations as their independent external Data Protection Officer, and we’ll always happy to take on new clients.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

ICO takes action, UK Data Protection Regulator, it’s not uncommon that computer users in small businesses share the same levels of access due to profiles being copied when a new starter joins the business. This is a practice you should work to avoid in order to protect both your company and its staff. Some members of staff my find they have access to things that aren’t appropriate to their job role and access this information anyway because they can and out of curiosity, this can however have devastating consequences and can result in prosecution.

Michelle Shipsey is one employee that found out the hard way after being prosecuted by the ICO. She accessed social care records without authorisation and without any business need to do so. It was later discovered the records related to four individuals known to Ms Shipsey.

Pleading guilty to one offence of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. She was sentenced to a 6-month conditional discharge, ordered to pay costs and victim surcharges.

Could this ICO action have been avoided?

Probably, it’s in human nature to be inquisitive, and when sat in front of a computer screen some individuals think it wont hurt to open or access files that are available to them, even though they are not necessarily related to their job role. Staff training, good IT security protocols and employee guidance are key to protecting both staff and personal data. Make sure you all new starters are trained and receive a copy of your acceptable use policy (AUP), ensure the AUP has clear guidance surrounding accessing and storing personal identifiable information and ensure the AUP also outlines potential disciplinary procedures and criminal prosecution under the Data Protection Act 2018.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

Data Protection Fee, UK Data Protection, hasn’t gone unnoticed that the Information Commissioners Office (ICO) has started its program of contacting organisations who haven’t paid their data protection fee; the roll out of compliance with the GDPR and DPA 2018 continues.

From May 2018 the every organisation or sole trader in the UK that processes personal data were required to pay a data protection fee to the ICO (though there are some exceptions), and would appear that the ICO is now taking steps to ensure everyone has paid. They have started the process of comparing the data protection register with organisations listed on Companies House, and from those records they are contacting everyone who is not yet registered.

If you receive such a letter some of the questions you’ll need to ask yourself are ‘Is the company exempt?’ and if it’s not then ‘What tier does the company fall into?’, of which there are three. Then the bigger questions ‘Is the company actually compliant with new data protection regulations?’

Data Protection Representative

It’s important to be aware that since Brexit a couple of other requirements have come into force. UK based organisations that process the data of EU citizens will need to appoint an EU Representative under article 27. Likewise, organisations that are based in the EU and process data belonging to UK citizens will need to appoint a UK Representative. If you need help to determine if you need to appoint a representative please contact a member of our data protection consultancy team who will be happy to assist.

Paying the UK Data Protection Fee

Paying the data protection fee isn’t especially difficult, the ICO has an online payment portal (https://ico.org.uk/registration/new) that you can use, and if you receive a letter reminding you to pay the data protection fee they will give you about a months grace to take care of it. The last thing you should do in this situation is ignore it, the ICO can fine an organisation up to £4,350 for not having paid the fee (or for having registered as the wrong tier), and considering the cost for a Tier 1 organisation is only £40.00pa and Tier 2 is £60.00 pa (Tier 3 being £2,900) it’s certainly more cost effective to pay the fee than pay the penalty.

There are other tools available on the ICO website that can help; they have a self-assessment process (https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/) which can help you determine which tier your company fits into.

Remember that the data protection fee applies to ‘Organisations that are Data Controllers’ and separate fees must be paid for individual companies. If you have multiple sites that are part of the same legal entity then a single fee would cover all of them, but if you own multiple limited companies that process personal data in their own right then they will each need to register with the ICO as a separate entity and pay the required data protection fee.

Ultimately when it comes to the GDPR, the Data Protection Act 2018 and the ICO, the best offense is a good defence. Any decent DPO worth their salt would be able to help an organisation address and update it’s compliance status from a ‘top down’ perspective, ensuring that compliance measures, security controls and the culture of data protection starts in the board room and permeates through every level of the business.

If you receive a letter from the ICO (or from any third-party organisation or authority) that calls into question the compliance of your business it’s best to be prepared. We would recommend consolidating your risk in a single compliance strategy that would show accountability. This is something that is key to every organisations data protection compliance, accountability; as every company operates differently, no two will have exactly the same compliance strategy (other than the standard mandatory compliance measures of course), so your approach has to be specific and appropriate, and you should be able to show that the company is accountable for the decisions that went into creating that approach.

The larger the organisation the more considerations have to be made, and the more people have to be involved, which of course means it will take longer to implement. For smaller businesses, those in the SME sector, this doesn’t have to be a painful process at all. If you need any help working out your own data protection fee, or if you’d like to consider appointing an external independent (and affordable) DPO, then give Ametros Group a call; We’re always happy to help.

Be vigilant for scams, we are aware a number of businesses have been contacted for payment of the data protection fee by fraudsters. You should only pay the data protection fee by visiting the ICO’s website and selecting Pay fee, renew fee or change your details from the menu provided.

Top Tip: When paying the Data Protection Fee make sure you select to pay by direct debit, this way you will wont risk missing registration next year. Paying via direct debit is a quick and reliable method to make sure you remain registered with the ICO. Failure to keep up with your Data Protection Fee can result in monetary penalties under the UK Data Protection Act 2018. It’s important that you pay the correct fee and review this on an annual basis to avoid complacency. If in doubt, we recommend you speak to a member of our team here at Ametros, we can help guide you to make the right decision on which data protection fee you need to pay, and our data privacy experts can help ensure you remain complaint with an annual compliance review.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultant led compliance framework, GDPR implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data protection consultants have worked with FTSE100, Fortune500 and SMEs to deliver data protection consultancy excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com

Data Protection, Cyber Security, Donec pede justo, ipGaming company EA has come up with a fantastic way to incentivise IT security with their customers. Anybody who signs up to their 2 factor authenification during October will get a free month of Origin Access Basic, which will allow users access to hundreds of games.

This is a great way to get customers to take cyber security seriously and shows that EA take their responsibility seriously in trying to protect their customers.

All businesses should try and adopt this kind of approach and think about how they can encourage customers to be more careful online.

About Ametros Group

Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.

Press Contact

Ametros Group

press@ametrosgroup.com