There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.
Story #1: Verifying data subject requests
As in life, it’s advisable not to apply a one-size-fits-all approach to data protection compliance.
An area in which I see this manifest is verifying the identity of individuals who seek to exercise their GDPR rights. Indeed, this very scenario was the subject of a recent regulatory enforcement action taken by the Finnish data protection authority.
The facts in these type of cases tend to fall within a narrow range. Here, the controller required all individuals to provide a signed form and copy of their ID before it responded to the request. The requester declined to do so, the controller refused to honour the request, and the requester complained to the DPA — which ordered the controller to comply with the request.
The rights and wrongs of this practice turn on Article 12(6) of the GDPR, which allows the controller, where it has “reasonable doubts” about the identity of the requester, to ask for additional information in order to confirm that identity.
In some cases those doubts will be reasonable. For example, you may not have an ongoing relationship with the requester. The request may be made on behalf of another person. Or the scope of the right being exercised is sufficiently serious that it is reasonable to check — for example, an individual requesting the deletion of their medical files.
It’s also the case that exercising a data subject right on behalf of the wrong individual is, in most situations, a data breach. So it’s understandable that organisations want to take a belt and braces approach to the verification of requesters.
And, of course, a blanket rule is easier to operationalise.
But this is an aspect of data protection compliance about which individuals often complain — particularly where the additional information requested feels, or is, excessive (e.g., a passport). The fact that this feeling often won’t be based on any legal knowledge is by the by.
If you need to have a verification process in place, individuals will react better — and comply with the process — if it feels benign. For example, asking them to confirm their identity using the contact details you have on file will likely seem reasonable to most people.
Is this the type of issue that'll keep your board of directors up at night? Almost certainly not. But it is important in the context of day-to-day compliance, and it's fairly easy to get right. Do get in touch if you'd like to learn more.
Story #2: The rights and wrongs of drafting privacy notices
Certain aspects of data protection compliance are, if not entirely out of your hands, also not entirely within them.
For example, you can have in place robust technical and organisational measures, but nevertheless suffer a data breach — whether as a result of employee error or a highly sophisticated cyber-attack.
Similarly, you can do your best to address data subjects’ questions and/or concerns about your processing activities, but you can’t stop them complaining to the regulator. Indeed, you have to inform them of their right to do so.
In contrast, the extent to which your privacy notices meet the requirements of Articles 13 and 14 of the EU/UK GDPR (and indeed any laws with such requirements) lies squarely with you.
The fact that these notices are by necessity public-facing (e.g., a website or app or otherwise provided to individuals when you collect their data) means that they will be subject to scrutiny in a way that your internal documentation may never be.
Those factors might lead one to think that European regulators have limited scope to bring privacy notice-related enforcement actions.
In fact, the reality is quite the opposite: non-compliance with the GDPR's transparency requirements constitutes a large slice of the enforcement pie, given the number of notices that don’t contain all of the necessary Article 13/14 disclosures.
It's to be expected that some notices are better than others. They’re more detailed, or clearer, or more creative. And clearly that’s the standard to meet.
But provided that your notice addresses the applicable legal requirements, and isn’t an exercise in legalese, you’ll generally be okay. The EDPB doesn’t award style points.
When trainees join our team, one of the first documents we give them is a privacy notice checklist. It has two columns: one with the Article 13/14 requirements, and the other with a “yes” or “no”. Its effectiveness is in its simplicity, and it works just as well when drafting or reviewing notices.
Candidly, I still sometimes use the checklist myself.
The point here is that, unlike so much in privacy and data protection, we're talking about an aspect of compliance that is as close to binary as its gets.
That doesn’t mean that drafting a privacy notice is always easy. Indeed, the balance of providing sufficient information to allow individuals to understand how their personal data will be processed, but doing so in a digestible way, can often be a real — but engaging — challenge.
Not all notices get the balance right, given that the process is more art than science. But what’s harder to square is a notice that doesn’t contain all of the legal requirements.
Do yours?
The good news is that those requirements are readily accessible. And if it means reviewing your notices against a checklist, so much the better.
Subscribe to Ropes & Gray Viewpoints by topic here.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.