Jocelyn S Paulley
Partner
Co-leader of Retail & Leisure Sector (UK)
Co-leader of Data Protection and Cyber Security sector (UK)
On-demand webinar
Jocelyn Paulley: Good afternoon everyone and welcome to Gowling WLG's first ever IT Masterclass by Webinar. We are very pleased you could all join us this afternoon when we are going to be talking on a range of topics broadly along the theme of what has been happening in the last six months since GDPR went live on 25 May.
My name is Jocelyn Paulley, I am a Data Protection and IT Specialist and I will be looking at some of the common implementation issues that we saw clients experience and then have a brief look at data protection in the context of Brexit towards the end.
Rocio De La Cruz: And you've also got Rocio De la Cruz. I am a Data Protection and Information Lawyer here at the firm. During the last year, I have been helping clients on the implementation and development of the data protection regime and I will cover the importance of looking at the Data Protection Act and the GDPR together.
Helen Davenport: And I am Helen Davenport a Director at Gowling WLG and I help clients with contentious data privacy issues and also technology disputes and I will be speaking today on dealing with data breaches following the GDPR.
A few housekeeping points before we get started, we have allowed some time at the end for questions so as we are going through please ask as many questions as you have through the webinar platform and we will answer as many as we can at the end. Secondly, as Jocelyn has said this is the first time we have done an IT Masterclass webinar. Hopefully, many of you will have attended one of our IT Masterclasses at our Birmingham and London offices that we have now been running for over ten years. At the end of this session, we would be grateful of your feedback on this new format and we also already have IT Masterclasses in the traditional format planned for January 2019 so if there is anything you would particularly like us to cover in that session please let us know that too. Having covered those points, I will now hand over to Jocelyn to talk about common implementation issues.
Jocelyn: So what have we been finding since the 25 May? Well happily, there were those companies who were well organised and had completed their compliance programmes by the date that the legislation came into force, so congratulations to those. There are, however, still a substantial number who were not ready at the date who are working through compliance regimes and in a risk-based fashion addressing the points in order of priority. If you are in that camp, you should certainly keep working towards your dates and your roles and keep the programme going in line with what you had committed to do.
It's not all plain sailing though, I think, for those who are now into business as usual privacy governance. Some clients are finding that, once the project team who had been assembled for the compliance programme has dispersed, the new people enrolled such as privacy managers and data protection officers are having some trouble picking up the reins from those projects. Maybe documents weren't stored centrally and have been dispersed, or knowledge about decisions and why they were made wasn't documented, which would have made it easy for those following them to pick up and run with and manage afterwards.
Other companies are coming back to look at broader governance issues that they identified in the course of their GDPR compliance. Often companies found that to truly address issues such as implementation of subject access rights and deletion of documents and document retention, what was really required for a slick solution was a broader document management or information management regime and software and procedures so it was easier to find and locate information, easier to search through it, easier to set rules around deletion and retention. That's clearly a much bigger project requiring more, and potentially different, resource and money than purely focussing on data protection issues.
Some companies are entering what I have termed a phase two compliance regime. So by that I mean that they have crossed the finish line for the key issues that needed to be addressed for 25 May and are now coming back to look at some issues again in more detail. Maybe that is because they were trickier issues or because the time and resource wasn't there at the point at which they did the programme and now they are coming back to focus on those.
Rocio: What are these trickier areas that you have been dealing with during this time?
Jocelyn: I think it depended, to a certain extent, on which sector clients were in. Different sectors had different particular issues but I think there were some common issues across clients that we were advising. One of those was around retention of emails - this goes back to the document management system as I was just mentioning. If one of those is not in place, it is much harder to decide how to deal with emails. If companies live in their inboxes and that is effectively used as a storage solution, it is much, much harder to see how you can break down retention of emails when you start to think of them not as emails but as different categories of personal data. Similarly with destruction, if you have managed to set a policy around how long different pieces of data need to be kept for, it is still a different matter actually implementing rules around making sure those items of data are deleted at the time that you said they would be and, again, doing that requires assistance from an IT department and understanding where the document is kept to be able to set those kinds of rules.
Many businesses, I think, are still engaging with the issue of privacy managers or champions or data protection officers (whatever label you have given them and depending on whether or not there is a mandatory requirement for a DPO). Clearly, in some countries, such as Germany, data protection officers have been in place for some time and there is a ready-made set of people with that skill-set but that is not the case in the UK and, I think, there has been as we anticipated there might be, a shortage of that skill-set in the market.
So many companies I know are using existing people and building on their knowledge within an organisation. I think though there is still a challenge in people taking on a new role alongside what was probably already a full time role and putting in place new escalations, new reporting lines and making sure that those work fluidly and easily, particularly difficult when many people in that reporting line might be new.
In a similar vein is the idea of training the business in order to be compliant with the accountability principles in GDPR. Anyone in the business handling personal data clearly needs to be trained in what the legislation says and what they should and shouldn't be doing. Many compliance programmes obviously addressed this and it's all very well doing training as a one-off activity as the legislation comes into force but clearly that needs to be refreshed on an ongoing basis and also rolled out to new starters. They also need to get over the difficulties of disparate geographical locations of businesses, say if you are a retailer with lots of outlets, and across geographies as well dealing with different languages.
An auditing process of those handling personal data for you, I think, is a difficult issue because of the scale of the task and also knowing what the right approach is, what are the questions that should be asked and what are the responses that you are actually looking for and if you get a response you feel isn't sufficient how do you then take that forward?
Rocio: Do you think there are solutions in the market that can help organisations within their compliance plans?
Jocelyn: That is a really common question that we are seeing about whether software can help with compliance. I think auditing processes is one area where it can but it is quite a complex area. There are, if you've been looking I am sure you're aware, a plethora of software solutions out there now all claiming they can help you become GDPR compliant or just help with the process. We've had a look at some of them and, I think, the difficulty is that different software programmes address different aspects of GDPR compliance. Some might be fantastic auditing tools so you can see that a flag was raised, an action was assigned and someone dealt with it. Some might be great for dataflow mapping, some might be just repositories, others might help with disclosure of subject access requests and redaction but I don't think there is a single silver bullet that can help with the whole regime. I think you have to understand what your particular needs are and, therefore, find some software to assist with it. I do think though it is something that can help when it comes to auditing processes. I think that's very much looking from the point of view of if you are a processor it can save all of your clients and customers coming to you and asking you, "please give us information to show that you are GDPR compliant". I have seen some companies using dashboards in a really effective way to present all that information to their customers, so it's effectively a help-yourself library where you can go in, look through the documentation that's available and make your own assessment about GDPR compliance.
Certainly, I think, to help address the training challenge that I mentioned, software in terms of e-learning or modular based resources is very useful for an ongoing training programme as new people join a business and for refresher training. Obviously it also has the added benefit of auditability because you can tell who has taken the training and at what time.
There are some problems of course that the software can't help with, one of those being recruitment of data protection officers as I mentioned earlier. You do get virtual DPO resources offered as a service by some companies although clearly that's just facilitated by software, it's not the software itself but there's certainly a role for humans here and some things that we will have to do on our own just with the assistance of the software.
Now I'm going to hand over to Rocio who's going to talk about the Data Protection Act 2018 given that that came out just as GDPR came into force.
Rocio: Thank you Jocelyn.
So the Data Protection Act is an important piece of legislation that you need to consider along with GDPR, so the important thing is to bear in mind that you need to apply both together and remember that the data protection regime is covered by different pieces of legislation. So there is a right to data protection which, as you know, is a fundamental right, and then applicable in the UK we've got the General Data Protection Regulation, GDPR, we've got the Data Protection Act 2018 and we also have all the regulations, for example relevant to marketing communications we've got the Privacy & Electronic Communications Regulations 2003, and then we are expecting a new e-privacy regulation, or possibly a similar regime in the UK if this comes into force after Brexit, so definitely different pieces of legislation that we need to look at.
Helen: So what's the first thing that organisations should be looking at within the Data Protection Act 2018, Rocio, in your view?
Rocio: Right, so as you can see in the slide, the Data Protection Act covers different parts so we can say that there are four different regimes included in one full act, so we have the general processing which is in part 2, which also covers all the processing which is not covered under GDPR but we are implementing here in the UK for example for the processing of unstructured manual data used by public bodies which are subject to the Freedom of Information Act. So all of that is covered in part 2 and then we've got part 3 dealing with law enforcement, part 4 dealing with the processing of personal data by the intelligence services.
Relevant to general businesses, in addition to part 2, are Schedules 1 to 19 and in particular the additional grounds and exceptions, and these additional grounds, Helen, are the first thing to look at to make sure that you are processing personal data legally. Just to recall, you know that to process any type of personal data you need to look at Article 6 of GDPR and we are talking about different legal bases here, like consent, or if it is necessary to perform the contract, to comply with a legal obligation and so on. There are now many changes here under the Data Protection Act with regards to this type of legal basis. Just be aware that, with relation to consent, if you are information society services providing services to children, now the age for consent in the UK is over 13 years old as opposed to the original 16 DFO as published in the GDPR, and then if you perform tasks carried out in a public interest and you use personal data for that purpose then this public interest is now further defined under the Data Protection Act, so you would like to check sections 8 and 9 of the Data Protection Act to make sure that you are compliant.
Helen: So I understand there are some additional things to consider in relation to special categories of data?
Rocio: Definitely, so the most important thing here is to make sure that when you process a special category of data you have to consider all the relevant requirements stated in the Data Protection Act. So let's just remember that to process a special category of data or criminal record.
In terms of special categories of data you still need to comply with the condition in Article 6 of the GDPR and like we said look at sections 8 and 9 of the Data Protection Act, and in addition to that you need to rely on one of the special conditions stated in Article 9 of the GDPR and now in addition to that you need to look at Schedule 1 of the Data Protection Act.
So in terms of the additional requirements in general that you need to look at, if you are relying on one of these conditions that are in the current slide you are looking at, you don't need to look at any additional requirements. So this would be if you are already relying on express consent or to protect the vital interests of the individuals, you are a religious or political association or using data manifestly made public by the individuals or in relation to legal claims. However, if you are relying on the other conditions, this would be for the purposes of employment or social protection, because it is in the substantial public interest or related to health or social care, public health, or for research, any of these purposes, then that is when you definitely need to look at the Data Protection Act.
Helen: So you might need some additional documentation as well?
Rocio: Yes, one part of this that is important and I would say that in practice is what is making an additional change in terms of your compliance plan is this additional documentation that you need to put in place and this is part 4 of the Schedule 1 and it applies to some of the conditions that we are talking about; and this is basically putting in place what the Data Protection Act names an "appropriate policy document" and also other additional safeguards.
So this appropriate policy document that you need to put in place is in addition to what you have put in place already and it is one, it's kind of a data protection policy but only dealing with that particular data that you are processing under one of these Article 9 conditions and it's just focussed on the processing of that data for that purpose and you need to include things like why you are processing that data, how these specific requirements stated in the Data Protection Act are met in practice in your organisation, what retention period you are applying and how you have planned to delete that data once the retention period is expired and also how you are planning to or you will train the staff for them to be aware of this particular processing. So this is just in a separate and a standalone document that you need to put in place.
Also there are other additional safeguards still in part 4 of the Data Protection Act and they are actually very related to this appropriate policy document that we are talking about, and this is to retain this document for six months after you stop processing that data for this purpose. So this is kind of for the related purposes only. To have these documents including all these points, and including obviously the six months after, available to the ICO if they request this document, to provide this documentation without charge; also, once you have produced this document you need to make sure that this is updated and kept up to date from time to time, so you need to include in the policy a section dealing with how you plan to review, who will be responsible for that and so on.
So let's just look with a little bit more detail to the most relevant conditions and how these, looking at GDPR and the Data Protection Act, work together. So, I am handing out a document that you can find on the downloads tab that you can see at the top of the screen and this is a document named Legal Grounds for Processing GDPR and Data Protection Act. In that document, you can see a more extensive table including some examples and some tips in order to implement GDPR and Data Protection Act together.
So here, I'm just bringing a couple of examples to explain how it works. So let's say that I am processing data for the purpose of research. So I know that this is one of the conditions in Article 9, right? But now I know that in addition to that I need to look at section 10 or 11 of the Data Protection Act. When I look at that, I am told that a condition in part 1 of table 1 of the Data Protection Act needs to be met and I am told that I also need to look at section 19, so I go there, and see if it ticks all the requirements. So, that basically would be that you can use sensitive personal data for research purposes if the processing is not likely to cause substantial damage or distress to the individuals, if it is not used to take decisions on one particular individual subject to some exemptions that they are including in section 19 as well and if it is in the public interest. Otherwise, even though in Article 9 of the GDPR it says that you can use sensitive personal data for research if you are not able to meet these requirements we are talking about you will not be able to rely on this condition. So, this is how important it is to look at the Data Protection Act because if you conclude that you wouldn't be able to use this data for research on this basis then you might need to get back to all the participants and collect consent for example, so it is really important that you look at these together.
It is exactly the same for the substantial public interest. So it is very important to understand that if you rely on substantial public interest this is now detailed and defined in the Data Protection Act, meaning we've been seeing clients looking at the Article 9 GDPR and assessing by themselves: "I think, this is in the substantial public interests and I'm going to do that". However, now, what is considered substantial public interest is stated in the Data Protection Act and you need to look at the conditions. So this is in Schedule 1 part 2 of the Data Protection Act and again in the document I am handing over you have more details but basically let's say that, for example, I am using special category of personal data for the purposes of the prevention of unlawful acts but in addition to that, as this is considered now officially under the Act as a substantial public interest purpose, you need to look at the condition dealing with that particular purpose in the Data Protection Act to make sure that the additional requirements included there are met. Otherwise, again, you'd need to consider a different approach and rely on a different legal basis for that purpose. Kind of the same applies if you use criminal offence data. If you use this for employment purposes be careful because the scheme is now a little bit more narrow than historically, basically you need to check sections 10 and 11 of the Data Protection Act and also make sure that if you are processing criminal offence data you need to meet one of the conditions in Schedule 1 of the Data Protection Act Parts 1-6 and it works practically the same as the other ones.
Helen: So what actions need immediate attention when considering the legal grounds for processing?
Rocio: Right, so basically obviously for you to look at having a review of the entire legal basis you are using. Look at your data map and make sure that you identify those in need of further input from the Data Protection Act. This will also affect your record of processing activities if you are under the obligation to comply with Article 30 of the GDPR. It will affect your privacy notice, so make sure that this is in line with what you are telling people about what you do and under what legal basis, and also the relationship with your data processors, because if you put in place one appropriate document your data processors need to be aware of that as well. And then the other point that I wanted to just quickly stress is relying on exemptions. So, now we've got the exemptions incorporated in Schedules 2 to 4 of the Data Protection Act. Historically we have seen that not many organisations were relying on the exemptions properly, and the basics are actually the same as what I am saying for the legal basis. You need to make sure that you read properly the exemptions you want to rely on and make sure that you meet all the requirements properly. So, let's say for example I want to disclose some information to my legal advisor because it is related to a legal proceeding or potential legal proceeding; this is one of the exemptions, but this is not an absolute exemption, so the way this works in practice is, for example, if I have details of one of my employees, I can disclose that to some legal advisers based on this exemption because, even though I didn't collect that data for that purpose, this is allowed under the exemption. However, the extent to which I can process that data under this exemption is only to the extent that it does not prevent me from disclosing the data, and this means that I cannot just assume that all subjects' rights are limited by this exemption. Only if applying this right prevents that disclosure from happening.
So, if this employee makes a subject access request, responding to that request does not affect the fact that I want to disclose their data to my legal adviser, and therefore I wouldn't be able to refuse to respond to this request based on this exemption. I may be able to based on different exemptions but not on this one. However, if the employee asks me to delete all the data, then if I delete the data obviously this would prevent me from disclosing the data to my legal advisor and, therefore, I would be able to rely on this exemption and make this limitation on this right to be forgotten, to tell the individual that I am not complying with this request because I am relying on this exemption.
Helen: So, Rocio, what actions need immediate attention when considering the exemptions then?
Rocio: So, yes, it is kind of easy looking at the exemptions that you used to apply under the former Data Protection Act 1998, and then identifying which is the equivalent under the new Data Protection Act, and putting the policies in place. I just have to know how to deal with these exemptions.
And these are the two most relevant points in terms of the Data Protection Act that apply to many organisations in general. Another relevant area where we are seeing a lot of movement since GDPR are breaches and now I am very happy to hand over to Helen who will cover this part.
Helen: Thank you. So in the next 10 to 15 minutes we are going to cover what has changed since 25 May 2018, we will also look at some recent examples of data breaches and also talk about dealing with breaches. So what has changed since 25 May 2018? Well the ICO has confirmed that there has actually not been that much change in the sectors reporting the greatest number of breaches, so health, education, government, general business and also solicitors and barristers remain the sectors reporting most breaches. Also common incident types remain largely the same; the common incident types are lost and stolen data and emails and faxes to the wrong recipients. One in five reported breaches involved cyber incidents, with nearly half of those phishing, but what has changed significantly, not surprisingly, is the number of breaches being reported. Lots of reports by telephone and also lots of reports using the ICO's online form. Now as I say perhaps that isn't surprising given the GDPR was a move towards mandatory reporting but perhaps this has been exacerbated by some cautious over-reporting which is something that we'll come onto.
Jocelyn: So have you got any statistics and numbers for us, Helen, on how many breaches are now being reported under GDPR?
Helen: So, in terms of the actual numbers reported, Jocelyn, in March and April this year, so obviously pre-GDPR, the ICO received 398 and 367 reports respectively. In May, the numbers were up to 657 and, of course, the GDPR came into force on 25 May so there were seven days at the end of the month when the new laws applied and then in June, the ICO reported that they actually received 1,792 reports and more recently the ICO has confirmed it's still handling around 500 reports per week. So moving on to some recent examples, Equifax Limited is an example that's been in the news recently so this all arose after an incident at Equifax's US parent which affected 146 million customers, the incident arose between 13 May and 30 July 2017 and the reason why the ICO in the UK were interested in it is that Equifax's US parent was processing data of up to 15 million UK citizens on Equifax Limited's behalf. Now, the first ICO statement on that particular case was 8 September 2017, as I say it's been in the news again more recently and that is because on 20 September this year the ICO announced that they were going to fine Equifax Limited on the basis that it had breached five out of eight of the data protection principles and, in particular, it had failed to secure personal data, it had poor retention practices and a lack of legal basis for international transfers. Equifax was fined £500,000 but this, of course, was a fine under the Data Protection Act 1998 given when the event giving rise to the fine occurred so that was a maximum fine although it does not give us any insight into what is or what might happen in terms of the ICO taking regulatory action under the GDPR.
Jocelyn: So have there been any breaches, Helen, under GDPR that have also been fined under GDPR?
Helen: We don't, Jocelyn. We have had lots of further press reports of breaches; here we've got one with the Dixons Carphone breach, but many of the breaches like this one appear to have involved breaches prior to 25 May. So, for example, Dixons Carphone say that the hacking attempt - this allegedly involved 6 million credit cards and debit cards plus 10 million data records - was discovered in June 2018 but it took place in July 2017, so assuming that's right any regulatory action would be under the 1998 Act, so again it won't tell us about the ICO's approach under the GDPR. Another example of a breach involves Butlin's. More recently we have started to see incidents that involve breaches that have occurred post 25 May, British Airways being one example; British Airways have said on their website that their recent breach involved theft of data that took place between 21 August and 5 September 2018, so we can expect that to be dealt with under the new law, but it will be apparent from the ICO's first statement in the Equifax case, if you remember that was in September 2017, and when we've actually seen regulatory action (which was a whole year later), that we shouldn't necessarily expect news any time soon.
In the meantime, what is clear is that the prospect of organisations having to notify breaches and work with the regulator are much greater than ever before and that's what I'm going to focus on in the remainder of my time.
So some things to think about in terms of an immediate response. If you have a potential breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data - and bearing in mind that's a wide definition - the first thing to do is, of course, to begin the initial investigation as soon as possible. The notification obligation is on the data controller, and the data controller has to notify the regulator without undue delay and, if feasible, within the 72 hour deadline after having become aware of the breach, unless it's unlikely to result in a risk to the rights and freedoms of individuals. If the 72 hours isn't feasible then the data controller must provide a reason/justification, but that I would suggest is territory that data controllers don't want to be in and they should assume that will be a significant threshold for them to get over.
So when does that 72 hours start? We know from the Article 29 Working Party Guidance, it starts when the controller has a reasonable degree of certainty that a data security incident has occurred that has led to personal data being compromised. Now the guidance does acknowledge that the data controller might initially not be sure, and it acknowledges that the data controller can have a short period of time after having been informed of or detecting an incident to investigate it, and during that time it won't be considered to be aware; the clock won't be running. However, the objective of that first investigation must be to establish awareness. So, as I said, begin that initial investigation as soon as possible, otherwise, following the guidance from the Article 29 Working Party, there is a risk that the ICO might find you had awareness and your 72 hours were running when you didn't think they were and, of course, regulatory action can be taken for failure to comply with the notification obligations.
A related point: at the same time, of course, you will want to contain the breach if there is any possibility or potential of a further loss of personal data.
Some further things to think about in terms of immediate response (and I am dealing with these sequentially but actually they are all things that you should be thinking about as soon as an incident arises or you think an incident may have arisen): dig out your incident response plan if you've got one. You may well have spent an awful long time putting this plan together and it should, therefore, be helpful to you, so it would be good to have, and secondly it is also important that if this breach is investigated by the authorities down the line you will want to demonstrate that you were following the plans that you put in place beforehand.
Next point; don't forget to notify insurers while you're running around actually dealing with the incident because you don't want any notification to insurers to be out of time and, therefore, the insurers not to cover the issue when in other circumstances they might have done.
Next point - privilege. If you may want the documents that you're creating to be protected by privilege then you want to start thinking about that early and in circumstances where you don't actually know quite what's gone on yet, I think privilege is something you should be thinking about so, therefore, involve a lawyer and take legal advice on that.
Jocelyn: And then I see you've put up, Helen, assessing risk as one of the immediate things to do when a breach occurs but at that point aren't you really thinking about notification?
Helen: That's right, Jocelyn. Assessing risk is something that obviously you do when you come on to notification but it's again important to be thinking about this from the outset as well so that your response is also proportionate and all of the steps that you're taking in response to the breach are proportionate to the potential risk to individuals from the data breach that's arisen.
I'm not going to, for the purposes of this webinar, talk in any detail about how you assess risk - we don't have the time to do so but the Working Party 29 Guidance emphasises the importance of considering likelihood and severity and also sets out a number of other points and criteria for you to work through.
So then when you come on to your notification, some things to think about, should you use the ICO's telephone hotline, the number being on its website or should you use its online form? This is one for me where it very much depends on your personal circumstances I think. The ICO say that around a third of data breaches reported to it are resolved by way of the first call so that obviously helps the ICO as there is then no need for follow up correspondence that would be necessary if those had been reported online but if you do report by telephone you should assume that that is going to be treated and recorded as if it is a formal report. Don't necessarily assume you will be able to have an initial informal conversation, so you should be really prepared for that conversation and I would recommend preparing answers to all of the questions on the online form because that will help the call be as efficient as possible and demonstrate you're managing the situation. Of course, the telephone hotline isn't available all of the time so if you need to make a report out of hours then that's going to send you down the online form route.
If you're going down making a report in writing - should you use your own form or should you use the online form? I am aware a number of clients spent a lot of time putting in place incident response plans prior to the ICO putting their form on the website so you may well have your very own form for this purpose. What I would suggest is that you use the online form where possible. We know that demonstrating co-operation with the ICO may be a factor in any subsequent regulatory action so make it easy for the ICO in using their online form but that doesn't mean that you can't also attach additional documents (including your own form if that will add to the report).
Cautious approach versus over reporting - something I mentioned at the outset. Because of the potential regulatory penalties for not notifying, there is some sense in erring on the side of caution when assessing whether or not to report a breach and indeed that's what the Article 29 Working Party Guidance says. However, the ICO has flagged that one of the trends it's seeing is over reporting and it warns against this particularly as organisations become more familiar with the new laws. I would say particular issues to avoid are serial over reporting, jumping the gun when it comes to lost documents or devices that may be found within the 72 hours reporting window and also where you're sure you haven't got a breach of confidentiality and there's also no risk to lack of availability.
If you're going down the telephone route, avoid busy periods with the ICO. The ICO is openly acknowledging that there are times when its phone lines are busy especially Friday afternoons, so the key on this is to plan ahead. If you're maybe reporting a breach late on a Friday, it would be unwise to assume that the ICO's availability will coincide nicely with yours and you will be able to wrap everything up before the weekend. I would recommend better in those circumstances to be prepared to file online.
A final point on notification. So you can have a phased report but I think that is a very different thing to an incomplete report. Incomplete reports are to be avoided and the issue of incomplete reports is something that the ICO has also raised and I think over time obviously we're in relatively early days following the GDPR but, I think, this is something that we can expect the ICO to start clamping down on especially where the data breach concerned is significant.
So once you've reported what's going to happen next? Well, in all cases you will get an acknowledgement from the ICO. You may then get further action in a variety of forms - you may get some further questions on the breach that's arisen and, ultimately, you will get a decision from the ICO on the action that they are going to take or may not be taking but essentially no news or at least not hearing anything following the acknowledgement too soon is good news because that means your breach won't be that high up in the ICO's list of priorities. However, as I said you should still receive an outcome from the ICO at some point and the ICO has confirmed that that's what will happen.
A final point is just to anticipate next steps particularly if you think you're making a phased report and you've got further investigations going on. In that case, it's worth thinking about that when you put in your first report to try and plan ahead, let the ICO know when you might be in a position to provide more information, again to look like you're managing the situation, and try not to end up being given a deadline that doesn't work in with what's achievable at your end.
So that's data breach reporting to the ICO. However, it's obviously a much broader topic and there are a number of other things to think about that we've not had time to cover in the session today that I've summarised on this final slide that I'm leaving you with.
Jocelyn: And finally for a bit of a change of perspective, rather than looking back at those last six months, just very briefly a look to the future on what might happen when the UK leaves the European Union on 29 March next year. Will it affect data protection legislation in this country?
On the one hand, no it won't. As Rocio has talked about, the Data Protection Act 2018 is now in force and it incorporates the GDPR into our legislation, so we know for certain it will continue to apply in the form it is now in.
Of course, looking to the future though, that might diverge and might not be the case. The DPA 2018 incorporates GDPR as it was at the exit date. So if the Europeans take their legislation in one direction going forwards and the UK doesn't make equivalent amendments to its own Data Protection Act, then those two pieces of legislation could end up being different but that's a problem for the future and not immediately on Brexit.
The DPA also very helpfully tidies up references to other EU legislation when it talks about member states and regulators in other jurisdictions. A lot of legislation is going to have to wait its turn through the Withdrawal Act for the Government to get round to doing that for a lot of historic legislation. The Data Protection Act was actually quite high up the agenda for legislators and they've done that ahead of time. So on the one hand, no, it won't change.
The aspect though where it might change is around international transfers in and out of the UK and the EU. The Government has published one of its technical response papers on this topic in amongst its other Brexit no deal preparation papers and essentially what that says is that you will be able to send data out of the UK to the EU without needing to jump through any hoops because we recognise that the EU has very comprehensive regimes for the protection of personal data. Going the other way, it might not be so simple. The Government is pushing for either a finding of adequacy as the Commission has made for other third countries such as Argentina, Israel, Canada (to name a few) or pushing for more of a special relationship that might also give our regulator, the ICO, access to the group of regulators across Europe. That hasn't happened as yet and there is an issue over not so much ordinary civilian and corporate use of personal data, but on the law enforcement side where the EU takes issue with the access that the Government has to elements of data and retention periods. So at the moment, if you look at a hard Brexit, the likely situation is that the EU will treat the UK as it does any other third country and all the usual rules on international transfers will apply. So if you wanted to send information from France, Germany or anywhere on the continent to the UK, you would need to use most likely the standard contractual clauses in order to send that data legally unless you had binding corporate rules you were able to rely on.
And the other element where the UK's relationship with the EU may well change is around this point about the ICO's access to other supervisory authorities across Europe. Will they enforce the legislation in the same way? To what extent will the ICO have their feet at the table when the European authorities are making more policy and guidance in shaping how those are applied to industry?
That was just a brief roundup of issues we've been seeing since 25 May. I apologise we have slightly run overtime and therefore are out of time for questions. Thank you very much to those who did submit via the webinar - we will endeavour to leave time for questions in future and we will respond to those in future over email or be in touch with you in some other way.
Thank you very much for joining everyone. I hope you enjoyed that session and have a good day. Goodbye.
In our first IT Masterclass live webinar we reflect on the past 6 months since the General Data Protection Regulation (GDPR) has been in force, looking specifically at:
Our speakers Jocelyn Paulley, Helen Davenport and Rocio De la Cruz also offer practical tips on dealing with tricky issues that can arise.