‘Function Creep’: A Very Real Risk That Every DPO Should Be Aware Of

Published 21 January 2022

For those eagle-eyed Data Protection Professionals among you, we are talking about the second of the seven principles within the General Data Protection Regulation (GDPR) known as ‘Purpose Limitation’.

Nobody wants to sign up to marketing from their local supermarket, expecting the latest deals on food, only to find out that it has expanded into digital marketing and is now tracking them across their devices to see where they are shopping, what they are buying and how much they have spent! This is ‘Function Creep’.

You may be asking yourself, ‘Why does every DPO need to worry about this?’. The answer is that it is all too easy to get wrong and regulators are really focusing on risks in this area.

What is ‘Purpose Limitation’ and ‘Function Creep’?

‘Purpose Limitation’ is all about being upfront with people and honest about how you will use their data, documenting the reasons you will use their data for, and assessing whether you ever want to use that data for any other reason. This GDPR principle ties in elements of the others, as it means you have to be transparent with people and you have to be accountable for what you do with their information.

‘Function Creep’ usually happens over a period of time, as new features or changes (functions) are made to a system or process. It results in data being used for purposes different from the ones the individual consented to or was told about upfront.

Regulatory Enforcement

German regulators are currently investigating a case in which COVID tracking data was used by law enforcement. During November 2021, a man was involved in an incident and police used the app known as ‘Luca’ (designed to track individuals visiting bars and restaurants in case of COVID outbreaks) to trace witnesses to the incident. This resulted in personal data, including names, postal addresses and telephone numbers, being collected and used for purposes completely unrelated to the ones the data was originally collected for.

Regulators in France fined Ikea 1 million euros for using CCTV cameras to monitor staff. Both the Head of Risk and the CEO were given suspended sentences and individual fines for their part in the surveillance. The CCTV cameras had been installed for security purposes and the employees were not made aware that they would be monitored.

Finally, whilst this enforcement action was taken under the Data Protection Act 1998 (and therefore was not enforced under the UK GDPR), nobody can forget the Cambridge Analytica scandal. Large amounts of data were processed by Facebook and accessed by Cambridge Analytica for use for multiple purposes, including political campaigning.

How can my organisation prevent ‘Function Creep’?

The best way to prevent ‘Function Creep’ is to embed checkpoints or stage gates into release and review processes. This is an example of how to embed Data Protection by Design and Default. Those checkpoints help you review your changes or new features through a Data Protection lens.

Your organisation’s Data Protection Team or Data Protection Officer should be included in all new releases or changes to systems and processes to provide that specialist review and approval.

What should be considered during a release and review process?

Data Protection Teams will think about many things when assessing new features ready for release, including:

  • Whether the new purpose for processing is compatible with the original purpose.
  • Whether the new purpose is one that is pre-approved under the UK GDPR. Archiving in the public interest, scientific or historical research purposes and statistical purposes are pre-approved under the GDPR.
  • Would the individual expect their data to be used in this way? You wouldn’t expect your health data to be used for marketing purposes, so that would be an incompatible purpose.
  • What are the risks and consequences to the individual of the new purpose? Does the new purpose give rise to an impact such as inability to access services or greater exposure to potential data breaches?

What can you do as a DPO to help reduce the risk to your organisation?

  1. Maintain Records: All organisations have a legal obligation under the GDPR to maintain Records of Processing Activities (RoPA). Your RoPA will help you understand what data you are processing, in which systems and locations, and for what purposes.
  2. Data Protection by Design & Default: Embed checkpoints or stage gates into release and review processes. Ideally, try to embed your Data Protection processes into existing governance structures so they aren’t ‘additional red tape’ for your organisation. The reviews will give you an understanding of what changes are coming down the tracks and will allow you to review all new functions or changes to current functions through a Data Protection lens.
  3. Maintain Records: No, this wasn’t a mistake. It’s that important it’s here twice! Maintain records of any reviews that you carry out. Were the new purposes compatible with the old one? If not, did you accept the risk, mitigate the risk, or decide not to proceed with the change?
  4. Training & Awareness: Carry out, at least, annual Data Protection training with all employees and contractors, including things to consider during projects such as purpose limitation, accountability and transparency. International Data Protection Day (28 January each year) is a great time to kick off awareness activities for your organisation.

If you need help understanding how the requirements of the GDPR apply to your organisation, Bridewell can help. We provide several Data Protection services, including consultancy on one-off projects, Data Protection Maturity Assessments, ISO 27701:2019 implementation and Data Protection Officer as a Service.