PDP - Compliance News Updates - 22 May 2018

Issue: 22.05.2018

It's GDPR (and DPA) week!
The General Data Protection Regulation will come into force throughout the 28 Member States of the European Union on Friday. In the UK, Matt Hancock, the Culture Secretary, has announced that the Data Protection Bill has been passed by Parliament, and will (subject to Royal Assent) come into force on Friday. The Bill will go through Parliament without an amendment calling for a second Leveson inquiry, as peers backed down after weeks of ping-ponging between the two Houses. Mr Hancock added a series of new amendments to the Data Protection Bill last week, including one widening the scope of the Information Commissioner's review into media compliance with the new data protection law.

Eight countries to miss EU data protection deadline

Eight EU states will not be ready to fully enforce the General Data Protection Regulation when it comes into force on Friday. It is understood that Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia will not be ready until far beyond the 25th May deadline. Vera Jourova, the European Commissioner for Justice, said she would not hesitate to take the EU countries to court in serious cases, blaming negligence and domestic debates for the delays. Only Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia are currently ready, with other countries poised to have their national acts passed by 25th May. Spain, Italy, Portugal, Romania and Latvia are expected to be ready either at the end of May or at the beginning of June. The UK passed its Data Protection Bill yesterday. Although not required to implement the GDPR (which is directly effective in all Member States from Friday), the national Data Protection Acts are required to create local exceptions to some of the GDPR's provisions, such as those relating to processing special category personal data, and to bestow enforcement powers on the national regulators.

Firms needlessly seeking opt-in permissions

In the last few weeks people's inboxes have been awash with requests for opt-in permissions. In many cases these are unnecessary, either because of the existing relationship between the sender and the recipient or because opt-in permission is not needed for the type of communications contemplated. The next edition of Privacy & Data Protection will contain an in-depth article on exactly when opt-in permissions are needed and why many organisations may have been overly cautious in their recent email communications.

UK prosecution body fined £325,000 after losing victim interview videos

The Crown Prosecution Service has been fined £325,000 by the ICO after losing unencrypted DVDs containing recordings of police interviews. The recordings were of 15 victims of child sex abuse to be used at trial, and contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator, and some identifying information about other parties. The penalty is the second to be imposed on the CPS following the loss of sensitive video recordings. Steve Eckersley, Head of Enforcement, said: "The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress." The CPS has self-identified systemic failings and is taking action to remedy them. 

Facial recognition technology used by police is 'dangerously inaccurate'

The Metropolitan Police's use of facial recognition is misidentifying innocent people as wanted criminals more than nine times out of 10, according to a privacy campaign group. Civil liberties organisation Big Brother Watch published its findings into the Met's use of facial recognition technology in a report that it presented to Parliament. The Met admitted that, as a result of using facial recognition, it has stored 102 innocent people's biometric data for 30 days. Despite this, the force is planning seven more deployments this year. Silkie Carlo, Director of Big Brother Watch, said: "It is deeply disturbing and undemocratic that police are using technology that is almost entirely inaccurate, that they have no legal power for, and that poses a major risk to our freedoms." The reports have attracted the interest of the UK Information Commissioner, Elizabeth Denham, who said: "technology represents both a risk and an opportunity, and this is why I have recently published our first Technology Strategy which addresses these new technological developments and ensures the ICO can deliver the outcomes which the public expect of us."

Ipswich Hospital staff disciplined after accessing singer's records

Two members of hospital staff in the UK were disciplined for accessing Ed Sheeran's personal details with no legitimate reason, it has emerged. Ipswich Hospital said in response to a Freedom of Information request that one medical staff member was given a written warning, and one member of admin staff was sacked. The action happened after Sheeran was admitted to hospital last October, having broken his right wrist and left elbow. The incident was not referred to either the ICO or the Nursing and Midwifery Council.  

Former recruitment consultant prosecuted in UK

A former recruitment consultant has been fined for unlawfully taking personal data from his employer when he left his job to set up his own rival business. Daniel Short left the recruitment company he was working for, VetPro Recruitment, in October 2017 and a short time later set up his own similar company called VetSelect. The ICO later discovered that Short had stolen the details of 272 individuals from VetPro's database for commercial gain. Short pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. He was fined £355 and was ordered to pay costs of £700 as well as a victim surcharge of £35.   

Council of Europe brings data protection Convention in line with GDPR

The Council of Europe has adopted an Amending Protocol which updates its data protection convention (known as Convention 108), bringing it into line with the GDPR. The Convention now requires organisations to notify data breaches, strengthens the accountability of data controllers and the transparency of data processing, and introduces the Privacy by Design principle, as well as additional safeguards for the processing of personal data in the context of algorithmic decision-making. Convention 108 is the only international treaty to address the right of individuals to the protection of their personal data, and is open for any country to sign and ratify. Current parties to the Convention are the 47 Member States of the Council of Europe and Mauritius, Senegal, Tunisia, and Uruguay.   

UK University fined after serious breach

The University of Greenwich has been fined £120,000 by the Information Commissioner following a security breach involving the personal data of nearly 20,000 people, including students and staff. The investigation centred on a microsite developed by an academic and a student in the University's then devolved Computing and Mathematics School, to facilitate a training conference in 2004. After the event, the site was not closed down or secured, and it was compromised in 2013. In 2016, multiple attackers exploited the vulnerability of the site, allowing them to access other areas of the web server. The University is the first education body to have been fined by the Commissioner under the current UK data protection law.

More in-depth data protection news and articles...

New GDPR Article Series

Privacy & Data Protection journal: introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR.

Visit the Privacy & Data Protection journal page for a free sample and to subscribe.

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.

17th Annual Data Protection Conference (GDPR)

11th & 12th October 2018 - London, UK 
** London's leading two-day GDPR Conference **  

How the ICO will exercise its New Powers
James Dipple-Johnstone, Information Commissioner's Office (ICO)
This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to helping organisations ensure they are compliant.

* Speaker Highlight *

The UK Data Protection Act 2018 - gloss or substance?
Rosemary Jay - Senior Consultant Attorney, Hunton Andrews Kurth LLP

Although the GDPR is designed to bring greater harmony to EU law than the previous Directive, Member States are still permitted to deviate from the GDPR's provisions in limited areas. This talk, by the author of 'Guide to the General Data Protection Regulation', considers the key provisions of the UK's upcoming Data Protection Act, and provides delegates with practical guidance on how to implement them.

For more information and to book your place:


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:   
Peter Given
Womble Bond Dickinson
From May 2018, organisations will be required to notify serious data breaches to both national data protection authorities and individuals, except in a narrow range of circumstances. This practical training session looks at the new breach notification obligations in detail, including:
  • the types of incidents that will trigger the requirement to notify
  • actions that organisations should be taking now in order to prepare for mandatory breach notification
  • incident response plans and opportunities to mitigate risk
  • implications for data processors
  • what the ICO, and other relevant regulators, will expect organisations to do
  • the requirement for an internal breach register and how to maintain it
  • consequences of failing to notify breaches 
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next available dates for this course are:
  • London    Monday, 25th June 2018
  • London    Monday, 3rd December 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Alison Deighton
TLT Solicitors
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
  • the right to be informed
  • requirements for handling subject access requests
  • profiling and automated decision taking
  • the right to data deletion
  • the right to restriction of processing
  • the right to object to processing
  • the right to data portability
  • compensation
  • the right to cessation of direct marketing
  • exemptions for organisations
  • changes that should be made to organisations' privacy policies 
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
  • Belfast             Thursday, 7th June 2018
  • Glasgow          Monday, 24th September 2018 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Fedelma Good
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
  • how data protection law applies to profiling and Big Data
  • how the extended territorial scope of the GDPR catches ever more profiling activities
  • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
  • controllers' increased accountability to individuals and the remedies available to individuals
  • the circumstances in which profiling is acceptable
  • how to reduce the risks of 'discriminatory' decision-making
  • the relevance of the privacy by design and default regime
  • the GDPR position on profiling and special category personal data
  • practical guidance on what information must be supplied to customers and others
  • how to obtain explicit consent, where required.
The course is taking place on the following dates:
  • London    Tuesday, 12th June 2018
  • Belfast     Thursday, 6th December 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

Practitioner Certificate in Data Protection - GDPR Conversion Programme
The online self-study Programme for candidates who gained their qualification prior to 2018 to upgrade their qualification for the GDPR era.

"I'm delighted to have passed the GDPR Conversion Programme Examination. The Programme was both enjoyable and challenging, providing an in depth look at the changes GDPR brings and how to apply these in practice.  I am now confident that my knowledge of Data Protection Law remains up to date and comfortable that I can apply the new regulations in practice in my day to day role."
* New course for 2018 *
Cybersecurity for Data Protection Professionals - 2nd July 2018 - London

This session is prepared specifically in the context of the GDPR, with the objective of enabling compliance professionals to deal more assuredly and knowledgeably with cybersecurity within their organisations.

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments.

"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom