PDP - Compliance News Updates - 14 August 2018

  Issue: 14.08.2018

Data broking company fined £140,000 in UK
The Information Commissioner's Office has fined pregnancy and childcare advice company, Emma's Diary, £140,000 for illegally collecting and selling personal information belonging to more than one million people. The data broking company sold the information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run-up to the 2017 General Election. The Labour Party was consequently able to send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children's centres. The regulator signalled its intention to fine the company in July, as it released an interim report of its comprehensive investigation into data analytics for political purposes. The ICO has outstanding enquiries with a number of data brokers, including Experian.

FTC to expand power to regulate corporate privacy practices

The US Federal Trade Commission is considering expanding its enforcement power over corporate privacy and data security practices. The action follows FTC Chairman Joseph Simons' recent declaration that the regulator's current authority under Section 5 of the FTC Act is inadequate to deal with the privacy and security issues in today's market. The FTC is also considering growing its authority in several other areas, including the intersection between privacy, big data and competition. Beginning in September 2018, the FTC will conduct a series of public hearings to consider these issues.       

Company director disqualified after marketing calls breach

A man whose business was responsible for millions of nuisance marketing calls in the UK has been barred from serving as a company director for six years. Coventry-based Easyleads Limited was issued with a £260,000 fine by the Information Commissioner's Office in September 2017, after the regulator found the company responsible for making 16.7 million automated marketing calls without the prior consent of recipients. Easyleads failed to pay the fine, which led the ICO to file for and obtain a court order to wind up the company. The Insolvency Service subsequently investigated and has now announced that the sole director of Easyleads, Shaun Harkin, 48 from Coventry, has accepted a disqualification undertaking that will prevent him from being directly or indirectly involved in the promotion, formation or management of a company for six years from 13th July 2018.

ICANN loses injunction bid in dispute over WHOIS data in Germany

A German appeals court has rejected a bid from the internet's global domain name organisation, the Internet Corporation for Assigned Names and Numbers (ICANN), to force a domain name registrar in the country to collect additional personal data. ICANN had applied for a court order to be issued against EPAG Domainservices to force EPAG to collect the personal data of technical and administrative contacts of organisations that register domain names with it. EPAG already collects the domain name holder's contact data in accordance with the terms of its contractual agreement with ICANN. It previously collected the data of technical and administrative contacts too on a voluntary basis, but stopped doing so in light of the GDPR. ICANN will still have an opportunity to "enforce the rights it asserts" in the main proceedings in the dispute, according to the new ruling.

Butlin's warns of potential personal data breach

UK holiday camp chain Butlin's has warned that the personal data of up to 34,000 customers may have been exposed in a cyber breach. The company has blamed the breach on a phishing attack, which indicates that an employee was tricked into divulging user credentials for a customer data system, rather than any high-tech hacking technique. Butlin's said the data at risk includes names, addresses, contact details and holiday arrival dates, but does not include any financial information. The company began notifying customers of the breach within 72 hours in line with the requirements of the GDPR.         

More in depth data protection news and articles... 

Privacy & Data Protection Journal 
Visit Privacy & Data Protection for a free sample and to subscribe

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal. 

17th Annual Data Protection Conference (GDPR)


11th & 12th October 2018 - London, UK  
** London's leading two-day GDPR Conference ** 

How the ICO will exercise its New Powers
James Dipple-Johnstone  
Deputy Commissioner (Operations) 
Information Commissioner's Office (ICO)
  This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to help organisations ensure they are compliant.
16th Annual Data Protection Compliance Conference

* Workshop Highlight * 

Workshop C. Compulsory Documentation - What is now Required of Organisations
Jenai Nissim, Legal Director, TLT Solicitors
In contrast to pre-GDPR law, several sets of documents must now be created and be made available in order to demonstrate compliance with the GDPR. This Workshop looks in detail at the requirements of the GDPR in terms of accountability, and provides delegates with the knowledge and tools necessary to achieve compliance in their organisations, including:
  • what policies must be drafted, and the necessary content of those policies
  • how existing data protection statements and privacy notices need to be altered and extended
  • how organisations can raise awareness of data protection in their data protection policies and procedures

For more information and to book your place:
  • Visit PDP Conferences 
  • Send us an email
  • Telephone +44 (0)207 014 3399


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Data Protection Essential Knowledge - Level 1
Estelle Dehon
Cornerstone Barristers
This course is an introductory level course for all those that are new to data protection, or those that require a refresher on the fundamental concepts. It is designed for people who work with, or will work with, data protection issues on a regular basis. This invaluable and practical training session examines core concepts of practical data protection compliance. This course can be used as credit towards the Practitioner Certificate in Data Protection (GDPR).
The course is next taking place on the following dates (further dates available online):
  • Belfast     Monday, 10th September 2018
  • London    Monday, 17th September 2018
  • Bristol      Monday, 22nd October 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Data Protection Essential Knowledge - Level 2
This practical training session is designed for those that work in the field of data protection. The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice. The Level 2 course is designed as a natural progression from Data Protection Essential Knowledge - Level 1, although attending Data Protection Essential Knowledge - Level 1 is not a pre-requisite to attending the Level 2 unless you are a complete beginner to data protection. Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.
The course is next taking place on the following dates (further dates available online):
  • Belfast     Tuesday, 11th September 2018
  • London    Tuesday, 18th September 2018
  • Bristol      Tuesday, 23rd October 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Phil Tompkins
Ward Hadaway
Data protection law requires that personal information be held and used securely. The law also requires that relevant security arrangements be put in place for all outsourcing arrangements. News headlines consistently show that organisations are not doing enough to ensure the security of people's personal information, both within the organisation and externally. It is not always obvious what measures should be taken by organisations to comply with the legal obligations. This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), as well as the implications of Brexit, examines the law as it relates to data security and the practical steps that organisations need to take to ensure compliance with their obligations. It concentrates on how to avoid a data security breach, as well as what can be done to mitigate the effects of a breach that does occur. It also considers the steps that must be taken when an organisation outsources operations, such as payroll, website hosting, digitisation of records, debt collection and waste management. The session considers lessons that must be learned from the fines that have been imposed by regulators. This session can be used as a credit towards the Practitioner Certificate in Data Protection (GDPR).
The course is next taking place on the following dates (further dates available online):
  • Belfast          Wednesday, 12th September 2018
  • London         Wednesday, 19th September 2018
  • Edinburgh    Wednesday, 31st October 2018 
For further information and to make a booking
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Jenai Nissim
Data Protection Impact Assessments (DPIAs) enable organisations to assess potential data protection and other privacy implications at the design stage of a new system or process. Such risks can be assessed and addressed within the development of the system or process, rather than being a "bolt-on" after implementation (when it may be too late to address all the concerns, at least without significant cost implications). DPIAs are recommended by data protection regulators, and they are a requirement in some sectors. DPIAs are an important part of the "privacy by design" culture, and they will be mandatory under the General Data Protection Regulation. Different approaches and levels of assessment can be undertaken depending on the nature of the system/process and the size of the organisation. This course gives practical guidance on conducting DPIAs, and includes:
  • what is a DPIA, and when should one be carried out
  • national regulators' recommendations and guidance
  • stages of a DPIA and what to do in practice: initial assessment, preparation, information flows, consultation with stakeholders, analysis, documentation
  • the relationship between conducting PIAs and other risk and project management activities (e.g. other risk assessments, data protection audits)
  • legal and compliance issues to consider.
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection.

The course is next taking place on the following dates (further dates available online):
  • Belfast         Friday, 14th September 2018
  • London        Friday, 21st September 2018
  • Edinburgh    Friday, 2nd November 2018 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Practitioner Certificate in Data Protection - GDPR Conversion Programme 
Upcoming intensive training weeks in Belfast, London, Edinburgh and Manchester
Ensure you have the knowledge to practically implement the GDPR in your organisation.
The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis. 
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation." 
Joanne Maurizi 
Find out more >

Upcoming course dates in Brussels, Manchester, Isle of Man and London 
Demonstrating compliance with 'Accountability' consists of several elements, including preparing policies, monitoring compliance with internal policies and procedures, amending job roles and updating customer facing documentation such as websites and offline forms.
This highly practical session looks at the detail of what accountability requires...

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.
 Find out more & Order your copy here >

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments. More information >
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services 
Civil Aviation Authority 
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role." 
Brendan Byrne
Senior Managing Consultant Security & Privacy 
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely." 
Kim Bellis 
Records Service Manager 
Royal Cornwall Hospitals NHS Trust 
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance." 
Alan White 
Data Protection Manager 
Pitney Bowes 
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law." 
Bleneta Carr
Pearson Education 
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation." 
Joanne Maurizi 
Assistant Manager
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom