PDP header graphic

Issue: 03.03.2020

EU Council Presidency releases proposed amendments to draft ePrivacy Regulation

The Presidency of the Council of the European Union has published a revised part of the proposed Draft ePrivacy Regulation following meetings between the Working Party on Telecommunications and Information Society, the Permanent Representatives Committee, and the Transport, Telecommunications and Energy Council. According to the EU Council Presidency, it became clear during the discussions that the existing proposed text would not be supported by the majority of the Member States delegations who expressed their wish for substantial changes to rules for the processing of metadata and use of cookies or similar technologies. The most significant revision proposed by the EU Council Presidency is the introduction of the possibility to rely on the 'legitimate interest' ground to (1) process electronic communications' metadata, and (2) place cookies or similar technologies on end-users' terminals, subject to specific conditions and safeguards. The revisions will be discussed at the next WP Tele meetings on 5th and 12th March.

Scottish company receives maximum fine for making nearly 200 million nuisance calls

The UK's Information Commissioner's Office has fined CRDNN Limited with the maximum £500,000 fine for making more than 193 million automated nuisance calls. The company, whose Clydebank-based premises were raided by the regulator following complaints, was making nearly 1.6 million calls per day about window scrappage, debt management, window conservatory and boiler sales between June and October 2018. Some of the calls potentially put people's safety at risk as they were made to a Network Rail Control Centre, and clogged up the line for drivers and pedestrians at unmanned level crossings, who were calling to check it was safe to cross the rails. The company did not obtain consent from the phone owners to make those calls and did not provide a valid opt out opportunity.

UK regulator publishes guidance on codes of conduct and certification schemes
The ICO has published guidance for organisations wanting to develop GDPR Codes of Conduct or Certification schemes. From 28th February, organisations can submit their proposals for GDPR Codes of Conduct or Certification scheme criteria to the ICO for approval. Ian Hulme, ICO Director of Regulatory Assurance, said: "I would encourage any organisation that can speak on behalf of a group of organisations, or who has expertise in developing standards or certification criteria, to have a look at our guidance and speak to us about developing a GDPR Code of Conduct or Certification scheme. Both mechanisms are a really good way for organisations to show their commitment to complying with data protection legislation and ultimately, build public trust and confidence in their organisation." 

UK retailer sends security warning to Clubcard holders

Tesco is issuing new cards to 600,000 members of its rewards scheme after discovering a security issue whereby fraudsters attempted to redeem customers' vouchers. The supermarket said it believed a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases. No financial data was accessed and its systems have not been hacked, it added. The supermarket said it had emailed everybody potentially affected.

UK will have an 'independent policy on data protection'

The UK has published its approach to Brexit negotiations in the form of a document called 'The Future Relationship with the EU', indicating that the UK intends to set its own data agenda. The document released last week states: "The UK will have an independent policy on data protection at the end of the transition period and will remain committed to high data protection standards. To maintain the continued free flow of personal data from the EU to the UK, the UK will seek 'adequacy decisions' from the EU under both the GDPR and the Law Enforcement Directive before the end of the transition period. On a transitional basis, the UK has allowed for the continued free flow of personal data from the UK to the EU. The UK will conduct assessments of the EEA States and other countries under an independent international transfer regime." In addition, the UK has said that it will seek appropriate arrangements to allow continued cooperation between the UK Information Commissioner's Office and EU Member State Supervisory Authorities.

Google's acquisition of Fitbit could pose 'high level of risk to privacy and data protection'
The European Data Protection Board has ordered Google to conduct "a full assessment of the data protection requirements and privacy implications" of its acquisition of wearables giant Fitbit. During a Board plenary session on 20th February, concerns were raised about the privacy implications of a merger of obligations under the GDPR. The Board urged both firms "to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission". It added that the EDPB will "consider any implications for the protection of personal data in the European Economic Area". An ICO spokesperson said: "We are aware of Google's acquisition of Fitbit and we are considering the potential impact on the privacy rights of UK users."

Facial recognition business suffers data breach
A controversial facial recognition company has just informed its customers of a data breach in which its entire client list was stolen. Clearview AI leapt to fame in January 2020 when a New York Times report claimed that the start-up had scraped up to three billion images from social media sites to add to its database. Those clients have now been exposed after an unauthorised intruder managed to access the Clearview AI's entire customer list, the number of user accounts those companies have set up, and the number of searches they've carried out. The intruder did not access client search histories. The firm has claimed that its own servers, systems and network were not compromised.

FCC proposes millions in fines for top US wireless carriers
The Federal Communications Commission wants the US's largest wireless carriers to pay tens of millions of dollars to resolve accusations the companies failed to protect the privacy of US mobile phone users. The proposed fines for AT&T, Sprint, T-Mobile and Verizon follow years of reports that the companies improperly shared customers' real-time geolocation information with third parties. One of Verizon's indirect corporate customers, a prison phone company called Securus, had used Verizon's customer location data in a system that effectively let correctional officers spy on millions of Americans. FCC Chairman, Ajit Pai, has said that the total potential penalties would add up to more than $200 million.

PDP Journals logo
Receive further Expert guidance and in-depth articles on data protection direct to your mailbox or home address...  
Privacy & Data Protection journal
Privacy & Data Protection Journal 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal


19th Annual Data Protection Compliance Conference
8th & 9th October 2019 - London, UK  
London's leading two-day Data Protection Conference
 This year, the conference is dedicated to examining the developments in data protection; the continued practical implications for organisations of complying with the GDPR, as well as what could be next for organisations post-Brexit.

Bridget Treacy
Conference Chair: 
Bridget Treacy 
Hunton Andrews Kurth  

**Day 2 Workshops have now  
been released** 
Full details of each workshop can now be viewed online.  

* Workshop Highlight * 

James Clark Workshop C:
Data Subject Rights: Preparing Compliant Responses While Minimising Organisational Burden

Whilst most data protection practitioners are now familiar with the range of rights offered to individuals under the GDPR, many organisations are still grappling with the operational question of how to respond to requests in a way which is compliant, but also as cost and time efficient as possible.

This Workshop arms attendees with the tools needed to maximise an effective approach to data subject rights handling.

For more information and to book your place:
  1. Visit PDP Conferences 
  2. Send us an Email 
  3. Telephone +44 (0)207 014 3399

PDP Training logo

Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here are a selection of courses taking place shortly:

John Fitzsimons
Cornerstone Barristers
This course is an introductory level course for all those that are new to data protection, or those that require a refresher on the fundamental concepts. It is designed for people who work with, or will work with, data protection issues on a regular basis.

This invaluable and practical training session examines core concepts of practical data protection compliance.

This course can be used as credit towards the Practitioner Certificate in Data Protection

The next available dates for this course are:
  • Glasgow          Monday, 16th March 2020
  • Isle of Man      Monday, 30th March 2020
  • Belfast             Monday, 20th April 2020
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, provides a thorough grounding in the following important aspects of data protection practice:
  • transferring data to third parties - the legal requirements for transferring data between organisations
  • data retention - the restrictions on keeping data, and how to establish a retention schedule
  • the main exemptions, including 'crime and tax' and 'disclosures required by law'
  • the role and powers of the data protection regulator, including the circumstances where fines can be imposed
  • an introduction to when it will be necessary to carry out a Data Protection Impact Assessment
Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.

The next available dates for this course are:
  • Glasgow          Tuesday, 17th March 2020
  • Isle of Man      Tuesday, 31st March 2020
  • Belfast             Tuesday, 21st April 2020
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

Peter Given_ Womble Bond Dickinson
Peter Given
Womble Bond Dickinson
Meeting the requirements of data protection law whilst handling staff data can be particularly challenging. Holding and using staff information carries significant legal responsibilities and risks.

This invaluable one-day session is designed to meet the needs of anyone who has responsibility for the use of employee data, including Human Resources Officers and Compliance Officers. It is also useful to Employment Lawyers and companies providing outsourced HR functions to other organisations.

This course, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, uses case studies based on real scenarios to give delegates a practical understanding of the data protection compliance issues involved in employing and managing staff. The session lets delegates know the key areas of risk, and includes practical advice on:
  • ensuring that the recruitment and selection process meets the legal requirements, including the content of application forms, pre-employment vetting, criminal records, medical checks and the interview process
  • retaining staff records, and appropriate periods of time for keeping information
  • dealing with information requests from staff - what must be disclosed and what you can withhold
  • disclosing staff information to outside third parties - the legal requirements that must be met before staff information can be sent outside the organisation
  • references and the rights of ex-members of staff
  • monitoring staff activities and communications, including using line managers, private detectives, CCTV cameras and website monitoring technologies
  • handling sensitive information such as health and sickness records and medical data
  • how to handle mergers, acquisitions and restructuring
  • outsourcing functions to third party providers
  • how to comply with the Employment Code
  • how to handle staff complaints
  • the role of the Information Commissioner and what to do if she investigates
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection

The next available dates for this course are:
  • Manchester   Friday, 6th March 2020
  • Glasgow         Friday, 20th March 2020 
  • Isle of Man     Friday, 3rd April 2020
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue  
Understanding your obligations when advertising directly to your potential or existing customers is governed by direct mailing rules as well as data protection rules and in some cases the criminal law. Knowing where you stand before commencing a marketing campaign is key to avoiding potential pitfalls and ensuring the campaign runs as smoothly as possible. Recent fines by the Information Commissioner's Office in the context of marketing emails, marketing texts and marking calls highlights the need to ensure that organisations fully understand the rules.

This practical training session, which is fully up to date with the requirements of the GDPR, the Data Protection Act 2018, the direct marketing rules and the implications of Brexit, looks in detail at direct marketing and common problems which can arise, including:
  • issues concerning the purchase and sale of marketing lists
  • how the GDPR affects the use of your existing database for marketing purposes
  • whether, and in what circumstances, consent is needed
  • the distinction between opt-out and opt-in permissions, and when to use each
  • the different rules that apply to marketing by email, text message, telephone and post
  • call centre issues
  • profiling and analytics
  • the functions, powers and role of the Information Commissioner, and other relevant regulators, in the context of direct marketing
  • examples of recent fines and how to avoid them
Participants in this session will gain all the knowledge needed in order to ensure that their organisations are able to conduct successful marketing campaigns which avoid the attention of regulators.

The next dates for this training session are:
  • Manchester    Friday, 27th March 2020
  • Glasgow          Monday, 22nd June 2020
  • London            Monday, 14th September 2020
For further information and to make a booking
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

PDP Conferences
** Workshop Topics have now been released **
This year, the conference is dedicated to examining the developments in data protection; the continued practical implications for organisations of complying with the GDPR, as well as what could be next for organisations post-Brexit.  

Upcoming session dates in London, Manchester & Dublin  
This practical training course equips those who may be closely involved in an internal investigation with the skill set needed to navigate the investigation successfully and strategically.
It gives delegates the knowledge needed to lead or contribute to an internal investigation and maximise the likelihood of a positive outcome (both internally and externally) for the organisation.  
Tuesday 20th October - Friday 23rd October 2020 (early booking recommended)  
PC.dp Residential Programme

The residential option on the
Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively on four consecutive days (rather than five for the Standard Programme)

Taking place in a well-equipped countryside hotel in Southern England, the Residential offers a comfortable and peaceful location for study (and is inclusive of all food, drink and accommodation). 
Latest edition of Privacy & Data Protection Journal 
The latest edition includes the following articles: 
Blockchain and the GDPR - friends or foes?

The ICO's new Direct Marketing Code

ISO Standards - a guide for privacy
Data protection in Japan

Intensive training over the next few months taking place in Manchester, Isle of Man, Belfast, Jersey & London 
Practitioner Certificate in Data Protection _GDPR_ 
The Practitioner Certificate in Data Protection ("PC.dp.") is the practical qualification for those that work in the fields of data protection and privacy. It is fully up to date with the requirements of the General Data Protection Regulation (GDPR)
Find out more >   
Training course running in Manchester later this month  
Highly practical Training session taking place later this month - book now to secure your place 
Role of the DPO 
This course analyses the role and duties of the DPO in a practical context and provides delegates with the information that they need to become more effective and efficient 

PDP 2020 Training Catalogue  
Download our latest  
Training Catalogue for a comprehensive overview of 2020 training courses and qualifications for those working in Data Protection and Information Management

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments

More information >  

"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom