Issue: 06.11.2018

MPs to question Mark Zuckerberg in unprecedented international joint hearing
Politicians are campaigning harder to get Facebook boss Mark Zuckerberg to appear before them to answer questions on data privacy and disinformation. Damian Collins MP, Chair of the Digital, Culture, Media and Sport Committee, has joined forces with Bob Zimmer MP, Chair of the Canadian Standing Committee on Access to Information, Privacy and Ethics, to form an 'international grand committee' on disinformation and 'fake news', with a joint hearing scheduled for 27th November. Damian Collins has urged Mr Zuckerberg to appear, saying his "evidence is now overdue and urgent". Facebook was recently fined £500,000 by the UK's data protection regulator after the ICO found it had given app developers access to up to 87 million users' data "without clear consent".

ICO publishes new GDPR guidance

The UK regulator has published new guidance on passwords and encryption under the GDPR. Although the GDPR does not say anything specific about passwords, organisations are required to process personal data securely by means of appropriate technical and organisational measures, and passwords are a commonly-used means of protecting access to systems that process personal data. The guidance advises organisations to consider whether there are any better alternatives to using passwords, and notes additional considerations that organisations need to take account of when designing password systems, such as the use of an appropriate hashing algorithm.

Travel company resets customer passwords following hack attack

Eurostar has reset its customers' login passwords after detecting attempts to break into an unspecified number of accounts. The rail service said it had notified those whose accounts had been targeted, and other passengers will be informed the next time they try to log in, and asked to reset their details. Payment details were not affected, the company reassuring that "we deliberately never store any bank card information, so there is no possibility of compromise to credit card or payment details." The Information Commissioner's Office has been made aware of the incident.  

GPs warn of strain caused by new data protection rules

Doctors in the UK have warned they are under increasing strain from paperwork as a result of the new data protection rules. The British Medical Association is claiming that the additional red tape caused by the GDPR is putting extra pressure on doctors and reducing time spent with patients. Dr Michael McKenna, a GP based in Belfast, said "in my experience, I would have had one or two requests, maybe three a month, but since 24th May that has increased approximately five fold. What that entails is a member of my staff being taken out from frontline patient care to allow them to photocopy the records, and then I have to read and examine the notes and remove any third party or sensitive information from those records under the GDPR legislation...another job of work which takes me away from frontline patient care."  

Hotel group advises members of confirmed data breach

The Radisson Hotel Group has announced a data breach, saying members of its Radisson Rewards scheme were targeted by hackers that managed to steal a "small percentage" of its members' data. The company released a statement, saying no payment details, stay details or passwords were put at risk, but the information stolen did include member names and addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and any frequent flyer numbers.

Flat owners take Tate Modern to court over 'invasion of privacy'

Residents of London flats overlooked by the Tate Modern have gone to the High Court in an effort to stop hundreds of thousands of visitors looking into their homes from the art gallery's viewing platform. The owners of four flats in the Neo Bankside development on London's Southbank say the use of the platform "unreasonably interferes with their use of their flats" and that the Tate is "committing a nuisance". Five claimants are seeking an injunction requiring the gallery to prevent members of the public observing their flats by cordoning off parts of the platform or erecting screening.

Proposed data privacy law could send company execs to prison for 20 years

A US senator has proposed a privacy law that could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans' privacy. Under US Senator Ron Wyden's Bill, executives could be fined up to $5,000,000, imprisoned for up to 20 years, or both. Commentators say that the Bill seems unlikely to pass given the extreme penalties, lobbying clout of big businesses, and Republicans' control of Congress. However, both Republicans and Democrats have been pushing for some kind of privacy law, and Wyden's proposal may make big fines and prison sentences part of the discussion.

Receive further Expert guidance and in-depth articles on data protection, the GDPR and DPA 2018 direct to your mailbox or home address...  
Privacy & Data Protection Journal 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal

Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Eduardo Ustaran Hogan Lovells
This session provides a practical hands-on approach to the different mechanisms available to overcome the legal limitations affecting international data transfers. Attend this session to identify the most appropriate solution to the challenges faced by your organisation and learn about the most cost-effective way to comply with the law.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, addresses all of the practical questions affecting international transfers of personal data such as:
  • what amounts to a transfer of personal data?
  • what are the methods of ensuring that transfers are lawful?
  • which is the best method to use for the foreign outsourcing of functions such as website hosting, IT maintenance and call centres?
  • how will I ensure that my organisation is lawfully using 'cloud' providers?
  • in what circumstances can my organisation make its own determination of 'adequacy'?
  • how do Binding Corporate Rules work and how would I go about obtaining approval?
  • what is the "Privacy Shield", and how can I use it to legalise transfers of data from the EU to the United States?
  • how and when can we use consent to justify international transfers?
  • what is the right approach to adopt in my organisation's particular case?
Delegates will acquire the knowledge necessary to determine the most effective method for ensuring the legality of international transfers in any given circumstance.

The course is taking place on the following dates:
  • London          Friday, 23rd November 2018
  • Manchester    Friday, 22nd March 2019
  • Glasgow        Friday, 12th April 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Damien Welfare
Cornerstone Barristers
The Data Protection Act 2018 makes key changes to data protection law in the United Kingdom. It supplements the GDPR, and the two have to be read together to have a complete picture of the UK position. It adds to the "lawful bases" on which special category data may be processed, sets out the extensive exemptions to the GDPR which apply in the UK, defines the scope of much processing in the public sector, and applies rules based on those in the GDPR to processing for activities which fall outside EU competence.

This course focuses on assisting those working in mainstream data protection compliance (in both the private and public sectors) to understand the DPA 2018's implications from a practical perspective, including:
  • modifications to key definitions contained in the GDPR, and their significance
  • the lawful bases for processing special category personal data in the UK - when and how they will apply, and how controllers can take advantage of them
  • exemptions from the GDPR in the UK
  • the age of consent of children to processing for internet society services
  • how provisions based on the GDPR are applied by the Act to activities outside EU competence
  • the conditions for processing personal data on criminal matters
  • modifications to the rights of individuals
  • public interest processing - scope and applicability
  • restrictions on the applicability of certain aspects of the GDPR in the UK
  • enhanced powers of the Information Commissioner, including entry and inspection, and the new enforcement regime
It is recommended that delegates attending this session have at least a basic knowledge of current data protection legal requirements under the GDPR. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The course is next taking place on the following dates (further dates available online):
  • Manchester    Monday, 12th November 2018
  • London          Monday, 21st January 2019
  • Glasgow        Tuesday, 30th April 2019 
Peter Given
Womble Bond Dickinson
From May 2018, organisations will be required to notify serious data breaches to both national data protection authorities and individuals, except in a narrow range of circumstances. This practical training session looks at the new breach notification obligations in detail, including:
  • the types of incidents that will trigger the requirement to notify
  • actions that organisations should be taking now in order to prepare for mandatory breach notification
  • incident response plans and opportunities to mitigate risk
  • implications for data processors
  • what the ICO, and other relevant regulators, will expect organisations to do
  • the requirement for an internal breach register and how to maintain it
  • consequences of failing to notify breaches 
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next available dates for this course are:
  • London        Monday, 3rd December 2018
  • London        Monday, 8th July 2019
  • Glasgow      Wednesday, 27th November 2019

Next training sessions taking place in London & Manchester later this month 
Data Protection in the Workplace  
This course, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, uses case studies based on real scenarios to give delegates a practical understanding of the data protection compliance issues involved in employing and managing staff.   

Next training sessions taking place in London and Manchester later this month 
Data Protection Impact Assessments  
These training sessions give practical guidance on conducting DPIAs, and include:
  • what is a DPIA, and when should one be carried out
  • national regulators' recommendations and guidance
  • stages of a DPIA and what to do in practice: initial assessment, preparation, information flows, consultation with stakeholders, analysis, documentation
  • the relationship between conducting PIAs and other risk and project management activities (e.g. other risk assessments, data protection audits)
  • legal and compliance issues to consider

Practitioner Certificate in Data Protection - GDPR Conversion Programme

Upcoming intensive training weeks in London and Manchester 
Ensure you have the knowledge to practically implement the GDPR in your organisation.
The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis.
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation." 
Joanne Maurizi 

"By far the most practical resource available to help understand the complexities of the GDPR..."

A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.


Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments


"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom