Issue: 12.03.2019
Latest Sweep concludes that companies need to do more to achieve privacy accountability
The Global Privacy Enforcement Network's latest report shows that last year's sweep found that a number of organisations had no processes in place to deal with the complaints and queries raised by data subjects, and were not equipped to handle data security incidents appropriately. Participating GPEN members made contact with 356 organisations in 18 countries during the sweep, and concluded that when it comes to monitoring internal performance in relation to data protection standards, many organisations were found to fall short, with around a quarter who responded having no programmes in place to conduct self-assessments and/or internal audits. Organisations were generally found to be quite good at giving initial data protection training to staff, but often failed to provide refresher training.

Equifax CEO testifies about data security practices
Equifax's new CEO Mark Begor has told US Senators that the credit ratings agency has made many changes since its 2017 breach of the personal information of 143 million people, and defended the company against a harsh new Senate report about the incident. The report in question says that unlike Equifax, the company's competitors Experian and TransUnion "were able to avoid a similar data breach." The report also criticised Equifax for not properly saving records of internal conversations about the breach. Employees used an internal chat service called Microsoft Lync, which was set to not preserve conversations. "The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cybersecurity seriously," Mr Begor said in response. Mr Begor joined Equifax's Chief Information Security Officer, Jamil Farshchi, and Marriott CEO Arne Sorenson to discuss private-sector data breaches at a hearing in front of the Senate's Homeland Security and Governmental Affairs Subcommittee on Investigations.

UK regulator gives guidance to GPs on SARs
The ICO has issued some practical advice and tips for dealing with SARs specifically for medical practices. Such bodies have reported a huge rise in requests since the GDPR came into effect. The ICO suggests that such bodies may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available. It also suggests that practices can provide the SAR response electronically (subject to safeguards such as encryption). "A surgery only needs to print paper copies if it is asked to do so and this is reasonable" the guidance states. "If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR."

ICO's adtech fact-finding forum shows consensus on need for change
Simon McDougall, Executive Director for Technology Policy and Innovation at the ICO, has given feedback following the ICO's recent adtech fact-finding forum. He said there was a consensus on the need for improvements. "From the regulator's perspective, we know we have more work to do. We need to absorb the views shared yesterday, and have invited attendees to provide any further reflections and comments on the day's discussion in a brief email." The ICO has said that it is happy to accept comments from those who could not attend, limited to 1,000 words, by the end of this week. Interested parties should send their comments by email.

Dutch regulator cracks down on "take it or leave it" consent
Take-it-or-leave-it cookie walls do not comply with the General Data Protection Regulation, the Dutch Supervisory Authority has reminded organisations. Cookie walls, also known as tracking walls, are among the most aggressive techniques organisations use to collect personal data. Websites that employ them display a notification page which prevents individuals from accessing any of the website's content unless they agree to tracking. The Dutch Supervisory Authority issued a statement on the topic, following what it said were multiple complaints from people who had been unable to access websites after they refused cookies. The regulator said it would intensify its monitoring of compliance, and that it had sent the organisations subject to the most complaints a letter warning them about their activities.

Bulgaria's new data protection law enters into force
Bulgaria's new data protection law has now entered into force, and it supplements the GDPR. The Law on Amending and Supplementing the Law on Personal Data Protection modernises the original Data Protection Act from 2002. It also transposes the EU Law Enforcement Directive.

Receive further expert guidance and in-depth articles on data protection direct to your mailbox or home address.
Privacy & Data Protection Journal

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal

18th Annual Data Protection Compliance Conference
10th & 11th October 2019 - London, UK  
London's leading two-day GDPR Conference

Keynote Speaker:
Elizabeth Denham
UK Information Commissioner 


This year, the conference is dedicated to examining the developments in data protection and continued practical implications of the GDPR.

* Workshop Highlight * 

Workshop F: Do I really need consent?

The GDPR has brought a much closer focus on the need for a controller to have a 'lawful basis' to process personal data and, if relevant, special category personal data. While obtaining a data subject's consent is one of a range of possible options, it is by no means always required and is often not the most appropriate basis. This workshop looks closely at the circumstances when consent should (and shouldn't) be the 'go to' basis, as opposed to the other lawful bases available, by considering a variety of practical scenarios and asking:
  • what are the requirements for a lawfully valid consent?
  • is consent practical?
  • what is the impact on individual rights?
  • when are other lawful bases better?


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:

Alison Deighton, HelloDPO
Data Protection Impact Assessments (DPIAs) enable organisations to assess potential data protection and other privacy implications at the design stage of a new system or process. Such risks can be assessed and addressed within the development of the system or process, rather than being a "bolt-on" after implementation (when it may be too late to address all the concerns, at least without significant cost implications).

DPIAs are recommended by data protection regulators, and they are a requirement in some sectors. DPIAs are an important part of the "privacy by design" culture, and they are mandatory under the General Data Protection Regulation.

Different approaches and levels of assessment can be undertaken depending on the nature of the system/process and the size of the organisation. This course gives practical guidance on conducting DPIAs, and includes:
  • what is a DPIA, and when should one be carried out
  • national regulators' recommendations and guidance
  • stages of a DPIA and what to do in practice: initial assessment, preparation, information flows, consultation with stakeholders, analysis, documentation
  • the relationship between conducting DPIAs and other risk and project management activities (e.g. other risk assessments, data protection audits)
  • legal and compliance issues to consider
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection

The course is taking place on the following dates:
  • Manchester: Friday, 22nd March 2019
  • Glasgow: Friday, 12th April 2019
  • London: Friday, 24th May 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Peter Given, Womble Bond Dickinson
This course, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR) as well as implications of Brexit, uses case studies based on real scenarios to give delegates a practical understanding of the data protection compliance issues involved in employing and managing staff. The session lets delegates know the key areas of risk, and includes practical advice on:
  • ensuring that the recruitment and selection process meets the legal requirements, including the content of application forms, pre-employment vetting, criminal records, medical checks and the interview process
  • retaining staff records, and appropriate periods of time for keeping information
  • dealing with information requests from staff - what must be disclosed and what you can withhold
  • disclosing staff information to outside third parties - the legal requirements that must be met before staff information can be sent outside the organisation
  • references and the rights of ex-members of staff
  • monitoring staff activities and communications, including using line managers, private detectives, CCTV cameras and website monitoring technologies
  • handling sensitive information such as health and sickness records and medical data
  • how to handle mergers, acquisitions and restructuring
  • outsourcing functions to third party providers
  • how to comply with the Employment Code
  • how to handle staff complaints
  • the role of the Information Commissioner and what to do if she investigates
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection

The course is taking place on the following dates:
  • Manchester: Friday, 22nd March 2019
  • Glasgow: Friday, 12th April 2019
  • London: Friday, 24th May 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Sian Rudgard, Hogan Lovells
This session provides a practical hands-on approach to the different mechanisms available to overcome the legal limitations affecting international data transfers. Attend this session to identify the most appropriate solution to the challenges faced by your organisation and learn about the most cost-effective way to comply with the law.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, addresses all of the practical questions affecting international transfers of personal data such as:
  • what amounts to a transfer of personal data?
  • what are the methods of ensuring that transfers are lawful?
  • which is the best method to use for the foreign outsourcing of functions such as website hosting, IT maintenance and call centres?
  • how will I ensure that my organisation is lawfully using 'cloud' providers?
  • in what circumstances can my organisation make its own determination of 'adequacy'?
  • how do Binding Corporate Rules work and how would I go about obtaining approval?
  • what is the "Privacy Shield", and how can I use it to legalise transfers of data from the EU to the United States?
  • how and when can we use consent to justify international transfers?
  • what is the right approach to adopt in my organisation's particular case?
Delegates will acquire the knowledge necessary to determine the most effective method for ensuring the legality of international transfers in any given circumstance.

The course is taking place on the following dates:
  • Glasgow: Friday, 12th April 2019
  • London: Friday, 24th May 2019
  • Belfast: Friday, 13th September 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Residential Programme 

Next Residential taking place 15th-18th May 2019
PC.dp Residential Programme

The residential option on the Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively over four consecutive days (rather than five for the Standard Programme).

This year, PDP's annual data protection conference is dedicated to examining the developments in data protection and continued practical implications of the GDPR.

PDP Training Catalogue 2019 
Download our latest Training Catalogue for a comprehensive list of 2019 courses and qualifications for those working in Data Protection and Information Management

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments

"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day-to-day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well-structured course, underpinned with simple-to-understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom