PDP header graphic

Issue: 15.01.2019
Man admits to being behind German cyber attack
A 20-year-old man has admitted to police that he was behind a recent data breach in Germany in which the private details of almost 1,000 public figures were leaked. The man, who lives with his parents in the central German state of Hesse and is still in the education system, told police he had acted alone and was not politically motivated. German Interior Minister, Horst Seehofer, revealed that the hacker would not have been able to gather as much data as he had, if his victims had created more sophisticated passwords. "Bad passwords were one of the reasons he had it so easy," Seehofer said. "I was shocked at how simple most passwords were: 'ILoveYou', '1,2,3'. A whole array of really simple things." He said both politicians and the public needed to greatly increase their awareness of cybersecurity.

Cambridge Analytica firm fined 15k for ignoring data protection notice
A business that failed to respond fully to a data subject access request and later ignored an enforcement notice issued by the UK regulator has been fined 15,000 for breaching UK data protection laws. SCL Elections, better known as the firm behind the now defunct data analytics company Cambridge Analytica, was prosecuted at Hendon Magistrates' Court in London last Wednesday. SCL Elections pleaded guilty to breaching section 47(1) of the Data Protection Act (DPA) 1998 in a prosecution brought by the ICO. UK Information Commissioner, Elizabeth Denham, said: "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law. Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."

EU advisor's advice limits scope of 'right to be forgotten'
Search engines should not be forced to alter their search results for users outside of the EU when complying with 'right to be forgotten' requests made under EU data protection laws, a senior adviser to the EU's highest court has said. The Court of Justice of the EU had previously established that a search engine has a qualified duty to delist a webpage, or URL, from its search results when requested to do so by an individual if the webpage in question contains information about that individual and the information in question is "inadequate, irrelevant, no longer relevant or excessive". However, there has been a debate over the scope of delisting that search engines must implement, leading to France's Council of State asking the CJEU to clarify the matter. Giving his preliminary opinion, Advocate General Maciej Szpunar said "search requests made outside the EU should not be affected by the de-referencing of the search results". Szpunar came to this conclusion after acknowledging that previous EU data protection laws, since replaced with the GDPR, "do not expressly govern the issue of the territorial scope of de-referencing", concluding that it was appropriate to make "a distinction ... depending on the location from which the search is performed".

Former First Minister refers concerns to ICO
Former First Minister in Scotland, Alex Salmond, has reported the Scottish government to the ICO over details of sexual harassment claims against him appearing in the media. Mr Salmond wants to know how the claims, which he strenuously denies, got into the public domain. The action came two days after Salmond won a legal challenge against the Scottish government, which admitted to acting unlawfully while investigating sexual harassment claims against Mr Salmond. Confirmation of the ICO's involvement also followed the Scottish government's announcement that a "detailed review" had found that no data breach had been committed.

Marriott faces sprawling class-action lawsuit over hotel reservation data breach
Marriott, the world's largest hotel chain operator, has been hit with a class-action lawsuit over the data breach dating back to 2014 and now believed to affect more than 300 million people. The suit, brought by more than 150 past hotel guests, accuses Marriott of involvement in "deceptive, unconscionable, and substantially injurious practices." In addition to seeking compensatory damages and other forms of relief deemed appropriate by the court, the suit seeks an injunctive relief to prohibit Marriott from "continuing to engage" in "unlawful acts, omissions, and practices".  In its most recent update on 4th January, Marriott International said the personal information of fewer than 383 million former guests may have been accessed without authorisation as part of the breach, which is one of the largest in recent history.

US telecommunications company to stop selling all location data
AT&T is to stop selling all location data to brokers following report that companies are passing the information to shadowy firms without customer knowledge. Last year, AT&T and other carriers pledged to stop providing location information to data brokers, but AT&T made an exception for useful services that, for instance, help customers with roadside assistance or fraud protection. Now the company says it will also end those sales in March. The move follows a report on Vice's Motherboard site that showed how bounty hunters can track phone locations using carrier data.

PDP Journals logo 
Receive further Expert guidance and in-depth articles on data protection direct to your mailbox or home address...  
Privacy & Data Protection journal
Privacy & Data Protection Journal 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal

PDP Training logo

Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here are a selection of courses taking place shortly:
John Wilson, Mosaic
Organisations face increasing pressure to manage their records according to statutory and business requirements. As the use of electronic records and the deployment of electronic document and records management systems continue to increase, the core skills of the person responsible for records management become ever more important to the organisation. In many cases, appropriate data protection and FOI compliance will depend upon a good records management system.

This invaluable training session, led by John Wilson, examines core concepts of good records management practice.

Records Management 1 is an introductory level session that provides delegates with a thorough grounding in the fundamentals of records management, including:
  • introduction - basic concepts
  • records management tools
  • records lifecycle approach
  • designing a file plan
  • records destruction
  • legal framework / compliance
  • management of electronic records and email 
Upcoming dates for this training course are:
  • Manchester    Thursday, 24th January 2019
  • Cardiff            Thursday, 7th February 2019
  • Glasgow         Thursday, 14th February 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399

This course examines how to implement good records management practice. Led by John Wilson, Records Management 2 is an intermediate level session that provides a grounding in the fundamentals of records management, including:
  • introduction - initiating a records management project
  • records audit
  • process mapping
  • building a business classification scheme
  • measuring performance
  • sustaining a records management programme
Delegates are encouraged to share their own experiences at the session. The day will be a mixture of presentation and practical exercises. There will be plenty of opportunity for questions.

Upcoming dates for this training course are:
  • Manchester    Friday, 25th January 2019
  • Cardiff            Friday, 8th February 2019
  • Glasgow         Friday, 15th February 2019
A discount is available for delegates attending both the Level 1 and Level 2 sessions, as well as for multiple delegates attending from the same organisation.

For further information and to make a booking,
  1. Visit PDP's website  
  2. Telephone PDP at +44 (0)207 014 3399
John Wilson_ JMW Mosaic
John Wilson
JMW Mosaic
This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment. This training session is designed to meet the needs of senior and more experienced practitioners and builds on the basic and intermediate skills and techniques covered on the Records Management 1 and Records Management 2 training courses. Topics covered include:
  • Information governance
  • Dealing with risk
  • Records management policy development
  • Embedding good records management practice
  • Records migration and dealing with legacy records
  • Digital continuity - managing electronic records over time
Delegates are encouraged to share their own experiences in the session. 

The next available dates for this course are:
  • Manchester    Friday, 22nd February 2019
  • London          Monday, 29th April 2019
  • Edinburgh      Friday, 18th October 2019 
   For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
Manish Soni
Manish Soni
Herbert Smith Freehills
Breaches of information security are consistently one of the top two reasons for data protection regulator enforcement action. And fines for breaches of security are usually higher than for other types of breaches.

With mandatory breach notification under the GDPR and the significant uplift in potential monetary penalties, compliance professionals need to be suitably empowered with cybersecurity knowledge and awareness to assist their organisations to both mitigate ongoing data security risks and to deal with personal data breaches. It is also useful for compliance professionals to have a basic knowledge of cybersecurity terminology to facilitate effective communications with IT Team members.

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations. Find out more...

The course is taking place on the following dates:
  • London          Tuesday, 12th February 2019
  • Manchester    Wednesday, 26th June 2019
  • Edinburgh      Wednesday, 17th July 2019
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399

Upcoming course dates in Manchester & London 
Direct Marketing - Legal Risks - Training Course  
Recent fines by the Information 
Commissioner's Office in the context of marketing emails, marketing texts and marking calls highlights the need to ensure that organisations fully understand the rules.

Ensure you're organisation is compliant by attending this highly practical training session, which looks in detail at direct marketing and common problems which can arise.  

This self-study Programme allows previously qualified candidates to study at their own pace, either at home or in the office.

Next training session taking place in London - 12th February 2019 
Cybersecurity training course  
This session has been designed specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations   

Is your organisation complying with the requirements of the Data Protection Act 2018? 
Data Protection Act 2018  
This course focusses on assisting those working in mainstream data protection compliance (in both the private and public sectors) to understand the DPA 2018's implications from a practical perspective

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments

More information >  

"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom