PDP header graphic

Issue: 17.03.2020

ICO addresses concerns about committing data breaches whilst seeking to contain outbreak

The UK regulator has issued a statement regarding coronavirus, attempting to address any data protection concerns that could be inhibiting measures to prevent the spread of the virus. "Data protection and electronic communication laws do not stop government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing" said the regulator. "Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses," it added. The GDPR allows the temporary suspension of some data protection rights in times of crisis. Specifically, Article 9 (2) (i) of the GDPR allows the processing of these special categories of data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Italy, the most affected country in Europe, has already adopted an urgent measure to combat the spread of COVID-19: an Ordinance granting civil protection personnel in Italy extensive powers to process personal data related to the outbreak. Currently, the measure is only valid until July 2020, but it could be extended. An article on how data protection interlays with coronavirus will feature in the upcoming edition of Privacy & Data Protection.

Google and Swedish SA lock heads over delisting notifications

The Swedish data protection authority has fined Google SEK75m (€7m/ £6.13m) for right to be forgotten failures in a dispute that shows how contested certain aspects of the GDPR remain. "When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site owner knowledge of which webpage link was removed and who was behind the delisting request," the regulator said - an act that "does not have a legal basis". However, Google says doing this is consistent with the GDPR. The fine follows three years of audits by the SA into how Google handles the requested removal of individuals' search results, when information published on websites is "demonstrably false, irrelevant or superfluous." A Google spokesperson said: "We disagree with this decision on principle and plan to appeal."  

Princess Cruises admits data breach

A cruise liner which was forced to halt its global operations after two of its ships confirmed on-board outbreaks of the coronavirus, has now confirmed a data breach. The notice posted on its website in early March said the company detected unauthorised access to a number of its email accounts over a four-month period between April and July 2019, some of which contained personal information on its employees, crew and guests. Princess said names, addresses, Social Security numbers and government IDs - such as passport numbers and driver license numbers - may have been accessed, along with financial and health information. the cruise liner said the potentially impacted data is 'not specific' to each guest.

Israeli PM sparks privacy scare with move to track corona patients' phones

Prime Minister of Israel, Benjamin Netanyahu, has announced that Israel would begin using advanced digital monitoring tools to track carriers of the coronavirus, raising major privacy concerns and prompting accusations of mass surveillance. "Up until today I avoided using these measures in the civilian population but there is no choice," Netanyahu said. The Taiwanese government credited its aggressive tracking program with helping the island territory rein in the coronavirus outbreak, though in that case, GPS data were primarily used to ensure that those in quarantine remained at home, rather than tracking their past movements, as Israel is proposing. The head of the left-wing Meretz party in Israel, Nitzan Horowitz, denounced the proposal, saying that such surveillance shouldn't take place without parliamentary and judicial oversight. "Monitoring citizens with the help of information databases and advanced technology is a harsh blow to privacy and basic liberty. Therefore, this is forbidden in democratic countries," Horowitz said.

Everyone has a problem with India's New Data Protection Law
Privacy advocates, business and social media giants are all opposing India's long-awaited national data protection law, the Personal Data Protection Bill, currently under inspection by a joint Parliamentary Committee. The main issue for privacy advocates is that the law allows the government to exempt itself from the requirements. Any government agency can be granted exemption from the data protection law for a variety of fairly vague reasons including 'preventing incitement', 'in the interest of sovereignty and integrity of India', 'breakdown of public order' or 'friendly relations with foreign states'. Private companies are also objecting to the terms, which stipulate fines and costs they feel are too high. Mozilla noted that privacy protection could be compromised by government access. The Software Alliance, a lobbying firm that represents information technology giants such as IBM and Microsoft, specifically criticised the bill's requirement that companies keep sensitive personal information about users on servers located in India. And social media companies have objected to the data protection law's requirement that 'voluntary identity verification' of users be made available, claiming it will be a massive drain on resources.

PDP Journals logo
Receive further Expert guidance and in-depth articles on data protection direct to your mailbox or home address...  
Privacy & Data Protection journal
Privacy & Data Protection Journal 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal


19th Annual Data Protection Compliance Conference
8th & 9th October 2019 - London, UK  
London's leading two-day Data Protection Conference
This year, the conference is dedicated to examining the developments in data protection; the continued practical implications for organisations of complying with the GDPR, as well as what could be next for organisations post-Brexit.

Bridget Treacy
Conference Chair: 
Bridget Treacy 
Hunton Andrews Kurth  

**Day 2 Workshops have now  
been released** 
Full details of each workshop can now be viewed online.  

* Workshop Highlight * 

Peter Given Workshop B:
Direct Marketing: Common Issues and Pitfalls and How to Avoid Them

An effective direct marketing strategy is critical for most organisations. However, direct marketing is fraught with danger for the unwary and regulators have shown their willingness to punish non-compliance in this area. This Workshop, which is based in real-life war stories and case studies, provides practical guidance on:
  • the legal requirements in relation to direct marketing, as well as the latest guidance from the ICO's Direct Marketing Code 2020
  • common problems and issues faced by organisations in complying with these requirements, including adtech and using cookies
  • solutions and strategies to overcome these challenges

For more information and to book your place:
  1. Visit PDP Conferences 
  2. Send us an Email 
  3. Telephone +44 (0)207 014 3399

PDP Training logo

Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here are a selection of courses taking place shortly:

John Fitzsimons
Cornerstone Barristers
This course is an introductory level course for all those that are new to data protection, or those that require a refresher on the fundamental concepts. It is designed for people who work with, or will work with, data protection issues on a regular basis.

This invaluable and practical training session examines core concepts of practical data protection compliance.

This course can be used as credit towards the Practitioner Certificate in Data Protection

The next available dates for this course are:
  • London    Monday, 11th May 2020
  • Cardiff      Monday, 6th July 2020
  • London    Monday, 13th July 2020
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, provides a thorough grounding in the following important aspects of data protection practice:
  • transferring data to third parties - the legal requirements for transferring data between organisations
  • data retention - the restrictions on keeping data, and how to establish a retention schedule
  • the main exemptions, including 'crime and tax' and 'disclosures required by law'
  • the role and powers of the data protection regulator, including the circumstances where fines can be imposed
  • an introduction to when it will be necessary to carry out a Data Protection Impact Assessment
Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.

The next available dates for this course are:
  • London     Tuesday, 12th May 2020
  • Cardiff       Tuesday, 7th July 2020
  • London     Tuesday, 14th July 2020
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Dan Whitehead
Dan Whitehead
Hogan Lovells
Breaches of information security are consistently one of the top two reasons for data protection regulator enforcement action. And fines for breaches of security are usually higher than for other types of breaches.

With mandatory breach notification under the GDPR and the significant uplift in potential monetary penalties, compliance professionals need to be suitably empowered with cybersecurity knowledge and awareness to assist their organisations to both mitigate ongoing data security risks and to deal with personal data breaches. It is also useful for compliance professionals to have a basic knowledge of cybersecurity terminology to facilitate effective communications with IT Team members.

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations. The session addresses:
  • what exactly cybersecurity means and encompasses
  • threats, vulnerabilities and risk from a security perspective
  • comparing and contrasting "risk" in security, and data protection under the GDPR
  • risk analysis and management from a security and data protection standpoint
  • cryptography as a privacy tool: encryption, at rest and in transit; hashing and salting
  • managing identity and authentication, security operations
  • security baselines: including ISO 27001 and Cyber Essentials
  • introduction to malware: botnets, ransomware, Denial of Service (and DDoS), Advanced Persistent Threats (APTs)
  • personal data breach / incident management and crisis management
  • business continuity planning and disaster recovery
  • data breach simulations
No technical knowledge is required in order to attend this session. A basic working knowledge of data protection legal requirements would be useful. Delegates with limited data protection knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next dates for this training session are:
  • London          Thursday, 30th April 2020
  • Manchester    Thursday, 2nd July 2020
  • Edinburgh      Friday, 16th October 2020 
For further information and to make a booking
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Phil Tompkins, Dickinson Dees
Phil Tompkins
Ward Hadaway
Data protection law requires that personal information be held and used securely. The law also requires that relevant security arrangements be put in place for all outsourcing arrangements. News headlines consistently show that organisations are not doing enough to ensure the security of people's personal information, both within the organisation and externally. It is not always obvious what measures should be taken by organisations to comply with the legal obligations.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), as well as the implications of Brexit, examines the law as it relates to data security and the practical steps that organisations need to take to ensure compliance with their obligations. It concentrates on how to avoid a data security breach, as well as what can be done to mitigate the effects of a breach that does occur. It also considers the steps that must be taken when an organisation outsources operations, such as payroll, website hosting, digitisation of records, debt collection and waste management. The session considers lessons that must be learned by the fines that have been imposed by regulators.

This session can be used as a credit towards the Practitioner Certificate in Data Protection (GDPR)
The course is next taking place on the following dates (further dates available online):
  • London    Wednesday, 13th May 2020
  • Cardiff      Wednesday, 8th July 2020
  • Belfast     Thursday, 16th July 2020
For further information and to make a booking
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Distance Learning Programme

The eLearning option provides candidates with the opportunity to study the Programme in their own time and at their own pace. The comprehensive materials consist of 14 learning modules. Each module contains self-assessment questions (with answers) to allow candidates to test their knowledge and to prepare for the online examination.

8th & 9th October 2020 - London  
PDP Conferences 
** Workshop Topics have now been released **
This year, the conference is dedicated to examining the developments in data protection; the continued practical implications for organisations of complying with the GDPR, as well as what could be next for organisations post-Brexit.  
20th - 23rd October 2020 (early booking recommended)  
PC.dp Residential Programme

The residential option on the
Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively on four consecutive days (rather than five for the Standard Programme)

Taking place in a well-equipped countryside hotel in Southern England, the Residential offers a comfortable and peaceful location for study (and is inclusive of all food, drink and accommodation). 
(Also available on an  
Available as an eSubscription 
Latest edition of Privacy & Data Protection Journal 
The latest edition includes the following articles: 
Blockchain and the GDPR - friends or foes?

The ICO's new Direct Marketing Code

ISO Standards - a guide for privacy
Data protection in Japan

PDP 2020 Training Catalogue  
Download our latest  
Training Catalogue for a comprehensive overview of 2020 training courses and qualifications for those working in Data Protection and Information Management

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments

More information >  

"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom