
Issue: 27.11.2018

Facebook documents seized by MPs investigating privacy breach
A cache of Facebook documents has been seized by MPs investigating the Cambridge Analytica data scandal. The documents were intercepted under rarely used Parliamentary powers when an executive of US tech firm Six4Three was on a trip to London. The House of Commons serjeant-at-arms was sent to the businessman's hotel, and he was given a final warning and a two-hour deadline to comply with the order. When the executive failed to do so, he was escorted to Parliament and warned he risked fines and imprisonment if the documents were not surrendered. Damian Collins, Chairman of the Commons Digital, Culture, Media and Sport Committee, said "This is an unprecedented move but it's an unprecedented situation. We've failed to get answers from Facebook and we believe the documents contain information of very high public interest."

Spain approves contested data protection law
The Spanish Senate has approved a controversial online data protection law which critics say will enable political parties to target voters with ads based on their internet browsing history. The Spanish law, which creates provisions which are supplemental to the GDPR for the Spanish territory, includes an amendment which allows political parties to "use personal data obtained from web pages and other publicly accessible sources to carry out political activities" during election campaign periods. The law stipulates that individuals who do not wish to receive targeted adverts from parties should be provided with a "simple and free way to exercise their opposition". Spanish consumer group FACUA, and far-left party Unidos Podemos, both said in separate statements that they would challenge the law in Spain's Constitutional Court.

MEPs call for business GDPR 'guarantee' on using blockchain
Businesses should not begin using blockchain technology to process personal data until they can guarantee compliance with EU data protection laws, a Committee of MEPs has said. The Committee on Civil Liberties, Justice and Home Affairs said that businesses using blockchain must, in particular, be able to respect the rights of data subjects under the GDPR to the rectification and erasure of their data. The LIBE Committee's opinion was published in response to an earlier draft report published by the European Parliament's Committee on International Trade, which flagged the potential for blockchain to cut up to $1 trillion in costs associated with global trade. Guidance issued recently by the French data protection authority on the topic supports the MEPs' view.

New UK law provides for director liability
UK law will be updated to make it possible to hold company directors personally liable for nuisance calls made by their businesses, following a government consultation earlier this year. The new rules, which will come into force on 17th December, give the Information Commissioner's Office new powers to fine company directors up to £500,000 for breaches of the Privacy and Electronic Communications Regulations. The new Privacy and Electronic Communications (Amendment) Regulations will give the ICO scope to fine the company, its directors, or both. The change will also allow the ICO to hold individual directors to account where the company fails to pay the fine or is placed into liquidation, and where the individual is no longer in a senior position, for example through resignation.

Irish Commission clarifies record-keeping and DPIAs interaction
Ireland's data protection authority has clarified how record-keeping obligations under the GDPR interact with the duties of businesses to carry out Data Protection Impact Assessments. The Commission recently published guidance outlining ten types of 'processing operation' that it believes fall within the 'likely high risk' provisions. In its guidance, the DPC said businesses should carry out a "documented screening or preliminary risk assessment" to determine whether their processing operations will trigger the need to undertake a full DPIA. When asked to clarify the legal basis for this preliminary step, the DPC said: "the data controller needs to go through a methodological process to identify the threats to data subjects and a calculation of the inherent risks involved. Clearly, if a processing operation is not high risk this can be easily recorded alongside the record keeping required for processing operations under Article 30. On the other hand, if a processing operation is complex, then a full scale screening process may be required and it may in fact form the preliminary steps of a DPIA. Other less complex processing operations may not require such an in depth risk analysis. If this analysis step determines in fact that the risks are low and no further work on a DPIA is required, then this can be recorded with other Article 30 records."

Finland adopts supplemental data protection law
Finland has finally adopted its national law which is supplemental to the GDPR, after a delay which occurred partly as a result of deliberations on the role of the Data Protection Ombudsman (the equivalent of a Data Protection Commissioner) in imposing administrative fines. Finland was initially uncomfortable with one person deciding on a very high level of sanctions, as this does not fit with Finland's legislative tradition. The result was to set up a three-member board, whose chairman will be the Ombudsman, Mr Reijo Aarnio. No administrative fines can be imposed on public authorities under the new law. Other national specifics include amendments on the right of access to public documents, and setting the age limit of consent at 13 with respect to offering information society services.

Amazon hit by data leak
Amazon suffered a customer data leak less than two days before Black Friday, it has emerged. Amazon customer service contacted people to warn them that their names and email addresses had been compromised, though it is not yet clear how many customers were affected or how it happened. An Amazon spokesperson said: "We have fixed the issue and informed customers who may have been impacted."

Facebook appeals against Cambridge Analytica fine
Facebook has taken the decision to appeal against a fine imposed on it by the ICO after the Cambridge Analytica scandal. The social network says that because the regulator found no evidence that UK users' personal data had been shared inappropriately, the £500,000 penalty was unjustified. "The ICO's investigation stemmed from concerns that UK citizens' data may have been impacted by Cambridge Analytica, yet they now have confirmed that they have found no evidence to suggest that information of Facebook users in the UK was ever shared by Dr Kogan with Cambridge Analytica, or used by its affiliates in the Brexit referendum," said a statement from Facebook's lawyer Anna Benckert. "Therefore, the core of the ICO's argument no longer relates to the events involving Cambridge Analytica."

ICO comments on regulatory sandbox
The ICO has released an analysis of the initial responses to its regulatory sandbox project. The regulator said it expects the sandbox to be broad in scope and open to any sector and any size of organisation. It also plans to make use of eligibility criteria to control entry in three main areas: innovation, public benefit and what the ICO is calling 'fitness to participate'. The ICO is also planning to encourage applications in particular from those organisations that are dealing with specific data protection challenges that were flagged in responses as being central to enabling innovation. "Work now continues to develop the operational processes needed to deliver the sandbox. We plan to undertake further consultation in the New Year as our operational model develops, and this will include events for organisations interested in the project which are provisionally scheduled to take place early in February 2019. Further information on these events will be published in the ICO e-newsletter on December 6th and in an update on the blog", the ICO said.

UK ICO issues warning to newspaper over cookie consent practices
The UK Information Commissioner's Office has issued a warning to the US-based Washington Post over its approach to obtaining consent for cookies to access the service. The Washington Post presents readers with three options to access its service: (1) free access to a limited number of articles dependent on consent to the use of cookies and tracking for the delivery of personalized ads; (2) a basic subscription consisting of paid access to an unlimited number of articles that is also dependent on consent to the use of cookies and tracking; or (3) a premium subscription consisting of paid access to an unlimited number of articles with no on-site advertising or third party ad tracking for a higher fee. Responding to a complaint submitted by a reader of The Register, the ICO concluded that since the newspaper has not offered a free alternative to accepting cookies, consent cannot be freely given and the newspaper is in contravention of Article 7(4) of the GDPR.

Receive further expert guidance and in-depth articles on data protection, the GDPR and DPA 2018 direct to your mailbox or home address.
Privacy & Data Protection Journal

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Ashley Roughton - Barrister 
Advertising directly to your potential or existing customers is governed by direct mailing rules as well as data protection rules and, in some cases, the criminal law. Knowing where you stand before commencing a marketing campaign is key to avoiding potential pitfalls and ensuring the campaign runs as smoothly as possible. Recent fines by the Information Commissioner's Office in the context of marketing emails, marketing texts and marketing calls highlight the need to ensure that organisations fully understand the rules.

This practical training session, which is fully up to date with the requirements of the GDPR, the Data Protection Act 2018, the direct marketing rules and the implications of Brexit, looks in detail at direct marketing and common problems which can arise, including:
  • issues concerning the purchase and sale of marketing lists
  • how the GDPR affects the use of your existing database for marketing purposes
  • whether, and in what circumstances, consent is needed
  • the distinction between opt-out and opt-in permissions, and when to use each
  • the different rules that apply to marketing by email, text message, telephone and post
  • call centre issues
  • profiling and analytics
  • the functions, powers and role of the Information Commissioner, and other relevant regulators, in the context of direct marketing
  • examples of recent fines and how to avoid them
Participants in this session will gain all the knowledge needed in order to ensure that their organisations are able to conduct successful marketing campaigns which avoid the attention of regulators.
The next training sessions take place on:
  • London: Friday, 14th December 2018
  • Manchester: Monday, 4th February 2019
  • Glasgow: Tuesday, 14th May 2019
For further information and to make a booking:
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Peter Given
Womble Bond Dickinson
Organisations are legally required to notify a personal data breach to the national data protection authority unless the breach is unlikely to negatively impact individuals. Organisations are additionally obligated to inform affected, and potentially affected, individuals where the breach is likely to result in a high risk for the rights and freedoms of those individuals.

This practical training session looks at the new breach notification obligations in detail, including:
  • the types of incidents that trigger the requirement to notify
  • actions that organisations should be taking now in order to prepare for a possible security breach
  • incident response plans and opportunities to mitigate risk
  • implications for processors
  • what the ICO, and other relevant regulators, expect organisations to do
  • the requirement for an internal breach register and how to maintain it
  • consequences of failing to notify breaches
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next available dates for this course are:
  • London: Monday, 3rd December 2018
  • London: Monday, 8th July 2019
  • Glasgow: Wednesday, 27th November 2019
For further information and to make a booking:
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Stephanie Pritchett, Pritchetts Law
Having responsibility for training staff on data protection issues can be a daunting prospect. Yet it is essential that all staff who handle personal information understand the fundamental principles and the practical requirements for complying with data protection rules. It is also important that staff members are able to identify breaches or potential breaches of data protection law, and to react appropriately.

Practical and non-technical, this training session gives an insight into suitable training methods and assessing knowledge levels amongst different categories of staff. It will also consider the key issues in planning for and preparing a staff training session, including:
  • who should be trained, and what do they need to know?
  • appropriate training tools for different groups of staff
  • putting together slides, exercises, case studies, and taking examples from "real life"
  • session length and timings
  • getting the audience on-side and keeping them engaged
  • assessment and follow-up
The session will look at how to train staff to:
  • appreciate who and what is covered by data protection rules
  • understand the organisation's policy and aims on personal data use
  • understand their individual responsibilities
  • know and apply the 8 core Principles for personal data use
  • understand the additional measures required for sensitive data use
  • recognise when, and for what purposes, staff / customer data may be used
  • identify appropriate steps to help keep personal information secure
  • deal with external requests for information, and understand the safeguards to apply
  • understand the rights of individuals and third parties
  • recognise and deal with a subject access request
  • know what to do in the event of a data protection breach

The course is next taking place on the following dates:
  • London: Thursday, 6th December 2018
  • London: Tuesday, 18th June 2019
  • London: Tuesday, 10th December 2019
For further information and to make a booking:
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Thursday, 6th December 2018 - Central London
Training Staff in Data Protection 
Train the Trainer 
This course is dedicated to equipping you with the knowledge and skills you need in order to be able to train your staff effectively and efficiently on essential data protection compliance issues.

Next training session taking place in December 2018 
Direct Marketing - Legal Risks - Training Course
Recent fines by the Information Commissioner's Office in the context of marketing emails, marketing texts and marketing calls highlight the need to ensure that organisations fully understand the rules.

Ensure your organisation is compliant by attending this highly practical training session, which looks in detail at direct marketing and common problems which can arise.

Practitioner Certificate in Data Protection - GDPR Conversion Programme

Upcoming intensive training weeks in London and Manchester
Ensure you have the knowledge to practically implement the GDPR in your organisation.
The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis.
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation." 
Joanne Maurizi 

"By far the most practical resource available to help understand the complexities of the GDPR..."

A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.


Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments


"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom