
Issue: 30.10.2018

UK regulator fines Facebook for failing to protect users' personal information
The Information Commissioner's Office has fined Facebook £500,000 for serious breaches of data protection law. In July, the regulator issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes. The ICO issued the fine after considering representations from the company and confirmed that the amount - the maximum allowable under the laws which applied at the time the incidents occurred - will remain unchanged. Elizabeth Denham, Information Commissioner, said: "Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better." Ms Denham added: "The fine would inevitably have been significantly higher under the GDPR."

EU and US regulators issue joint statement on Privacy Shield review

The European Commissioner for Justice, Consumers and Gender Equality Věra Jourová and US Secretary of Commerce Wilbur Ross have issued a joint statement regarding the second annual review of the EU-US Privacy Shield framework. The statement highlighted that over 4,000 companies have become Privacy Shield-certified since the inception of the framework in 2016, and three new members have been appointed to the US Privacy and Civil Oversights Board. It also mentioned the need for the US to promptly appoint a permanent Under Secretary, and the Commerce Department's promise to revoke the certification of companies that do not comply with the Privacy Shield's principles. The European Commission plans to publish a report on the functioning of the Privacy Shield by the end of 2019.

Commissioners endorse guidelines on AI

The 40th International Conference of Data Protection and Privacy Commissioners has released a Declaration on Ethics and Protection in Artificial Intelligence. In it, the Conference endorsed several guiding principles as "core values" to protect human rights as the development of artificial intelligence continues apace. The Conference called for the establishment of international common governance principles on AI in line with these concepts. As an initial step toward that goal, the Conference announced a permanent working group on Ethics and Data Protection in Artificial Intelligence. 

Apple Chief blasts 'weaponisation' of personal data and praises GDPR

Giving an unusual speech in Europe, Apple Chief Executive Tim Cook has demanded a tough new US data protection law. Referring to the misuse of personal data, he said it was being "weaponised against us with military efficiency". "We shouldn't sugar-coat the consequences," he added. "This is surveillance." Mr Cook also praised the GDPR. 

Philip Green outed as the businessman who gagged the media from publishing sexual harassment allegations

British billionaire Sir Philip Green has been revealed as the businessman who won a privacy injunction preventing the media publishing allegations of misconduct by former employees. The 66-year-old chairman of Arcadia Group was named by Lord Hain in the House of Lords using parliamentary privilege, which gives MPs and peers the right to say whatever they like in Parliament and not be sued for libel. Lord Hain said he was contacted by someone "intimately involved" in the case, and that Sir Philip had made "substantial payments" to conceal allegations of "serious and repeated sexual harassment, racist abuse and bullying". Sir Philip said he "categorically and wholly" denied the allegations.

EDPB dealing with 162 cross border cases

The European Data Protection Board has 162 cross-border cases on its case register, the Board's Chair Andrea Jelinek said in Brussels last week. Ms Jelinek said that the first five months of the GDPR have been busy for the authorities. Some 80,000 breach notifications have been received by the 25 EU DPAs which have issued their statistics, and 15 One Stop Shop procedures have been started at the Board. In addition, there have been 233 procedures relating to Mutual Assistance between the DPAs.

Mobile app data sharing 'out of control'

Data harvesting and sharing by mobile apps is "out of control", University of Oxford researchers have warned. Professor Nigel Shadbolt, who led the research team, said "people [in businesses] are desperate to get as many eyeballs and click-throughs as they can." Associate Professor Max Van Kleek added: "I don't think there's any notion of control." Almost 90% of free apps on the Google Play store share data with Google parent company Alphabet, the Financial Times has reported. Google said it had clear policies for how developers could handle data, and that the research had mischaracterised some "ordinary functions" of apps.

Receive further expert guidance and in-depth articles on data protection, the GDPR and DPA 2018 direct to your mailbox or home address...
Privacy & Data Protection Journal 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Jenai Nissim
Data Protection Consultant
For the first time in data protection law, the GDPR introduces the requirement of "accountability". In basic terms, accountability means that organisations are not only required to comply with data protection requirements, but also that they must demonstrate that they comply.

Demonstrating compliance consists of several elements, including preparing policies, monitoring compliance with internal policies and procedures, amending job roles and updating customer facing documentation such as websites and offline forms.

This highly practical session looks at the detail of what accountability requires, and provides delegates with all the knowledge and tools necessary to achieve compliance in their organisations.

It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The course is taking place on the following dates:
  • London          Tuesday, 4th December 2018
  • Belfast            Wednesday, 6th March 2019 
  • Manchester    Wednesday, 20th March 2019 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Estelle Dehon
Cornerstone Barristers
This invaluable and practical training session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, examines core concepts of practical data protection compliance, including:
  •  how data protection law applies to your organisation
  • what can and cannot be done with staff information and customer information
  • an introduction to the requirement to keep data secure, and how to meet that requirement
  • the rights of individuals, such as customers and staff, in respect of data held by your organisation
  • the legal requirements for gathering information for marketing, including an introduction to the use of opt-out and opt-in clauses
  • the requirements for using CCTV cameras
  • an introduction to handling requests for information by individuals
  • the rules that apply to using special categories of personal data (e.g. medical and health information, genetic data, information on sexual orientation, ethnicity data)
  • an introduction to the restrictions on sending personal data abroad
  • the legal requirements for outsourcing personal data processing operations, e.g. payroll, call-centres, private investigators and confidential waste management companies
  • an introduction to the principle of 'accountability'
  •  the role of the data protection regulator
This course can be used as credit towards the Practitioner Certificate in Data Protection.

 The next available dates for this course are:
  • London          Monday, 19th November 2018
  • Manchester    Monday, 26th November 2018  
  • London          Monday, 7th January 2019
This practical training session is designed for those that work in the field of data protection. The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.

The Level 2 course is designed as a natural progression from Data Protection Essential Knowledge - Level 1, although attending Data Protection Essential Knowledge - Level 1 is not a pre-requisite to attending the Level 2 unless you are a complete beginner to data protection.

Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.

The next available dates for this course are:
  • London          Tuesday, 20th November 2018
  • Manchester    Tuesday, 27th November 2018  
  • London          Tuesday, 8th January 2019 
Damien Welfare
Cornerstone Barristers
The Data Protection Act 2018 makes key changes to data protection law in the United Kingdom. It supplements the GDPR, and the two have to be read together to have a complete picture of the UK position. It adds to the "lawful bases" on which special category data may be processed, sets out the extensive exemptions to the GDPR which apply in the UK, defines the scope of much processing in the public sector, and applies rules based on those in the GDPR to processing for activities which fall outside EU competence.

This course focuses on assisting those working in mainstream data protection compliance (in both the private and public sectors) to understand the DPA 2018's implications from a practical perspective, including:
  • modifications to key definitions contained in the GDPR, and their significance
  • the lawful bases  for processing special category personal data in the UK - when and how they will apply, and how controllers can take advantage of them
  • exemptions from the GDPR in the UK
  • the age of consent of children to processing for internet society services
  • how provisions based on the GDPR are applied by the Act to activities outside EU competence
  • the conditions for processing personal data on criminal matters
  • modifications to the rights of individuals
  • public interest processing - scope and applicability
  • restrictions on the applicability of certain aspects of the GDPR in the UK
  • enhanced powers of the Information Commissioner, including entry and inspection, and the new enforcement regime
It is recommended that delegates attending this session have at least a basic knowledge of current data protection legal requirements under the GDPR. Delegates with no existing knowledge may find it helpful to attend  Data Protection Essential Knowledge Level 1 before attending this training course.

The course is next taking place on the following dates (further dates available online):
  • Manchester    Monday, 12th November 2018

Next training session taking place in Manchester - November 2018
Cybersecurity training course  
This session is prepared specifically in the context of the GDPR, with the objective of helping compliance professionals deal more assuredly and knowledgeably with cybersecurity within their organisations.

Training taking place in Edinburgh, London and Manchester before the end of 2018 
Data Protection Impact Assessments  
These training sessions give practical guidance on conducting DPIAs, and include:
  • what is a DPIA, and when should one be carried out
  • national regulators' recommendations and guidance
  • stages of a DPIA and what to do in practice: initial assessment, preparation, information flows, consultation with stakeholders, analysis, documentation
  • the relationship between conducting PIAs with other risk and project management activities (e.g. other risk assessments, data protection audits)
  • legal and compliance issues to consider

Practitioner Certificate in Data Protection - GDPR Conversion Programme

Upcoming intensive training weeks in London and Manchester 
Ensure you have the knowledge to practically implement the GDPR in your organisation.
The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis.
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation." 
Joanne Maurizi 

"By far the most practical resource available to help understand the complexities of the GDPR..."

A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.


Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments


"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom