PDP - Compliance News Updates - 24 April 2018

Final guidelines on consent, transparency and BCRs
  Issue: 24.04.2018

The Article 29 Working Party has now published its final guidance on consent. One change from the draft guidance is the insertion of a new section addressing requests for consent online, where continued use of a site is presented as amounting to consent (the Working Party says that this will be inadequate). The Working Party also issued final guidelines on transparency and the BCRs approval procedure. The contents of the final guidelines will be analysed in depth as part of Privacy & Data Protection's ongoing GDPR series.
Two UK firms fined for making nuisance calls
Two firms in West Yorkshire have been fined by the Information Commissioner's Office for calling people registered with the Telephone Preference Service. Bradford-based Energy Saving Centre Ltd, which offers services such as replacement windows and doors and guttering, made seven million calls over a seven month period without screening them against the TPS register. The ICO fined the firm £250,000 because at least 34,000 of these calls were made to TPS subscribers. In a separate case, Alex Goldthorpe, trading as Approved Green Energy Solutions, was fined £150,000 for making over 300,000 calls to TPS subscribers between April and July 2017. Energy Saving Centre has also been issued with an enforcement notice ordering it to stop illegal marketing.
Hamburg opens non-compliance procedure against Facebook
Hamburg's data protection regulator is the latest to open an investigation against Facebook over the Cambridge Analytica scandal. Hamburg's Data Protection Commissioner, Johannes Caspar, notified Facebook in writing that he had opened the probe, saying that "first we will seek a statement from Facebook and then hearings will begin". The investigation could lead to a fine of up to 300,000 euros ($370,000).
US court drops long-running data access case involving Microsoft
A long-running case over whether US authorities have a right to access data stored outside of the country has been brought to an end after the Supreme Court found the legal dispute to be "moot" in light of recent developments. The dispute stemmed from a drug trafficking case in which Microsoft was served with a domestic warrant requesting emails stored at a data centre in Ireland. Microsoft challenged the warrant, arguing that, under the law as it then stood, the government had no right to access private information stored abroad. In March, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed by Congress and signed into law, providing a legal framework that clarified the position with warrants. It was on this basis that the Supreme Court reached its decision. The case isn't over yet, however: the Justice Department has since obtained a new warrant under the new law. Microsoft is currently in the process of reviewing the warrant and deciding how to respond.
MPs raise 'serious concerns' over NHS Digital stewardship of data
A group of UK MPs said it had "serious concerns" over the ability of the senior leadership of NHS Digital to understand and protect health and social care data. The comments came within a House of Commons Health and Social Care Committee report into the memorandum of understanding on data-sharing between NHS Digital and the Home Office which came into effect on 1st January. In January 2018 the Committee asked NHS Digital to suspend its involvement in the agreement, saying that there was "inadequate consultation during the formulation of the MOU and a failure to pay due regard to the underlying ethical considerations and potential unintended consequences for public health [which] resulted in a situation where data-sharing is taking place in a manner which...could lead to serious unintentional consequences for both individuals and wider public health." The request was rejected, so the Committee took further evidence on the issue and has now come to the same conclusion.
TSB apologises following online banking data breach
UK bank TSB has apologised to customers who could not access their accounts through the company's app and online banking service on Sunday night and Monday morning. A number of customers complained of a "data breach" and said that they were able to view other people's account information through the app. The issues came after TSB carried out planned upgrade work to its technology over the weekend. One honest customer said he had been credited with a large sum of money that was not his once he managed to get back into the app. "My balance, because of my overdraft, is in minus, but my balance was showing at £13,000," said Liam McKenzie, from Paisley in Scotland.
Belgian Privacy Commission issues recommendation on Impact Assessment
The Belgian Privacy Commission has issued a recommendation (currently only available in French and Dutch) on Data Protection Impact Assessments and the prior consultation requirements under Articles 35 and 36 of the GDPR. The recommendation is intended to provide guidance on the core elements and requirements of a DPIA. Among the key takeaways, the Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be interpreted in light of two central principles of the GDPR: the principle of accountability and the risk-based approach. In terms of when a DPIA is required, the DPA said that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is "likely to result in a high risk to the rights and freedoms of natural persons."
FTC revises its security settlement with Uber
The Federal Trade Commission has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach which took place during the time that the FTC was investigating an earlier, 2014 breach. The revised proposed agreement goes beyond the FTC's original settlement and requires Uber to address software design, development and testing, how the company reviews and responds to third-party security vulnerability reports, and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any incident where the company is required to notify any US government entity about the unauthorised access of any consumer's information.
Facebook moves 1.5bn users out of reach of new European privacy law
In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The move is due to come into effect shortly before the General Data Protection Regulation comes into force in Europe on 25th May. Meanwhile, the company has also started asking European and Canadian users to let it use facial recognition technology to identify them in photos and videos. Facebook originally began face-matching users outside Canada in 2011, but stopped doing so for EU citizens the following year after protests from regulators and privacy campaigners. The move is likely to be controversial.

More in-depth data protection news and articles...

New GDPR Article Series

Privacy & Data Protection journal: introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR

Visit the Privacy & Data Protection journal for a free sample and to subscribe

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Alison Deighton
TLT Solicitors
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
  • the right to be informed
  • requirements for handling subject access requests
  • profiling and automated decision taking
  • the right to data deletion
  • the right to restriction of processing
  • the right to object to processing
  • the right to data portability
  • compensation
  • the right to cessation of direct marketing
  • exemptions for organisations
  • changes that should be made to organisations' privacy policies 
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
  • Belfast             Thursday, 7th June 2018
  • Glasgow          Monday, 24th September 2018 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Fedelma Good
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
  • how data protection law applies to profiling and Big Data
  • how the extended territorial scope of the GDPR catches ever more profiling activities
  • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
  • controllers' increased accountability to individuals and the remedies available to individuals
  • the circumstances in which profiling is acceptable
  • how to reduce the risks of 'discriminatory' decision-making
  • the relevance of the privacy by design and default regime
  • the GDPR position on profiling and special category personal data
  • practical guidance on what information must be supplied to customers and others
  • how to obtain explicit consent, where required.
The course is taking place on the following dates:
  • London    Tuesday, 12th June 2018
  • Belfast     Thursday, 6th December 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
John Wilson
JMW Mosaic
This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment. This training session is designed to meet the needs of senior and more experienced practitioners and builds on the basic and intermediate skills and techniques covered on the Records Management 1 and Records Management 2 training courses. Topics covered include:
  • Information governance
  • Dealing with risk
  • Records management policy development
  • Embedding good records management practice
  • Records migration and dealing with legacy records
  • Digital continuity - managing electronic records over time
Delegates are encouraged to share their own experiences in the session. 

The next available dates for this course are:
  • Glasgow        Friday, 22nd June 2018
  • London          Wednesday, 26th September 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

Final few places remaining for May 2018
PC.dp Residential Programme

The residential option on the Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively on four consecutive days (rather than five for the Standard Programme).

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.
Find out more & Order your copy here >
* New course *
Cybersecurity for Data Protection Professionals, 2nd July 2018 - London
Breach Notifications Training Course 

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.

Qualify as a Data Protection Practitioner

Flexible training options allow you to train alongside other commitments. More information >
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom