PDP - Compliance News Updates - 9 May 2018

  Issue: 09.05.2018

ICO orders Cambridge Analytica to hand over American's personal data
The UK regulator has ordered Cambridge Analytica to hand over all the personal information it holds on a US academic, confirming the right of people abroad to seek data held by a UK firm. The Information Commissioner's Office served notice to SCL Elections, Cambridge Analytica's parent, to provide the information it holds on David Carroll, saying failure to do so would be a criminal offence punishable by an unlimited fine. The order comes days after both firms filed for insolvency.

ICO launches consultation on investigatory powers

The Information Commissioner has launched a consultation on stronger powers for the UK regulator which are written into the Data Protection Bill currently going through Parliament. In addition to the much publicised powers to levy penalties being brought in by the GDPR, the proposed new powers include no-notice inspections, compelling people and organisations to hand over information, and making it a criminal offence to destroy, falsify or conceal evidence. The consultation closes on 28th June and the revised policy will be subject to Parliamentary consideration and final approval.

Pseudonymised data in scope of portability rules, says ICO

The ICO has expanded its guidance on GDPR data portability. The GDPR requires controllers to make the personal data they possess available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance" and to transmit that data direct to other businesses at the request of consumers where it is "technically feasible". According to the ICO's guidance, personal data that have been subjected to pseudonymisation will be in scope of new data portability rules. An article explaining the new right to data portability in depth featured in Volume 17, Issue 3 of Privacy & Data Protection.

UK government told to amend communication surveillance laws

The UK government has been given until 1st November to introduce revised communication surveillance laws after existing legislation was found to be "incompatible with fundamental EU rights in the area of criminal justice". The UK High Court made its ruling after civil liberties group Liberty challenged the lawfulness of the UK's Investigatory Powers Act which came into force in November 2016. The High Court ruled the Act's communications data regime unlawful because it does not limit access to retained data to the purpose of combating 'serious crime', and because access to the data is not subject to prior review by a court or an independent administrative body.

Keynote Speech on ICO Enforcement Powers

PDP is pleased to announce that James Dipple-Johnstone, Deputy Commissioner at the UK's Information Commissioner's Office, will present the Keynote speech at the 17th Annual Data Protection Compliance Conference, taking place in London on 11th & 12th October. Mr Dipple-Johnstone will review the ICO's increased powers, including the power to audit organisations and to impose significant financial penalties, and will discuss the ICO's intentions for the use of its new powers.

Enhanced practical guidance on data protection offered in Singapore

Organisations in Singapore will be given the opportunity to obtain 'enhanced practical guidance' on data protection issues under new plans recently outlined by the country's Personal Data Protection Commission. Businesses will be able to obtain enhanced practical guidance from the Commission where the query relates to a complex or novel compliance issue, where the query cannot be addressed by PDPC's general guidance, and where the query does not amount to a request for legal advice. The Commission also published plans for new legislation on unsolicited commercial messages. The proposals are open to consultation until 7th June.

Advocate General gives key opinion in communications data case

An advisor to the EU's highest court has said that EU law permits communications data laws to be enforced by law enforcement bodies even when the crimes they are investigating are not 'serious', providing there is no serious interference with privacy rights. The non-binding view, expressed by Advocate General to the Court of Justice of the EU Henrik Saugmandsgaard Øe, could have major implications for the scope of communications data laws in place across Europe. The case before the CJEU, which is likely to be ruled on formally later this year, stems from a dispute in Spain over the scope of Spanish communications data laws.

EDPS warns businesses about GDPR privacy policies

Updated privacy policies being sent out by organisations may not be GDPR compliant, the European Data Protection Supervisor Giovanni Buttarelli has said. According to Buttarelli, some of the policies he has seen present a "take-it-or-leave-it proposition". He said that he and other DPAs were "worried that even the biggest companies may not yet understand that these manipulative approaches must change...to satisfy Article 7(4) of the GDPR" (which states that consent is not freely given if the provision of a service is made conditional on processing personal data not necessary for the performance of a contract).

Two firms fined in UK for nuisance calls and spam texts

The Information Commissioner's Office has fined two firms in Stockport for disrupting the public with nuisance marketing. IAG Nationwide Limited was fined £100,000 for making more than 69,000 "frightening" and "aggressive" calls to people registered with the Telephone Preference Service. IAG also failed to correctly identify itself in the calls, did not give people the chance to opt-out of receiving them and provided misleading information about the nature of the call. In a separate ICO investigation, Bramhall-based Costelloe and Kelly Limited was issued with a £19,000 fine for sending more than 260,000 spam texts promoting funeral plans.

Australia's Commonwealth bank lost data of 20 million accounts

As part of the latest scandal involving Australia's largest lender, the country's Commonwealth Bank has admitted losing the bank records of almost 20 million people. Names, addresses, account numbers and statements were stored on two magnetic tapes which were meant to be destroyed by a subcontractor in 2016. Despite not receiving evidence the tapes had been destroyed, the bank did not alert customers there was a potential problem.

Data Protection Bill reaches Report stage

The UK House of Commons will vote on proposed changes to the Data Protection Bill today (9th) which would impose financial penalties on the media for being involved in data protection disputes. Tom Watson, Labour's Deputy Leader, intends to introduce sanctions on newspapers for data protection complaints, compelling them to pay court costs even if the case is thrown out. Bosses of regional and local newspapers have condemned the "draconian measures" that will cause "irreparable damage to the sector if enacted".

WhatsApp Co-Founder quits, possibly due to data protection rift

WhatsApp Chief Executive Jan Koum has quit the popular messaging service he co-founded saying he was "taking some time off to do things I enjoy outside of technology". Although it is not the stated reason for his departure, a Washington Post report said that Mr Koum had clashed with parent company Facebook over WhatsApp's strategy. It is understood that he also objected to Facebook attempts to use WhatsApp's personal data and weaken its encryption standards.

Election regulator faces probe over data gaffe

The UK Electoral Commission has apologised after mistakenly releasing details of donors to a pro-Union campaign group. The regulator attempted to redact details of 168 individuals who had donated to Scotland in Union following a FOI request, but a "technical issue" meant the full names could be seen simply by cutting and pasting the spreadsheet. The body now faces investigation by the Information Commissioner's Office.

More in depth data protection news and articles... 

New GDPR Article Series 

Introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR.

Visit the
Privacy & Data Protection for a Free Sample and to Subscribe

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:   
Alison Deighton
TLT Solicitors
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
  • the right to be informed
  • requirements for handling subject access requests
  • profiling and automated decision taking
  • the right to data deletion
  • the right to restriction of processing
  • the right to object to processing
  • the right to data portability
  • compensation
  • the right to cessation of direct marketing
  • exemptions for organisations
  • changes that should be made to organisations' privacy policies 
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
  • Belfast             Thursday, 7th June 2018
  • Glasgow          Monday, 24th September 2018
  • London            Monday, 12 November 2018 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Fedelma Good
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate against. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
  • how data protection law applies to profiling and Big Data
  • how the extended territorial scope of the GDPR catches ever more profiling activities
  • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
  • controllers' increased accountability to individuals and the remedies available to individuals
  • the circumstances in which profiling is acceptable
  • how to reduce the risks of 'discriminatory' decision-making
  • the relevance of the privacy by design and default regime
  • the GDPR position on profiling and special category personal data
  • practical guidance on what information must be supplied to customers and others
  • how to obtain explicit consent, where required.
The course is taking place on the following dates:
  • London    Tuesday, 12th June 2018
  • Belfast     Thursday, 6th December 2018
Peter Given
Womble Bond Dickinson
From May 2018, organisations will be required to notify serious data breaches to both national data protection authorities and individuals, except in a narrow range of circumstances. This practical training session looks at the new breach notification obligations in detail, including:
  • the types of incidents that will trigger the requirement to notify
  • actions that organisations should be taking now in order to prepare for mandatory breach notification
  • incident response plans and opportunities to mitigate risk
  • implications for data processors
  • what the ICO, and other relevant regulators, will expect organisations to do
  • the requirement for an internal breach register and how to maintain it
  • consequences of failing to notify breaches 
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next available dates for this course are:
  • London    Monday, 25th June 2018
  • London    Monday, 3rd December 2018
Did you pass the Practitioner Certificate in Data Protection prior to 2018?

Practitioner Certificate in Data Protection - GDPR Conversion Programme

The online self-study Programme for candidates who gained their qualification prior to 2018 to upgrade their qualification for the GDPR era.

GDPR Event
11th & 12th October 2018 London, UK 


* Workshop Topics have been announced *

This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to helping organisations ensure they are compliant.
* New course for 2018 *
Cybersecurity for Data Protection Professionals  2nd July 2018 - London
Breach Notifications Training Course 

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.
Find out more & Order your copy here >

Qualify as a Data Protection Practitioner

Flexible training options allow you to train alongside other commitments. More information >
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom