PDP - Compliance News Updates - 26 June 2018

BT fined £77,000 by the ICO for five million spam emails
PDP header graphic
  Issue: 26.06.2018

BT fined £77,000 by the ICO for five million spam emails
British Telecommunications plc has been fined £77,000 by the Information Commissioner's Office after it sent nearly five million nuisance emails to customers. The 4.9 million emails, promoting three charity initiatives, were sent between December 2015 and November 2016. During the investigation, BT accepted that emails for two of the charities, Giving Tuesday and Stand up to Cancer, were unlawful, but disputed the assessment that those to the third charity, My Donate, were direct marketing. The ICO found that all of the emails sent constituted marketing, and were not simply service messages. The messages were delivered to recipients who had not given the necessary consent, and were therefore sent in breach of Regulation 22 of the Privacy and Electronic Communications Regulations.    

Supreme Court rules on mobile location data

In a landmark ruling, which protects the privacy of mobile phone users, the US Supreme Court confirmed that the government generally needs a warrant to collect location data on customers of mobile phone companies. The case, Carpenter v. United States,  arose from armed robberies of Radio Shacks and other stores in the Detroit area starting in 2010. The court ruled that the damning location evidence of the alleged perpetrators was inadmissible due to a breach of their 4th Amendment rights. The 5-to-4 ruling made exceptions for emergencies such as bomb threats and child abductions. Eduardo Ustaran, Partner at Hogan Lovells, tweeted that the decision was "a nod in the right direction from US judiciary for those concerned about the Privacy Shield and Model Clauses, and limits to access to data by the state." Mr Ustaran is speaking on the Privacy Shield and Model Clauses at the upcoming 17th Annual Data Protection Practical Compliance Conference taking place in London on 11th and 12th October. His article on the future of EU international data transfers appears in June edition of Privacy & Data Protection

Campaign group alleges illegitimate use of data by UK revenue service

The Information Commissioner's Office is investigating complaints that the voices of millions of taxpayers have been analysed and stored by HM Revenue and Customs without consent. According to the campaign group Big Brother Watch, HMRC's Voice ID system, which was introduced last year, has collected 5.1 million audio signatures and is creating "biometric ID cards by the back door". HMRC says the data are held securely and emphasised that callers could elect not to use Voice ID.    

New rules on free flow of non-personal data closer to being finalised

EU governments would be required to justify national regulations requiring companies to store non-personal data locally, under proposed new rules that moved closer to being finalised last week. The European Parliament, Council of Ministers and European Commission reached political consensus on a new regulation on the free flow of non-personal data and prohibiting data localisation restrictions. The Regulation has no impact on the application of the GDPR as it does not cover personal data. However, the two Regulations will function together. In the case of a mixed dataset, the GDPR provision guaranteeing free flow of personal data will apply to the personal data part of the set, and the free flow of non-personal data principle will apply to the non-personal part.   

Twitter, comScore Sued For Allegedly Tracking Kids Who Use Disney Apps by Wendy Davis

A group of parents in the US who are suing Disney over alleged privacy violations have expanded their case by adding Twitter's MoPub and comScore as defendants. The class-action complaint being brought under the Children's Online Privacy Protection Act alleges that Disney allowed outside companies to embed code that tracked young children who used apps. According the new complaint, those outside companies include Twitter, comScore, Upsight, Unity Technologies and Kochava. Disney say that the complaint is based on a fundamental misunderstanding of COPPA principles.    

National data strategy to be developed in the UK

The UK government has announced that a national data strategy will be developed "to unlock the power of data in the UK economy and government, while building public confidence in its use". The plan to develop the strategy was outlined as the government published proposals on what role, objectives and areas of focus the new Centre for Data Ethics and Innovation should have. The consultation paper states "We want to ensure the Centre adds real value and builds confidence and clarity for businesses and citizens. We will therefore engage extensively with all those who have an interest and stake in the way data use and AI are governed and regulated. This includes citizens, businesses, regulators, local and devolved authorities, academia and civil society."       

Hackers steal crypto-exchange of £24 million

A leading crypto-coin exchange has suspended trading after declaring that hackers had stolen some of the digital currencies it stored. Seoul-based Bithumb said that 35bn won (£24m) worth of cyber-cash had been "seized" overnight, adding that it would fully compensate affected customers. The values of Bitcoin, Ethereum and Ripple all fell on the news. The occasion is the second within a year that Bithumb has been breached. Last July, the company acknowledged that an employee's PC had been hacked, exposing users' personal details.  

More in depth data protection news and articles... 

PDP Journals logo
New GDPR Article Series 

Privacy & Data Protection journalIntroducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR

Visit the
Privacy & Data Protection for a Free Sample and to Subscribe

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.

17th Annual Data Protection Conference (GDPR)

17th Annual Conference

11th & 12th October 2018 - London, UK 
** London's leading two-day GDPR Conference **  

James Dipple Johnstone
How the ICO will exercise its New Powers
James Dipple-Johnstone 
Infomation Commissioner's Office (ICO)
  This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to help organisations ensure they are compliant.
16th Annual Data Protection Compliance Conference

* Speaker Highlight *
Eduardo Ustaran  
The Long Term Viability of the Privacy Shield and Model Clauses       
Eduardo Ustaran - Partner, Hogan Lovells
Some of the most commonly used methods to legitimise international data transfers are under serious scrutiny. For data exports to the United States, the Privacy Shield is an attractive option. But the constant challenges to the legality of the Shield, as well as the political climate, are questioning its survival. Commonly used tools like model clauses have also been challenged and will likely need to be revised. How can companies proceed in the uncertain world of data globalisation?

For more information and to book your place:

PDP Training logo

Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Estelle Dehon_ Cornerstone Barristers
Estelle Dehon
Cornerstone Barristers
This course is an introductory level course for all those that are new to data protection and the GDPR, or those that require a refresher on the fundamental concepts. It is designed for people who work with, or will work with, data protection issues on a regular basis.This invaluable and practical training session examines core concepts of practical data protection compliance.This course can be used as credit towards the Practitioner Certificate in Data Protection.The next available dates for this course are:
  • London    Monday, 9th July 2018
  • Belfast     Monday, 10th September 2018
  • London    Monday, 17th September 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
This practical training session is designed for those that work in the field of data protection. The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.The Level 2 course is designed as a natural progression from Data Protection Essential Knowledge - Level 1, although attending Data Protection Essential Knowledge - Level 1 is not a pre-requisite to attending the Level 2 unless you are a complete beginner to data protection.Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.The next available dates for this course are:
  • London    Tuesday, 10th July 2018
  • Belfast     Tuesday, 11th September 2018
  • London    Tuesday, 18th September 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
John Wilson, Mosaic
Organisations face increasing pressure to manage their records according to statutory and business requirements. As the use of electronic records and the deployment of electronic document and records management systems continue to increase, the core skills of the person responsible for records management become ever more important to the organisation. In many cases, appropriate data protection and FOI compliance will depend upon a good records management system.This invaluable training session, led by John Wilson, examines core concepts of good records management practice.Records Management 1 is an introductory level session that provides delegates with a thorough grounding in the fundamentals of records management, including:
  • introduction - basic concepts
  • records management tools
  • records lifecycle approach
  • designing a file plan
  • records destruction
  • legal framework / compliance
  • management of electronic records and email 
Upcoming dates for this training course are:
  • London           Tuesday, 17th July 2018
  • Manchester    Wednesday, 5th September 2018
  • Edinburgh      Thursday, 4th October 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

This course examines how to implement good records management practice. Led by John Wilson, Records Management 2 is an intermediate level session that provides a grounding in the fundamentals of records management, including:
  • introduction - initiating a records management project
  • records audit
  • process mapping
  • building a business classification scheme
  • measuring performance
  • sustaining a records management programme
Delegates are encouraged to share their own experiences at the session. The day will be a mixture of presentation and practical exercises. There will be plenty of opportunity for questions.Upcoming dates for this training course are:
  • London           Wednesday, 18th July 2018
  • Manchester    Thursday, 6th September 2018
  • Edinburgh       Friday, 5th October 2018
A discount is available for delegates attending both the Level 1 and Level 2 sessions, as well as for multiple delegates attending from the same organisation.For further information and to make a booking,
  1. Visit PDP's website  
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

Practitioner Certificate in Data Protection - GDPR Conversion Programme
Ensure you are have the knowledge to practically implement the GDPR in your organisation.  
The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis.
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation." 
Joanne Maurizi 
Find out more >
Records Management Levels 1&2
Next sessions: 17th & 18th July 2018 - London
Records Management Levels 1 & 2
These highly practical sessions provide a thorough grounding and examine the core concepts of good records management practice.  

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.
Find out more & Order your copy here >

Practitioner Certificate in Data Protection - GDPR Conversion Programme
The online self-study Programme for candidates who gained their qualification prior to 2018 to upgrade their qualification for the GDPR era.

"I'm delighted to have passed the GDPR Conversion Programme Examination. The Programme was both enjoyable and challenging, providing an in depth look at the changes GDPR brings and how to apply these in practice.  I am now confident that my knowledge of Data Protection Law remains up to date and comfortable that I can apply the new regulations in practice in my day to day role."
Find out more >

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitmentsMore information >  
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."   Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom