IHRIM

PDP - Compliance News Updates - 16 October 2018





 

 

Issue: 16.10.2018

News 

 

EDPB adopts Opinions on DPIA 

The European Data Protection Board has published 22 Opinions on the draft lists supplied by Supervisory Authorities in compliance with Article 35(4) of the GDPR, regarding which processing operations are subject to the requirement of conducting a data protection impact assessment. In some cases, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. In other cases, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The opinion on the ICO's list states that businesses planning to process biometric, genetic or location data should not automatically have to carry out a data protection impact assessment first to comply with the GDPR. After receiving the EDPB's opinions, the SAs have two weeks to communicate to the EDPB whether they intend to amend their draft list or maintain it in its current form, and provide an explanation for such decision.  


Be transparent, says UK Deputy Commissioner, and you may avoid trouble

James Dipple-Johnstone, Deputy Commissioner of Operations at the ICO, has warned organisations: "If you want to keep the ICO from your door, don't underestimate the importance of transparency and accountability." Speaking at the 17th Annual Data Protection Practical Compliance Conference, Mr Dipple-Johnstone said: "Whilst we do intend to use all of our new powers, we will continue to use them in a fair and proportionate way. Contrary to popular opinion, we are not in a race to exercise the new powers." Under the ICO's Regulatory Action Policy, willful, negligent or repeated breaches will attract the highest fines. An article on the policy appeared in Volume 18, Issue 7 of Privacy & Data Protection journal.


New data protection self-assessment checklist for sole traders

The ICO has launched a self-assessment checklist to assist sole traders and self-employed individuals in assessing their compliance with the GDPR. The checklist shows sole traders how compliant they are by generating a rating based on their responses and provides links to relevant ICO guidance and further information. It also includes practical suggestions of how to stay in line with the law. Anulka Clarke, ICO's Head of Assurance, said: "We are committed to help sole traders and those who are self-employed to navigate data protection law and improve their practices."


Anonymity order lifted over mystery 'unexplained wealth' target 

Reporting restrictions which assured the anonymity of a woman subject to new enforcement powers have been lifted to reveal that the subject of the regulatory action is Zamira Hajiyeva - the wife of the former head of the International Bank of Azerbaijan. The UK National Crime Agency has used new legislation to apply for an unexplained wealth order requiring Mrs Hajiyeva to explain how she acquired properties worth £22m. Hajiyeva's lawyers appealed against the ruling and asked for the anonymity order to be kept in place, but after a week's extension the court finally set aside the reporting restrictions. More on this in the next issue of Compliance & Risk journal, which will also shortly feature an article on the new regulatory powers.


CNIL publishes assessment on blockchain and the GDPR

The French Data Protection Authority has published an initial assessment of the compatibility of blockchain technology with the GDPR and proposed concrete solutions for organisations wishing to use blockchain technology when implementing data processing activities. According to the CNIL, businesses can use blockchain technologies but must be mindful of the difficulties doing so could present to their compliance with EU data protection laws and properly embrace the principle of 'privacy by design' as a result. In the CNIL's view, the challenges posed by blockchain technology call for a response at the European level. The CNIL announced that it will cooperate with other EU supervisory authorities to propose a robust and harmonised approach to blockchain technology.


ICO fines firm £90,000 for nuisance emails 

The Information Commissioner has fined Boost Finance Ltd, a London-based marketing company responsible for millions of nuisance emails about pre-paid funeral plans. Trading as findmeafuneralplan.com, BFL was responsible for 4,396,780 emails that were sent from January to September 2017. The emails were sent to people who had subscribed to websites operated by BFL's affiliates, but who had not given their consent to receive them. The ICO investigation found that in all but one of the websites, it was not made obvious who the emails were from, although they did make generic mention of pre-paid funeral plan providers in some cases. The majority of the websites did not provide subscribers with the opportunity to opt out of third party marketing.


Google iPhone data privacy case blocked by High Court

The UK High Court has blocked a bid to sue Google for allegedly unlawfully taking data from 4.4 million UK iPhone users. The legal case was mounted by a group called Google You Owe Us, led by former Which? Director, Richard Lloyd. It sought compensation for people whose handsets were tracked by Google for several months in 2011 and 2012. Mr Justice Warby, who oversaw the case, explained that it was blocked because the claims that people suffered damage were not supported by the facts advanced by the campaign group. Another reason for blocking it, he said, was the impossibility of reliably calculating the number of iPhone users affected by the alleged privacy breach. Mr Lloyd said that he would seek permission to appeal against the verdict on behalf of the 20,000 people who signed up to the campaign.


Pension Regulator's powers are enhanced

The UK government has issued proposals to enhance the powers of The Pensions Regulator to help combat the deficits in defined benefit pension schemes that have become front-page news in the UK. If passed, the measures will increase the risk of non-compliance for directors and officers of employers who provided such final salary schemes, which is likely also to lead to further discussion as to how Director & Officer insurance can be used to mitigate such risks. Among the key proposals are the introduction of "punitive fines" against those who deliberately put a defined benefit scheme at risk, broader powers to facilitate information gathering, and a potential new criminal offence designed to sanction "willful or grossly reckless" behaviour by directors in relation to a defined benefit scheme. More on this development in the next issue of Compliance & Risk journal.

 


 

Receive further Expert guidance and in-depth articles on data protection, the GDPR and DPA 2018 direct to your mailbox or home address...

 

Privacy & Data Protection Journal

 

Visit the Privacy & Data Protection journal for a free sample and to subscribe


Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal

 

www.pdpjournals.com


 



Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.

Here is a selection of courses taking place shortly:

 

Data Protection Essential Knowledge - Level 1

Estelle Dehon
Cornerstone Barristers

This invaluable and practical training session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, examines core concepts of practical data protection compliance, including:

  • how data protection law applies to your organisation
  • what can and cannot be done with staff information and customer information
  • an introduction to the requirement to keep data secure, and how to meet that requirement
  • the rights of individuals, such as customers and staff, in respect of data held by your organisation
  • the legal requirements for gathering information for marketing, including an introduction to the use of opt-out and opt-in clauses
  • the requirements for using CCTV cameras
  • an introduction to handling requests for information by individuals
  • the rules that apply to using special categories of personal data (e.g. medical and health information, genetic data, information on sexual orientation, ethnicity data)
  • an introduction to the restrictions on sending personal data abroad
  • the legal requirements for outsourcing personal data processing operations, e.g. payroll, call-centres, private investigators and confidential waste management companies
  • an introduction to the principle of 'accountability'
  • the role of the data protection regulator

This course can be used as credit towards the Practitioner Certificate in Data Protection.

The next available dates for this course are:

  • Bristol          Monday, 22nd October 2018
  • Edinburgh    Monday, 29th October 2018
  • London         Monday, 19th November 2018

For further information and to make a booking,

  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue


Data Protection Essential Knowledge - Level 2

This practical training session is designed for those that work in the field of data protection. The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.

The Level 2 course is designed as a natural progression from Data Protection Essential Knowledge - Level 1, although attending Data Protection Essential Knowledge - Level 1 is not a pre-requisite to attending the Level 2 unless you are a complete beginner to data protection.

Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.

The next available dates for this course are:

  • Edinburgh     Tuesday, 30th October 2018
  • London         Tuesday, 20th November 2018
  • Manchester   Tuesday, 27th November 2018

For further information and to make a booking,

  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

 

Data Protection in the Workplace

Peter Given
Womble Bond Dickinson

This invaluable one-day session is designed to meet the needs of anyone who has responsibility for the use of employee data, including Human Resources Officers and Compliance Officers. It is also useful to Employment Lawyers and companies providing outsourced HR functions to other organisations.

This course, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, uses case studies based on real scenarios to give delegates a practical understanding of the data protection compliance issues involved in employing and managing staff. The session lets delegates know the key areas of risk, and includes practical advice on:

  • ensuring that the recruitment and selection process meets the legal requirements, including the content of application forms, pre-employment vetting, criminal records, medical checks and the interview process
  • retaining staff records, and appropriate periods of time for keeping information
  • dealing with information requests from staff - what must be disclosed and what you can withhold
  • disclosing staff information to outside third parties - the legal requirements that must be met before staff information can be sent outside the organisation
  • references and the rights of ex-members of staff
  • monitoring staff activities and communications, including using line managers, private detectives, CCTV cameras and website monitoring technologies
  • handling sensitive information such as health and sickness records and medical data
  • how to handle mergers, acquisitions and restructuring
  • outsourcing functions to third party providers
  • how to comply with the Employment Code
  • how to handle staff complaints
  • the role of the Information Commissioner and what to do if she investigates

Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection.

The course is taking place on the following dates:

  • Edinburgh      Friday, 2nd November 2018
  • London           Friday, 23rd November 2018
  • Manchester    Friday, 30th November 2018

For further information and to make a booking,

  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
 

Data Security

Phil Tompkins
Ward Hadaway

Data protection law requires that personal information be held and used securely. The law also requires that relevant security arrangements be put in place for all outsourcing arrangements. News headlines consistently show that organisations are not doing enough to ensure the security of people's personal information, both within the organisation and externally. It is not always obvious what measures should be taken by organisations to comply with the legal obligations.

This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, examines the law as it relates to data security and the practical steps that organisations need to take to ensure compliance with their obligations. It concentrates on how to avoid a data security breach, as well as what can be done to mitigate the effects of a breach that does occur. It also considers the steps that must be taken when an organisation outsources operations, such as payroll, website hosting, digitisation of records, debt collection and waste management. The session considers lessons that must be learned from the fines that have been imposed by regulators.

This session can be used as a credit towards the Practitioner Certificate in Data Protection (GDPR).


The next dates for this training session are:

  • Edinburgh      Wednesday, 31st October 2018
  • London           Wednesday, 21st November 2018
  • Manchester    Wednesday, 28th November 2018

For further information and to make a booking: 

  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 

 

Practitioner Certificate in Data Protection (GDPR)

 

Practitioner Certificate in Data Protection - GDPR Conversion Programme

Upcoming intensive training weeks in Edinburgh and Manchester

Ensure you have the knowledge to practically implement the GDPR in your organisation.

The Practitioner Certificate in Data Protection is the practical qualification which can be taken either on an intensive, flexible or distance-learning basis.

 

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the new Regulation."

Joanne Maurizi

MutualOne

 

Find out more >

   

 

 

 

Data Protection: A Practical Guide to UK and EU Law (2018) 


"By far the most practical resource available to help understand the complexities of the GDPR..."

A Practical Guide to UK and EU Law


This book is an invaluable practical resource for organisations in meeting the requirements of the GDPR.


Find out more &
Order your copy here >


 

 



Cybersecurity for Data Protection Professionals 

 

Next training session taking place in Manchester - November 2018

 

Cybersecurity training course

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.  

    

Find out more >

 

 

 

Practitioner Certificate in Data Protection (GDPR)

Practitioner Certificate in Data Protection

 

Qualify as a GDPR Data Protection Practitioner


Flexible training options allow you to train alongside other commitments

More information >  



"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority


"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
IBM


"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust


"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes


"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Investigator
Pearson Education


"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
mutualone


"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

Contact IHRIM

Office open Monday to Friday
9AM to 2PM
