
Category: Data Protection

GDPR free resources

The ICO website contains a raft of free information, advice and guidance on data protection, GDPR and PECR.

For those who prefer a more personal approach our one day courses highlight all the key information in a more enjoyable and interactive way.

UK GDPR and PECR Changes 2022

“The United Kingdom’s Data Protection Regime will be reformed.”
Queen’s Speech – 10 May 2022

UK Data Protection Legislation faces major reforms in the coming months – what are the implications for the UK GDPR and PECR?

Introduction
Many of our courses, including those on data protection, GDPR and PECR, highlight within the “Breaking News” section that post-Brexit changes are on their way. In June, it was reported that over 28 new pieces of legislation would go through the current Parliament until 2022. The Data Protection Reform Bill is one of these changes and it gives the clearest indication to date of Government thinking in respect of data protection, GDPR and PECR.

In a nutshell the key messages are:

  • The Government will take advantage of the benefits of Brexit to create a world class data rights regime that will allow them to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
  • Modernisation of the Information Commissioner’s Office (ICO), making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
  • Increasing industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data.
  • Helping those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.
  • The reforms will create over £1 billion in business savings over ten years by reducing burdens on businesses of all sizes.
  • A 2018 economic analysis by the Department for Digital, Culture, Media and Sport and Ctrl-Shift estimates that the productivity and competition benefits enabled by safe and efficient data flows would create a £27.8 billion uplift in the UK.

Key changes to GDPR and PECR


GDPR


Accountability:

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs) in all networks and offices.
  • Organisations will have to implement a PMP based on the ‘level’ of processing they’re engaged in and the volume and sensitivity of personal data they handle.
  • These requirements will be subject to the same sanctions as under current laws.


Data Protection Officers:

  • The requirement to designate a Data Protection Officer (DPO) will be repealed when these reforms are implemented.
  • There will be a new requirement to appoint a senior individual responsible for data protection. Most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’


Data Protection Impact Assessments: (DPIAs)

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements.’
  • There will no longer be requirements to undertake DPIAs as prescribed by the UK’s GDPR. However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
  • Organisations will be able to continue using their DPIAs (if required) but can tailor them based on the nature of their processing activities.
  • Existing DPIAs will remain a valid way of achieving the new requirements.

Record of Processing Activities:

  • Personal data inventories will be needed as part of an organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.
  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

Reporting of Data Breaches:

  • No changes will be introduced to alter the threshold for reporting a data breach.
  • The Government will work with the Information Commissioner (ICO) to explore the feasibility of clearer guidance for organisations.

Subject Access Requests:

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
  • No re-introduction of a nominal fee for processing access requests.

PECR

Cookies:

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs, or other connected devices, as well as websites.
  • In the future, the Government intends to move to an ‘opt-out’ model of consent for cookies placed by websites. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

Use of ‘soft opt-in’ extended:

  • The ‘soft opt-in’ exemption to consent (for email and SMS marketing) is set to be extended to charities and not-for-profits.

PECR fines to be increased:

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. This would bring fines in line with current fines under the existing regime. Currently the maximum fine under PECR is capped at £500,000.

Political campaigning:

  • The Government plans to consider whether the political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or donating) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

Human oversight of automated decision-making and profiling:

  • The Government notes that during the consultation on the reforms, a vast majority of the respondents opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was also confirmed that this proposal will not be pursued.
  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’. This will form part of an upcoming white paper on AI governance.

Legitimate Interests:

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interest reasons.
  • The Government proposes a new power to be able to update this list subject

Adequacy:

A key concern is whether the Government’s changes to data protection legislation will risk the EU’s adequacy decision for the UK. This allows for the free flow of data from the EU to the UK without the need for additional safeguards. Adequacy is not referenced in the Government response to the consultation.

Response from the ICO:

UK Information Commissioner John Edwards stated that he ‘will support and share his ambitions for implementation of these reforms’. In particular he says, “I am pleased to see the government has taken our concerns about independence on board.” (In recent evidence given to the House of Commons Science and Technology Committee, the independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy.)

What next?

We now have to await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny, so there is still a long way to go before the intended changes come into play. Our training courses will continue to capture the latest breaking news, clarify the growing amount of jargon that builds around both GDPR and PECR, and ensure participants maintain an accurate and up-to-date understanding of data protection.

Annual Data Protection Training

With nearly 10,000 breaches reported to the ICO each year there is no room for complacency. Whilst headline breaches often revolve around cyber security, only 1 of the 2,172 breaches reported to the ICO in quarter 4 of 2021/22 related to a brute force cyber-attack. The vast majority of breaches may have been avoided had management and staff paid more attention to the key principles of data protection, GDPR and PECR. Our one day courses heighten awareness and help keep data protection in everyone’s mind; in doing so they help organisations prevent breaches, fines and the adverse publicity that accompanies them.

Our courses include:

  1. The General Data Protection Regulations (GDPR)
  2. Privacy Impact Assessments
  3. Privacy and Electronic Communications Regulations (PECR)
  4. Information Governance
  5. Cyber Security (details on request)
  6. Online Safety Bill (details on request)

Contact us today for more information

Header image: based on BREXIT by ChralJon, used under CC BY 2.0; the text “GDPR Post” has been added and the top/bottom of the image removed.

GDPR Fines 2022


As at 10 June 2022, 1,087 fines had been issued for breaches of the GDPR. These fines totalled €1,631,665,332, an average of over €150,000 per fine.

Fines can be issued to companies, charities, individuals, in fact anyone who breaches the legislation.

The smallest fine issued so far was for €28, the largest €746,000,000.

Some notable names who have been warned, fined or both include:

  • Marriott International
  • British Airways
  • Facebook
  • Google
  • The Conservative Party
  • Reed online
  • Royal Mail Group
  • The Ministry of Justice
  • Virgin Media
  • The Cabinet Office
  • Unite the Union
  • Saga Services
  • Saga Personal Finance
  • Sports Direct
  • Papa Johns
  • American Express

Fines are also being issued for non payment of data protection fees!

Our courses on GDPR and PECR help you understand the legislation and good practice, and consequently be better able to stay within the law.

7726 equals Spam

7726 = SPAM = £85000 Fine for Tempcover Ltd

If you receive an unsolicited marketing SMS on your phone you can report it by forwarding it to the number 7726. The number is easy to remember: 7726 spells out SPAM on your phone keypad.

12 users reported marketing SMS messages from short term car and van insurer Temp Cover via the 7726 service, and one additional user reported the messages directly to the ICO.

These complaints were investigated by the ICO and Tempcover Ltd was fined £85,000.

Digging deeper into the case, Tempcover believed they had consent because users had confirmed their agreement to Tempcover processing their details in line with Tempcover’s “privacy policy and terms of business”. But the ICO ruled that this was not sufficient, stating that Tempcover

“had failed to provide subscribers with an opportunity to opt-out of direct marketing when first obtaining their details, and essentially made agreement to marketing a condition of service. For this reason, the consent to receive unsolicited direct marketing messages cannot be said to have been ‘freely given’.”

This is a clear example of why regular high quality GDPR training is essential for all businesses. No organisation can afford to get caught out by employees failing to understand or remember the rules.

Concrew Training’s data protection courses start at just £285 for 14 people; at our prices all organisations can afford high quality GDPR and PECR training every year.

GDPR – 3 pivotal thoughts

Data Protection Training £285

For front line staff, getting 3 pivotal areas understood and adhered to can be the difference between GDPR compliance and breach.

  1. Is all filing robust?
  2. When, where and how is information used and shared?
  3. Have all service users actively agreed to this?

Think about the following:

Filing

Is everything that contains a personal name filed under lock and key?

  • staff records
  • service user records
  • customer details
  • supplier details
  • invoices – purchase/sales
  • what about laptops – are they encrypted?

Sharing of data

Do you know the ins and outs of how, when and where you share data?

  • with whom
  • by what method
  • how shared data is stored
  • how long shared data is kept for
  • how shared data is destroyed
  • what about:
    • telephone answer messages
    • online and cashless payment systems
    • data back ups
    • emails
    • any apps the organisation uses
    • any social networks used

Consent

    • have all service users been told about all of the above
    • have they agreed to it

If staff, in all honesty, answer no to any of these questions, you really do need to instigate update training on the latest rules and regulations relating to data protection, GDPR and PECR.

To be fully compliant, every system, procedure, process, project and initiative needs to be assessed to ensure privacy is maintained at every stage. As a bare minimum every member of staff needs to think about the above questions and point out where things may be going wrong.

Our training courses on data protection, GDPR, PECR and Privacy Impact Assessments help.

GDPR & PECR Training 2022


Following the appointment of John Edwards as the new Information Commissioner we are expecting changes in strategy, direction, guidelines, rules and regulations that impact on data protection, the UK-GDPR and the UK-PECR.

We are keeping a close eye on changes and will incorporate them into our data protection related courses as they appear.

Whilst most of the headline news around GDPR/PECR relates to data breaches, analysis of action and fines by the Information Commissioner’s Office (ICO) shows that most breaches are down to human error: poor understanding of data protection laws, poor practice, bad judgement and naivety remain the most common drivers behind breaches.

It is imperative that management and data protection teams keep up to date with all the changes as they occur, embed them in their policies and procedures and cascade them to staff.

Regular update training for all is a low cost way to stay compliant and avoid the huge fines that apply in the event of GDPR/PECR breaches.

Check out our courses here. Prices start at just £285 + VAT for a group of 14.


30000 GDPR breaches

GDPR 2021

Hundreds of Afghan interpreters who worked with UK troops have had their lives, potentially, put at risk because an email was sent without using the BCC option.

A simple, easy-to-make mistake, you may say, but one has to question the quality of the GDPR training in place. Avoiding mistakes like this is essential if breaches of the GDPR are to be avoided.

Unfortunately GDPR breaches are common: over 30,000 have been reported to the ICO and most are down to human errors and easily avoided mistakes.

It is essential that all organisations have robust annual training in place. The consequences and fines make robust training a high value solution.

ICO FINE We Buy Any Car, Sports Direct and Saga


The ICO has announced fines totalling £495,000 to well-known companies that between them sent more than 354 million nuisance messages.

We Buy Any Car was fined £200,000 for sending more than 191 million emails. The firm also sent 3.6 million nuisance texts. Saga Services Ltd and Saga Personal Finance were fined £150,000 and £75,000 respectively for instigating more than 157 million emails between them. Sports Direct has been fined £70,000 for sending 2.5 million emails.

None of the companies had permission from people to send them marketing emails or texts. This is against the law.

Concrew Training’s courses help management and staff understand data protection laws and help keep you safe. Find out more via the links below.

GDPR Training

PECR Training

Impact Assessment Training – Online Practice Sessions

Impact Assessment Training

To meet customer demand for practical hands-on support on how to conduct low burden, high quality impact assessments, we now offer a 3 hour online session to help you carry out a live impact assessment on two of your policies, practices or procedures.

These sessions are not a replacement for training on equality, data protection, the GDPR or PECR, but rather follow-on sessions that complement and dovetail with such training to help ensure implementation is more robust and effective.

Our full courses on the Equality Act, the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) all have built-in audits at the end that enable participants to consider how their specific policies and procedures measure up against expected legal compliance and best practice.

Our follow-on course on Impact Assessments explores why this approach is key to legal compliance and provides guidance on how to develop a low burden, effective approach to impact assessments. These new online sessions take the training a stage further and allow participants, guided by a subject specialist, to impact assess two policies, practices or procedures of their choice.

The Public Sector Equality Duty (PSED) in the Equality Act requires public bodies to pay “due regard” to securing equality of choice and process in policies, practices and procedures. ‘Due regard’ is usually facilitated through Equality Impact Assessments (EIAs).

By analogy, data protection laws have within them a new concept, “Privacy by Design”. Organisations simply have to think harder about privacy. This means adopting a “Risk Based Approach” and, where appropriate, Privacy Impact Assessments (PIAs) must be carried out on policies, practices and procedures, all with a focus on protecting data subject rights.

If you and/or your colleagues have received training on the equality and data protection laws but now need help in carrying out equality or privacy impact assessments we can assist.

Our online practice sessions enable up to 3 representatives from your organisation to carry out live risk assessments on two of your policies, practices or procedures. In doing so they gain the knowledge and confidence to cascade and roll out further.

Whilst the session sets the stage with a brief overview of the latest legal position on equality and data protection laws it is assumed participants are fully conversant with the legislation applying to the policy, practice or procedure being assessed. Notably:

  • The Equality Act
  • General Data Protection Regulation (GDPR) and UK Data Protection Act
  • Privacy and Electronic Communication Regulations (PECR)

The live session focuses on your specifically chosen policies, procedures or practices. We have other courses that provide the necessary background information if required.

The small print

  • Each session costs £695 + VAT and the invoice needs to be paid in advance.
  • Our standard cancellation terms apply.
  • Each session is run live on your video conferencing platform at a mutually convenient time.
  • Each session is prefaced with a 1 hour telephone/video conferencing scoping call with your lead representative.
  • Copies of the chosen policies need to be submitted in confidence in advance of the training.
  • You can choose two policies, practices or procedures on which you need live impact assessment assistance: one for equality and one for privacy, two for equality, or two for privacy.
  • If you have an existing EIA and/or PIA toolkit we will need a copy in advance and will dovetail the training to it. If not, we will provide one.