GDPR and Employee Data: H&M Fined 35 Million Euros


On 2nd October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DP Commissioner) imposed a 35.3 million Euros fine on H&M Hennes &Mauritz for serious breaches of the General Data Protection Regulation (GDPR) at its service centre in Nuremberg. Specifically the breaches related to the covert and extensive monitoring of the personal information of several hundred employees. 

The Hamburg DP Commissioner is one of the 16 state Data Protection Commissioners in Germany. Details of the infringement and the fine were posted on the European Data Protection Board’s news feed

The Facts

H&M had been collecting and recording extensive information about the private lives of its employees since at least 2014.  The information was collected by supervisor during “Welcome Back Talks” which took place with employees after absences due to holidays or sickness; even after relatively short absences. Notes of the meetings were stored on a network drive. These included details of the employee’s vacation experiences, or details of their symptoms of illness and diagnosis if they had been taking sick leave. In some cases, supervisors had even obtained and recorded broader information about employees’ private lives such as details of family issues and religious beliefs. Some of the information that was recorded was highly detailed and recorded over extensive periods of time documenting the development of issues.

The information was digitally stored and partly readable by up to fifty other managers throughout the company. The company used this information to meticulously evaluate individual work performance and to obtain a detailed profile of employees for measures and decisions regarding their employment.

Employees were unaware that all this was happening until the data became accessible company-wide for several hours in October 2019 due to a configuration error.

The Hamburg Data Protection Commissioner became aware of this from press reports.
His first action was to order the company to” freeze” the network drive and then hand it over. The company submitted a data record of around 60 gigabytes for evaluation. Evidence from numerous witnesses confirmed the practice of collecting and recording this data. 

The Breaches and the Fine

The details of this case are quite shocking both in terms of the volume and type of information that was collected and recorded; the way in which it was done covertly; and the fact that the company used the information to evaluate its employees. The collection and recording of such ‘private information’ for monitoring purposes certainly breached the first three data protection principles in GDPR Article 5. The employees were not aware this was happening; so this was clearly neither fair nor transparent and they were therefore unable to exercise any rights in respect of this data. It is difficult to see what legal basis the company could have used to collect much of this information under both Articles 6 and 9 (the latter for the Special Category Data that was involved). The company collected far more information than was necessary and for much longer than necessary. It also appears that the company was conducting profiling of employees without employees knowledge, thus preventing them from exercising their rights under GDPR Article 22. There was no lawful basis for sharing very privet personal information with over 50 managers. In addition the activities of the company almost certainly breached the employee’s rights under Article 8 of the European Convention of Human Rights.
As the Hamburg Commissioner stated, this was a case of a serious disregard for the rights of the company’s employees.

What steps does H&M have to take now?

Based on the information reported by the European Data Protection Board it appears that the company has put forward a comprehensive plan of how it will take corrective action. The steps include the appointment of a “data protection coordinator” (It is unclear whether this is to be a Data Protection Officer); monthly data protection status updates and more protection for whistle-blowers. This seems to suggest the plan has come from the company rather than the Commissioner and it is not clear whether the Commissioner has used his regulatory powers to enforce this. In the UK the Information Commissioner could enforce these corrective actions by serving an Enforcement Notice under S.149 Data Protection Act 2018.

In addition the company has agreed to pay the employees “considerable compensation” as well as apologising. GDPR Article 82 provides that data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR “shall have the right” to receive compensation from the Data Controller in respect of the damage suffered. According to the EDPB news post this is “an unprecedented acknowledgement of corporate responsibility following a data protection incident”. Whether or not it is unprecedented, it certainly is pragmatic given that the company avoids any protracted legal actions and the further adverse media attention that litigation would inevitably attract.  

Readers may be interested in our blogs on GDPR and Employee Surveillance. These and other GDPR developments will be discussed in detail by Ibrahim Hasan in our forthcoming online GDPR update workshop. Why not use the time working from home to achieve a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the courses following.

Posted in Uncategorized | Leave a comment

The British Airways Data Breach Fine


The ICO has finally issued a fine to British Airways (BA) for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.  

£20 million is a lot of money, even for British Airways, and especially in a global pandemic which has seen all airlines struggle financially. However it is a far cry from the original Notice of Intent, issued in issued in July 2018, for the sum of £183 Million.
But then again the smaller fine is no big surprise either.  

On 31st July, IAG (British Airways parent company) issued its Interim Management Report which states: 

The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018.
The process is ongoing and no final penalty notice has been issued“. 

The Cyber Attack 

The BA fine followed a cyber-attack during 2018, which remained undetected for more than two months. The attack involved diverting cardholder data from British Airways official website to one set up by the attacker.  

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed. 

Failure to Prevent the Attack 

According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include: 

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role 
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; 
  • protecting employee and third party accounts with multi-factor authentication. 

Additional mitigating measures BA could have used are listed in the penalty notice.
None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA. (You can read more about the causes of cyber security breaches in our recent blog post.) 

It may well be that British Airways launches an appeal in which case its reasoning and  actions when issuing fines under GDPR will be the subject of judicial scrutiny.
This will help GDPR Practitioners faced with similar ICO investigations.  

It will also be interesting to see what happens to the other outstanding Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Interesting times ahead. 

We have some places available on our Cyber Security for DPOs workshop in November. This and other GDPR developments will be covered in our new  online GDPR update workshop. 

Posted in Uncategorized | 1 Comment

Cyber Security and GDPR Compliance


Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data ”against accidental loss, destruction or damage, using appropriate technical or organisational measures” as stipulated in the sixth data protection principle in Article 5. As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk  including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including article 24 and article 25, demand similar requirements. As threats to complying with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding  of this topic to most effectively discharge their responsibilities and ensure compliance. 

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more. 

Cyber security touches the very heart of how we live work and play within the fourth industrial revolution as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred.
Government engagement around the world is increasingly conducted via digital services and individuals can barely avoid interacting with online services on a daily basis. 

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), yet every organisation should scope and detail its own meaningful definition of cyber security. High level definitions can be utilised if required to achieve this from respected organisations such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST)

However, it’s a myth to think cyber security is a standard or a framework of itself and that only technology is involved. People utilise technology and digital services by means of a process or procedure. Therefore, effective cyber security comprises people, process and technology and many breaches could have been avoided given changes to either of these three areas. The remainder of this blog introduces cyber security under each of these headings.


It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.

Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level as staff develop their own sense of how to best protect the organisation and personal data. Culture change isn’t an overnight occurrence.
Focused effort and dedicated resources are required but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input.
Small group sessions, organisation wide campaigns and open communication forums are some of the many approaches to transform cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by  the European Union Agency for Cyber Security (ENISA).

It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.


Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. It so happened the breach could have been avoided if either processes, staff action or if different technology had otherwise been deployed. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here)

Start by reviewing your organisation’s cyber and/or information security policies if they exist. Consider when the last updates were made and read the documents several times, making notes on their suitability or any glaring gaps. Check if any standards or frameworks are in use such as the ISO 27000 Information Security Family or the NIST Cyber Security Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.

At the very least, view the NCSC Risk management guidance which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessment (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.


The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet mediums through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a  Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.

Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been accompanied by a suite of new security applications many of which are connected to cloud-based detection engines which rely on Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established prior to investing in new protective technologies – benefits of the expected decrease in risk need to ideally be measurable and potential loss ought to supersede or equal expenditure. 

A great way to bring an organisations’ technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines 5 control themes – firewalls, secure configuration, user configuration, malware protection and patch management. Organisations can become certified to Cyber Essentials in two ways – self-certification and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certified body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered simultaneously.
A cyber security risk methodology should always form the heart of any cyber security defence strategy as part of overall business risk management. Those responsible for cyber security should also ensure they keep themselves updated as the security landscape has been changing rapidly, both in terms of malicious or accidental attacks and defences. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places left. Our GDPR Essentials E learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.

Posted in cyber security, Uncategorized | Tagged | 1 Comment

Act Now Associate Appointed to Judicial Position


Act Now Training would like to congratulate Susan Wolf our senior associate, who has been appointed as a Fee Paid Member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction). 

We are delighted that Susan will continue in her current position at Act Now Training delivering our full range of online and classroom-based workshops. Susan also writes for our information law blog and has developed our very popular FOI Practitioner Certificate

Prior to joining us, Susan taught information rights practitioners on the LLM in Information Rights Law at at Northumbria University. She has also taught and presented workshops on FOI, EIR and access to EU information in Germany, the Czech Republic and throughout the UK. 

Commenting on Susan’s appointment Ibrahim Hasan Director of Act Now Training, said: 

“I am delighted that Susan’s expertise as an information rights lawyer has been recognised through this judicial appointment. I am sure that she will use her fantastic skills and experience to the benefit her new role.”

Posted in Information Rights, Tribunal | Tagged , , | Leave a comment

The Scottish Information Commissioner’s Annual (FOISA) Report 2020


The Scottish Information Commissioner, Daren Fitzhenry, recently published his Annual Report and Accounts for the year 2019-20. It is available to read and download from the Commissioner’s website. Mr Fitzhenry enforces the Freedom of Information (Scotland) Act 2002  (FOISA) as well as the Environmental Information (Scotland) Regulations 2004.  

In publishing, the Commissioner Daren Fitzhenry said: 

“I am publishing my Annual Report at a time dominated by the Covid-19 pandemic.
While freedom of information in Scotland has certainly not been immune from the impact of the pandemic, the importance of the right to information is one clear constant. 

“Inevitably we all have questions about the decisions being made by our governments and public services. Never more so than at a time when those decisions, sadly, may mean the difference between life and death.  

“This is why it is so vital that Scotland’s law ensures everyone has a right to seek information from public authorities and – with only very few, limited exceptions – to receive it.”

Key statistics from the report include:

  • 79,300 FOI requests were made to Scottish public bodies during the year. 12.6% of these were for environmental information (an increase from 10.3% in 2018-19)
  • 76% of requests to Scottish public authorities resulted in full or partial disclosure of information to the requester (an increase from 75% in 2018-19)
  • 251 interventions regarding authority practice improvements were carried out by the Commissioner (compared to 252 in 2018-19 and 234 in 2017-18)
  • There were 494 appeals made to the Commissioner (0.6% of total requests made to Scottish public bodies). 75% of appeals were made by members of the public. 
  • On average, cases appealed to the Commissioner were closed within 3.4 months
  • 23% of valid appeals to the Commissioner related to an authority’s failure to respond
  • 67% of the Commissioner’s decisions found wholly or partially in favour of the requester (an increase from 65% in 2018-19)

Please note that this annual report covers the period 1 April 2019 – 31 March 2020.
The Commissioner will publish an initial insights briefing specifically examining the impact of the Covid-19 on FOI in Scotland later in 2020.

Our most popular FOISA course will take place online in November. Click here for details.

Posted in FOISA, Scotland, Uncategorized | Tagged , | Leave a comment

Data Protection Challenges of Remote Working


In March 2020, businesses found themselves having to quickly adapt to managing a remote workforce. The IT department felt the pressure to create the infrastructure to enable this and information security teams looked for ways to effectively monitor the network in the new world. Remote working brings with it a number of data protection and privacy challenges.  

Challenge One – People

The number one cause for personal data breaches is people. It only takes a momentary lack of concentration for a senior manager to send the salaries and sickness leave details of their entire team to external clients by email or a very busy CEO to leave their laptop on a train. 

There will always be an element of risk to handling personal data, but the acknowledgement of this with mitigation and management can drastically reduce the risk of a large-scale reportable data breach. 

Understanding the following can all assist with the risk management strategy of an organisation:

  • How the workforce usually operate in the office versus how people may have to setup their working environment at home
  • How their emotions and mental health may be affected during these difficult times and how this could impact their working 
  • What employees need to retain some form of ‘normality’ for their remote working

Challenge Two – Technology

Many employees now work on laptops and some office workers are used to the occasional day working – from home. When this becomes a full-time arrangement for a large number of staff all at once, the technology supplied to employees is put to the test to withstand the almost instantaneous move to remote working.


Managing data appropriately and knowing what data is where, makes governance of risk far easier for those working in the field of cyber security as it is often only once something goes wrong that the unknown ways of working come to light!

Whilst working at home, it is far more tempting for employees to use personal devices, removable storage devices or their own personal drives to access data when easy access to what they need is restricted. Remote access to commonly used applications for the workforce, allows for data to be retained in applications already approved by the organisation for visibility and reduces the risk of additional copies of data being generated or used inappropriately by staff. 

Video Conferencing

Lockdown led a number of individuals to download video conferencing applications to keep in touch with family and friends. For some businesses, the use of video conferencing was not an option prior to March, but now most meetings occur across Teams, Skype or Zoom. The use of video conferencing brings with it many additional risks for a business and the security team must be satisfied that the exchanges within the application are protected by the required company standard. 

The press has reported on several cases of “Zoom Bombing” whereby third parties invade organised meetings and cause disruption. The unwelcome guests have been reported to have shared distressing images or displayed inappropriate language to all attendees, some of which have led to police investigations.


Email traffic over the past twelve weeks has inevitably risen for all businesses as workers seek to connect with their colleagues. The amount of data being generated and shared has understandably increased and organisations need to consider this risk over the coming months as business approaches adapt to the new normal. 

Inboxes tend to be the hardest data records to effectively manage. Ultimately the user needs to take ownership of the issue. Phishing emails are also one of the most common methods a hacker uses to hack a system and therefore it is imperative users know what to look out for and how to report potential threats. 

Awareness campaigns and an active push from managers for their staff to review their inboxes and ‘purge’ what they no longer need are good ideas.

Challenge Three – Paper

Some organisations still rely heavily on paper printouts to run their operations.
With individuals now working from home, there needs to be a greater awareness amongst staff around how to appropriately handle paper records and most importantly, how to securely destroy them. 

Where employees need to printout records, they should be advised how to manage these at home whilst the phase return to offices continues.

Challenge Four – Data Sharing

Without the option of walking over to someone’s desk to ask a question, people are using email and other communications platforms to deal with queries and share documents. 

Data sharing can test the principle of data minimisation as human nature often leads people to share far more than is required for the purpose. Engaging with employees and reminding them of how they must take the time to anonymise data where possible, or remove the excess columns from a spreadsheet before sending it, could prove useful in combatting the problem.  

A recent example of where email communications can go horribly wrong, is that of the disclosure of abuse survival victims details whereby the sender of the monthly newsletter failed to anonymise the data of the victims before pressing send.  

One way to manage and control the sharing within an organisation is to ensure the data protection policy has clear guidelines around company approved data sharing platforms. The key to keeping data sharing under control is to make the preferred method easy! If too much effort is required with granting external access to a sharing portal, uploading documents with passwords and then having to send links, people will stray and resort to the easier method of email attachments. 

Handy Tips

So as staff begin to return to work, here are some more practical tips to protect personal data:

  1. Engage with staff to gain an understanding of how their ways of working have changed and what difficulties they are facing with data management.
  2. Ensure that the company policies around remote working, data protection and information security are up-to-date and accessible to all.
  3. Offer a remote IT helpdesk service for employees who are having difficulties operating their hardware or software from home to prevent them using their own devices to work on.
  4. Ensure staff are installing software updates onto their work devices.
  5. Raise awareness of phishing emails and remind staff how to report them safely.
  6. Secure cloud storage solutions should be in place and staff should know how to use them. 
  7. Communicate the data breach or incident management procedure to staff.
  8. Account for any additional processing that has been required to take place over the past few months in the Record of Processing Activities.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. 

Our GDPR Essentials E learning course is designed to teach frontline staff essential GDPR knowledge in an engaging, fun and interactive way. In just over 30 minutes staff will learn about the key provisions of GDPR and how to keep personal data safe.

Posted in coronavirus, COVID-19, Remote Working, Uncategorized | Tagged , , | 1 Comment

Ibrahim Hasan on the BBC


The last week has been really busy day for our managing director and data protection expert, Ibrahim Hasan, with a frenzy of media interviews. Well not quite a “frenzy” but three is a start!

Ibrahim was first interviewed on BBC Radio 5 live’s Drive programme by Anna Foster.
He spoke about the rules requiring restaurants and pubs to keep contact details of customers and the GDPR/DPA consequences if things go wrong. He emphasised the important of business owners complying with data protection laws and educating their staff on their responsibilities.

You can listen again here (14.35 onwards). More on customer contact tracing data in our blog.

Later in the day, Ibrahim had his first live television interview which was broadcast on BBC News 24 and BBC News Worldwide. He was asked about the new NHS Contact Tracing App and the privacy implications. He also talked about the consequences of misusing personal data. We are waiting to receive the recording of this interview. In the meantime you can read the feedback on our social media channels (LinkedIn and Twitter). You can also read more about the previous version of the NHS contact Tracing App in our blog.

Finally, on 18th September, Ibrahim appeared on BBC Radio Berkshire to talk about the same issue. This followed a lady who was contacted by a bus driver for a date using her T and T details! 

You can listen here (from 1.26.26):

These and other GDPR developments will be discussed in detail by Ibrahim in our online GDPR update workshop next week.

Posted in Data Protection, GDPR, media, media, NHS APP, Track and Trace | Tagged , , , , , , , | 1 Comment

Brexit, Trade Deals and GDPR: What happens next?


Regardless of whether we have a Brexit trade deal with the EU, GDPR and the Data Protection Act 2018 are here to stay. There will however be some changes to prepare for and a new title for GDPR to get used to. 

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the regulations”) were made last year to amend GDPR and the DPA ready for a post Brexit UK. Until the end of the Brexit transition period (currently 31st December 2020) the GDPR will apply “as is”. On 1st January 2021 the regulations will amend GDPR and retitle it as “UK GDPR”. 

The amendments are essentially a tidying up exercise. The EU version of GDPR, contains many references to EU laws, institutions, currency and powers which will cease to be relevant in the UK after the transition period. The UK GDPR will have these references omitted or replaced with British equivalents where applicable. The functions that are currently assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. There are however more significant issues which will impact many organisations (both Data Controllers and Processors) as the UK leaves the EU data protection regime. 

EU Representative  

Just like the EU GDPR, the UK GDPR will have an extra territorial effect. In addition to applying to organisations established in the UK that process personal data, it will also apply to organisations outside the UK if they offer goods or services to or monitor the behaviour of UK residents. Consequently, some organisations may have to comply concurrently with both versions of GDPR. Article 27 of both versions requires organisations established outside their jurisdiction. This means UK organisations that continue to be subject to the EU GDPR, after 31st December, will need to appoint a representative in the EU and vice versa. A number of companies have sprung up to offer this service. Who to choose will depend on many factors including expertise, type of service offered and language spoken. 

International Transfers 

On 1st January 2021, the UK will become a third country for the purposes of international data transfers under the EU GDPR. This means that the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and join a list of 12 countries. This is proving increasingly unlikely before the deadline. 

The UK GDPR deals with post Brexit international data transfers from the UK by recognising all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision. It also contains a similar mechanism (to the EU GDPR) for data transfers to the US known as the Privacy Shield. This may be problematic given that the European Court of Justice ruled in the  “Schrems II case” that the Privacy Shield was invalid. In its ruling the ECJ was concerned about US authorities’ wide ranging powers to access the personal data of EU residents and the impact on their privacy. The same could be said for UK laws which means that there will also be uncertainty about EU transfers of personal data to the UK. 

The UK GDPR will also recognise current EU Standard Contractual Clauses as valid for international transfers. Use of such clauses, whilst still lawful, will again need careful consideration. The ECJ in Schrems was clear that the responsibility lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case by case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before transferring personal data to that third country. If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case by case basis, whether that mandatory requirement doesn’t go beyond what is necessary in a democratic society to safeguard national security, defence and public security. 

Keeling Schedule 

The Government has produced a  Keeling Schedule document showing the detailed changes that will be made to the GDPR to make it the UK GDPR. You can buy a bound colour copy here. This is a popular supplement to our GDPR Handbook

The regulations also amend the DPA 2018 which must be alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will soon become part of the UK GDPR. 

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes.  

Posted in Brexit, EU, Schrems, Uncategorized | Tagged , , | 2 Comments

The Importance of a DPIA


A Data Protection Impact Assessment (DPIA) helps Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal data. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles.


Failure to conduct a DPIA, or failures in the process, can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. 

A recent Norwegian case saw the data protection authority impose a fine of almost €47,000 on a town council in relation to its digital learning app. The Council communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal data of others in their group. No risk assessment, DPIA or testing was undertaken before the application was rolled out. In May 2020, a company in Finland was fined €16,000 for failing to undertake a DPIA before  processing  the  location data of its employees by tracking vehicles.

Of course there is also the reputation damage of not conducting a DPIA especially when it comes to large scale projects which rely on public confidence to ensure take up and success. The Government has been criticised recently after it admitted that it had failed to complete a DPIA for the Covid19 Track and Trace Programme.

Article 35

Article 35 contains an obligation on Data Controllers to conduct a DPIA before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted. Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP, now the EDPB) data protection impact assessment guidelines and the ICO’s DPIA guidance.

Carrying out a DPIA is not mandatory for every personal data processing operation.
It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA?
The ICO’s DPIA guidance states that it requires a Data Controller to conduct a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant.
Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.


Act Now is using its expertise to help make the task of conducting a DPIA less daunting. We are supporting an exciting new public sector collaboration  to  co-design and develop a Digital DPIA which should make this task much easier. The final product will be available in the Autumn. Watch this space! We are also running a series of online workshops on How to do a DPIA.

Posted in dpia, Uncategorized | Tagged | Leave a comment

In House Training in the Age of a Global Pandemic


The first thing to suffer when there is a pandemic requiring social distancing and remote working is training courses particularly those that are off site. Gone are the days when employees could take time out of the office to sit in a hotel with others to talk about GDPR compliance or the vagaries of the FOI exemptions. With that goes the ability to share ideas, learn from others (may be even complain about the boss!) and have a nice lunch. 

But just because we have lockdown restrictions, does not mean that training must stop. If remote family get togethers and online drinks parties are all a rage why not information governance training? Here at Act Now Training we have developed our training programme so that it can now be delivered both online and in the classroom. Early on during the lockdown we launched our online GDPR Practitioner Certificate of which all seven courses so far have been fully booked. We recently launched the online FOI Practitioner Certificate which is also fully booked. 

Off the back of this success we are now delivering our full portfolio of online courses on an in house basis. They are specifically designed to ensure delegates receive all the fantastic features of our location-based courses but in a live online learning environment customised to the needs of the organisation. The courses are designed to be interactive and challenging, yet fun. To enable this, we use a range of tools including quizzes, case studies and discussion. The feedback from recent online delegates has been very positive: 

The course is very well structured and as Act Now only allow for small groups online, there is opportunity for everyone to ask questions and share knowledge. There is a lot of information to take in, but the speakers examples really brought the subject to life. I was particularly impressed that although it covers the legislation, it is based around understanding how to implement it in practice. I came away feeling much more confident in dealing with the GDPR.” AS, Tunbridge Wells Borough Council. 

ActNow webinars are exceptional and very interactive with latest industry news and information. Their training courses are excellent too and I highly recommend them.” RM, Office for Students. 

Very topical, the trainer picked up on issues which are actually going on now.
The course was very informative, the trainer very knowledgeable and open to answering questions throughout the session.” SK, Kings College.  

Act Now can deliver everything from short briefing sessions to full day workshops as well as certificate courses, using your organisation’s preferred platform be it Zoom, Go To Training or Microsoft Teams.  

We have been providing in house training and consultancy services for many years.
Most local authorities and public sector organisations have engaged us at some point as well as many private sector companies. We pride ourselves on having the most well known experts in the fields of Data Protection, Surveillance Law, Freedom of Information and Information Management. All have many years of experience of training and advice in this area. 

We have trained over 20,000 individuals from different backgrounds. Our strength lies in having a strong client base in all relevant sectors. This means that we are well informed about the most current information management issues in every sector. 

Feel free to get in touch to discuss your online in house training needs. 

Posted in Uncategorized | Leave a comment