Introducing the New UK GDPR Handbook


Act Now Training is pleased to announce the launch of the new UK GDPR Handbook.

The handbook is designed for data protection practitioners and legal advisers who require a complete guide to the UK Data Protection regime post Brexit.

The UK’s exit from the European Union has resulted in changes to the principal UK Data Protection legislation namely the EU General Data Protection Regulation 2016 (EU GDPR) and the Data Protection Act 2018 (DPA 2018). The revision of the GDPR, pursuant to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, is now known as the ‘UK GDPR’.

The UK GDPR Handbook sets out the full text of the UK GDPR laid out in a clear and easy to read format including tabs for ease of navigation. Tabs have been the most requested feature from user feedback of our popular EU GDPR Handbook.

The Handbook cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. Amendments, insertions and deletions (made by the 2019 regulations and shown in the Keeling Schedule) have been clearly indicated, using a colour coding system, to allow users to easily identify what has been changed. Relevant provisions of the amended DPA 2018 have been included where they contribute to the further understanding of the UK GDPR. Guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted to assist users in interpreting the legislation.

Act Now has sold over 3000 copies of the EU GDPR Handbook. This new publication will be a valuable addition to data protection practitioners’ libraries. Ibrahim Hasan, the editor of the UK GDPR Handbook, said:

“I am really pleased with the publication of the UK GDPR handbook. My team and I have tried to produce a clear and easy to follow publication which will help practitioners navigate their way around this complex legislation.”

SPECIAL PRE ORDER PRICE

The UK GDPR Handbook will soon be on sale at £54.95 plus p&p.

We have a special pre order price of only £44.95 plus p&p until 12th March 2021 for the first 500 copies. Orders will be shipped from 22nd March 2021. Order now here.

Act Now will be donating £1 for each handbook sold to our chosen charity Woodgate Community Food based in Leicester.

Delegates on the Act Now Advanced Certificate in GDPR Practice will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.


The New ICO Data Sharing Code of Practice


The sharing of personal data between organisations has many public and business benefits. However there is much confusion about what the law allows, particularly the General Data Protection Regulation (GDPR).

In December, the Information Commissioner’s Office (ICO) finally published its Data Sharing Code of Practice following a consultation exercise. The code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the GDPR and the Data Protection Act 2018 (DPA 2018). In particular the code:

  • updates and reflects key changes in data protection law since the last data sharing code was published;
  • explains new developments and their impact on data protection;
  • references new areas for organisations to consider; and
  • helps organisations to manage risks in sharing data, which are magnified if the quantity of data is large.

There is a useful section in the code addressing some misconceptions about data sharing and barriers to sharing. It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017 which seeks to promote data sharing across the public sector.

The code contains a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager putting her “at greater risk.”

This is a statutory code of practice under section 121 of the DPA 2018. Under section 127, the Information Commissioner must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.

Elizabeth Denham said the COVID-19 pandemic has brought the need for fair, transparent and secure data sharing into even sharper focus:

“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.

That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”

Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance.

Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources, including:

  • Data sharing myths busted 
  • Data sharing code: the basics for small organisations and businesses
  • Data sharing FAQs for small organisations and businesses
  • Case studies  
  • Data sharing checklists 
  • Data sharing request and decision forms template  
  • Sharing personal data with a law enforcement authority toolkit
  • Guidance on sharing personal data with law enforcement authorities
  • Guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes

Ibrahim Hasan will be presenting a one hour webinar on the new data sharing code. These and other GDPR developments will also be discussed in detail in our online GDPR update workshop.


So we have a Brexit Trade Deal. What now for GDPR and international transfers?


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

International Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved, albeit temporarily. Pages 406 and 407 of the UK-EU Trade and Cooperation Agreement contain provisions entitled “Interim provision for transmission of personal data to the United Kingdom”. These allow the current transitional arrangement to continue, i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our GDPR Essentials e learning course can help you do this in less than 45 minutes.


Seasons Greetings


Act Now Training would like to wish everyone season’s greetings and a happy and healthy 2021.

The office will be closed for the holiday season from Thursday the 24th December. We will be back in the office from the 4th January 2021.

Stay safe and stay well.


Act Now Supports Leicester Food Bank


Act Now is pleased to announce its support for Woodgate Community Food which is a food bank for residents of the Fosse Ward in Leicester. It recently won the Leicestershire Community Champions Award (Community Organisation category). 

According to a report in the Guardian recently, food aid charities have identified the emergence of the UK’s “newly hungry”, a growing cohort of people previously in good jobs and enjoying comfortable incomes who have been forced to use food banks and claim welfare benefits for the first time during the pandemic. 

The Feeding Britain network and Independent Food Aid network (IFAN) said their members were providing food support to a new influx of middle-income families.
Typically with families, cars and often self-employed or business owners, they had been plunged into crisis by Covid-related job losses and gaps in the social security system. 

For the next four months, for each copy of our GDPR Handbook and GDPR Keeling Schedule we sell, we will donate £1 to Woodgate Community Food Bank. One of the founders and committee members is our senior Associate, Lynn Wyeth who said, 

“We are so grateful to Act Now for choosing our foodbank. Increasing poverty and Covid19 has had devastating effects on our communities with many turning to foodbanks to help them get by. Numbers have increased dramatically during the continued Leicester lockdown. We all want to see a society where food banks are not needed but until then our amazing community volunteers will support the most vulnerable in our neighbourhoods with food, toiletries and advice on where to get more help.” 

Act Now is pleased to be playing a small part in tackling the effects of the Covid pandemic. A similar initiative recently saw a substantial donation being made to Refuge to help in their efforts to tackle the increase in domestic violence during the pandemic. 

We can all play a part in alleviating suffering during this crisis. Get involved in a cause and spread the love. Support your local food bank and/or donate to Woodgate Food Bank here. You can also follow them on Facebook and Twitter.


Care Home Records: My BBC Interview


Ibrahim Hasan writes… 

Data Protection law is about protecting peoples’ human rights. When organisations fail to comply, it can have a big impact on peoples’ lives. I was proud to work with the BBC on a recent story which highlights the importance of protecting the personal data of some of the most vulnerable in society. 

Thanks to tenacious journalism by Ben Moore and Tobey Wadey, piles of patient data which were left unsecured in an abandoned care home, more than four years after it was shut down, were finally removed. It included care plans, bank details and photos of injuries as well as information about relatives. The Information Commissioner is now on the case.

You can watch the BBC report, which includes an interview with me here.   

The BBC website feature can be read here


Act Now 2021 Course Programme Now Live


Act Now is pleased to announce the launch of its course programme for the first quarter of 2021. For the moment, until we return to “normality”, all our courses will be delivered in an online learning environment (using Microsoft Teams) and have been redesigned to ensure that they are interactive, engaging and fun.  

Along with favourites such as GDPR and FOI AZ, we have added some new courses to help Data Protection Officers develop their skills and knowledge. The first of these ran in November (“How to be a Data Protection Officer” with Kirsty Squires), and was fully booked. Delegates commented on how much they valued learning from a practicing Data Protection Officer:

“This was exactly the learning that I’ve been looking for pretty much since doing the Practitioner course 3 years ago. You’ve given me a lot of food for thought about how Sureserve Group handles its DPA obligations and, while these might not necessarily lie with me (or at least solely with me) in the future, you’ve helped me create a more structured idea of how we might do things ‘properly’ and also how to put as much ‘right’ as I can at the moment.”

More dates for this course have been added in 2021.

For those wishing to keep up to date with GDPR developments our online GDPR update workshop is a must. Our most popular certificate course, the GDPR Practitioner Certificate, is going from strength to strength. The last ten of these courses have been fully booked and delegates have given us excellent feedback: 

“A highly informative and interactive course which helped to join the dots together and add layers to my understanding of a complex area. I had some reservations as to how it would be possible to achieve an effective course remotely and would it be as engaging as a classroom based alternative. Frank managed all this and more, he was approachable, highly knowledgeable and made sure the participants were understanding the content. I would not hesitate to recommend to colleagues.” SW, Harrogate Borough Council

“Really enjoyed the online course and felt that I received the same knowledge without the need to leave my house!” GB, NHS Ayrshire & Arran

“Excellent course, very informative and well organised, with useful practical exercises that complemented the presentations and helped to cement the learning.” JB, Cambridgeshire County Council

New Advanced Certificate in GDPR Practice 

For those who have completed the GDPR certificate, our Advanced Certificate in GDPR Practice has just been launched. This new course consists of a series of challenging masterclasses in which delegates will analyse and evaluate thought-provoking case studies designed to help them deconstruct and interpret complex GDPR issues. This will help them gain a deeper understanding of the GDPR and further their ability to navigate the legislation and its application.  

The course is set over three days; approximately one masterclass per month and will take a total of 12 weeks to complete. A practical project is required to be submitted at the end of the course. There are only two places left on the first course so please apply early. Click here for more information. 

Cyber Security 

In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices (aka fines). All related to breaches of GDPR’s security requirements as set out in Articles 5 and 32. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. The ICO has also fined Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. This followed a fine for British Airways, also for a cyber breach.
You can read more about the causes of such breaches in our recent blog post.
Our new Introduction to Cyber Security Management will introduce you to the main concepts of cyber security, the benefits of good cyber security management and how risk management is used as a means of determining priorities for action. 

Surveillance 

The Coronavirus pandemic has seen an increased focus on surveillance especially by public authorities. Whether you are worried about employee surveillance or the use of drones we have a course for you. Alongside our regular RIPA workshop we have added a course on Surveillance Cameras, Drones and the Law. Look out for the launch of RIPA Essentials, our new e learning course.  

FOI Certificate 

In July we launched our online FOI Practitioner Certificate. This new course has been designed to mirror our classroom based course that was running successfully throughout the country before the lockdown. It has been really well received with most courses being fully booked.  

“Very useful course – really enjoyed it and didn’t find the online format any barrier at all to learning. The technology enables us to interact with the speaker and other delegates as if we were all meeting in person, and I found having 2 days a week for a fortnight (rather than 1 day a week over a month) helped keep the momentum of the course going and consolidated my learning.” AH, Invicta Law

In 2021 we will be delivering an improved version of the FOI certificate with even more case studies and exercises.   

In House Training 

Finally don’t forget that all our courses can be delivered on an In-house basis and customised to meet the training needs of your staff. We have delivered such training to a number of councils, NHS Trusts, a regulator and even a foreign government. Feel free to get in touch to discuss your in house training needs.


Act Now Launches New RIPA E Learning Course


The Investigatory Powers Commissioner’s Office (IPCO), like its predecessor the Office of the Surveillance Commissioner (OSC), undertakes inspections of public authorities to ensure their compliance with Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA).
A common feature of an IPCO report into a council is the highlighting of the lack of regular refresher training for those who undertake covert surveillance, including when using social media.  

The coronavirus pandemic as well as decreasing council budgets means that training staff is difficult to say the least. Social distancing and home working make face to face training impossible and live online training may not always be cost effective for those who need a quick refresher.  

Act Now Training is pleased to announce the launch of RIPA Essentials. This is a new e learning course, consisting of an animated video followed by an online quiz, designed to update local authority employees’ knowledge of Part 2 of RIPA which covers Directed Surveillance, Intrusive Surveillance and CHIS. Designed by our RIPA experts, Ibrahim Hasan and Steve Morris, it uses simple clear language and animation to make the complex simple. 

In just 30 minutes your employees can learn about the main provisions of Part 2 of RIPA including the different types of covert surveillance, the serious crime test and the authorisation process. It also covers how RIPA applies to social media monitoring and how to handle the product of surveillance having regard to data protection. All this at a time and in a place of your employees’ choosing. (See the full contents here.)

Steve Morris said: 

“Ibrahim and I have over 40 years of experience in training and advising local authorities on covert surveillance and RIPA. We have used this experience, as well as the latest guidance from the Home Office and IPCO, to produce an online training course which is engaging, interactive and fun.” 

With full admin controls, RIPA Essentials will help you to build a RIPA compliance culture in your organisation and develop a workforce that is able to identify and address privacy risks when conducting surveillance. The course is specifically designed for local authority investigators including trading standards officers, environmental health officers, licensing officers, auditors and legal advisers.  

You can watch a demo of RIPA Essentials here. Prices start from as little as £69 plus vat per user. For a bespoke quote please get in touch.

RIPA Essentials follows the successful launch of GDPR Essentials which has been used by our clients to train thousands of staff in the public and private sector.


Act Now Launches New Advanced Certificate in GDPR Practice


Act Now Training is pleased to announce the launch of the Advanced Certificate in GDPR Practice. It comes following 12 months of development and as a result of the success of our GDPR Practitioner Certificate which, over the last few years, has cemented its position as the gold standard for data protection qualifications.  

Our courses are practical and jargon free. We focus on teaching the skills and knowledge to help delegates do their job every day. Our aim is to help delegates become the most complete DPO for the ever-changing privacy landscape.  

“The training provided practical guidance with useful examples to help inform my application of GDPR in the workplace. The focus was on how to use it rather than learning all the legal minutiae, and from the first session I was able to go away and use what I’d learnt in my Information Governance role.” EG, Hampshire CC

“A highly informative and interactive course which helped to join the dots together and add layers to my understanding of a complex area. I had some reservations as to how it would be possible to achieve an effective course remotely and would it be as engaging as a classroom-based alternative. Frank managed all this and more, he was approachable, highly knowledgeable and made sure the participants were understanding the content. I would not hesitate to recommend to colleagues.” SW, Harrogate BC

Having trained over 1500 data protection professionals on our GDPR Practitioner Certificate, we have now answered their call for a more advanced GDPR qualification to help them enhance their skills and knowledge. 

The new Advanced Certificate in GDPR Practice consists of a series of challenging masterclasses in which delegates will analyse and evaluate thought-provoking case studies designed to help them deconstruct and interpret complex GDPR issues. This will help them gain a deeper understanding of the GDPR and further their ability to navigate the legislation and its application. 

The course is set over three days; approximately one masterclass per month and will take a total of 12 weeks to complete. Delegates should expect to do at least five hours of self-study prior to each masterclass. A practical project will be required to be submitted at the end of the course.  

This course has been designed and will be delivered by our senior associate, Susan Wolf, and our director, Ibrahim Hasan. Susan has over ten years’ experience teaching practitioners on the LLM Information Rights Law at Practice at Northumbria University. She has also designed our very popular FOI Practitioner Certificate course. Ibrahim has been designing and delivering practical data protection courses for over 20 years. 

Ibrahim said: 

“I am really looking forward to teaching this course. I hope to challenge, inspire and provoke delegates into thinking about advanced GDPR concepts and their application.
It will be hard work for the delegates (and the tutor) but worth it! 

These together with a series of practical tasks is sure to enthuse and excite delegates on their way to advancing their skills.” 

This advanced course is exclusively available to those who have completed the Act Now GDPR Practitioner Certificate as it builds on the knowledge and skills developed in that course. There is an application process for places which are limited to 8 per course.

The course has a special introductory price of £2,150 plus vat, which is £500 off the RRP. Application forms are available on our website. If you wish to discuss your suitability for this course before applying, please get in touch and we will be happy to help. 


Ticketmaster Fined £1.25m Over Cyber Attack


GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe including 1.5 million in the UK.

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.
