PrivSec London Conference: Act Now Announces Winners of Free Tickets


Act Now is pleased to announce the winners of the 7 free delegate tickets for the PrivSec London Conference taking place on 4th and 5th February 2020. We are exhibiting at this two-day event, which will deliver top-level strategic content, insights, networking and discussion around data protection, privacy and security. In addition to leading content, tickets include refreshments, lunch and access to exclusive post-event content.

And the winners are…

1. Alison Hope of Greenwood Academies Trust
2. Tony Sheppard of GDPR In Schools
3. Rhiannon Platt of Royal Devon & Exeter NHS Foundation Trust
4. Jamie Pickering of The Valuation Office
5. Claire Owen of Cumbria County Council
6. Amanda Godridge of Hampshire County Council
7. Sam Smith of Herefordshire Council

Congratulations to all the winners, who will receive an email explaining how to claim their free ticket. Thank you to all of those who expressed an interest.

Act Now is in full conference mode now. Like last year, we hope to be exhibiting at the ICO Data Protection Practitioner’s Conference in Manchester.

In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of GDPR and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

In May we will be exhibiting at the IRMS Conference in Birmingham. If you are attending any of these conferences, come and say hello on our stand and talk to us about our range of GDPR Update Workshops, E-learning and Certificate Courses (oh, and collect some freebies!).

Posted in Data Protection, Privacy

The New Year Honours Data Breach


The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However, more media attention this year has been on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR), particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers, as well as Holocaust survivors, were also on the list, which was published online at 10.30pm on Friday 26th December. The Cabinet Office said the list was downloadable from its website for around an hour and was taken down in the early hours of Saturday. The vast majority of people on the list had their house numbers, street names and postcodes published with their name.

Such a breach can result in the Information Commissioner’s Office (ICO) issuing a fine of up to 4% of a company’s annual global turnover or £17m, whichever is greater. It comes hot on the heels of the first GDPR fine, issued to a London-based pharmacy. Doorstep Dispensaree Ltd was fined £275,000 for careless storage of the medical data of half a million people. We are also waiting for a final decision on whether, and how much, British Airways and Marriott International will be fined after both were issued with Notices of Intent for millions of pounds.

The Cabinet Office, which (ironically) manages the UK’s cybersecurity, has apologised for the breach and said it is investigating the cause. The ICO is also “making inquiries.” Can the Cabinet Office expect a large fine? Article 83(2) of GDPR requires the ICO, when deciding whether to impose a fine and the amount, to have due regard to various factors including (amongst others):

  • The nature, gravity and duration of the infringement
  • The number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the responsible party to mitigate the damage suffered by data subjects
  • The degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, it was notified of the infringement
  • Any other aggravating or mitigating factor applicable to the circumstances of the case

Whilst this data breach involved over 1000 people, the effect on each will be different. The leak could endanger the lives of some of them, e.g. police and government officials. “A number of those receiving honours are employed in extremely sensitive positions in the police and intelligence agencies,” Richard Walton, the former head of counterterrorism at Scotland Yard, told the Sunday Times.

“The release of the private addresses of these individuals into the public domain will mean that a threat and risk assessment will need to be undertaken resulting in some having new private security measures introduced into their homes,” he added.

The fact that the Cabinet Office took almost immediate action to remedy the situation and reported the data breach to the ICO will count in its favour. It has also said that it is contacting the individuals affected and providing them with guidance if they have security concerns. As long as the Cabinet Office can satisfy the ICO that it had appropriate security measures in place and that staff were aware of their data protection obligations, my personal view is that the ICO will exercise one of its less serious corrective powers under Article 58(2) of GDPR, most probably a warning. Depending on what it discovers during its investigation, it may also issue an Enforcement Notice under Section 149 of the Data Protection Act 2018.

Training and awareness of the staff involved in the data breach will also be one of the areas the ICO will wish to focus on during its investigation. Most of the audits and advisory visits completed recently feature recommendations on this topic (see, for example, the reports into North Bristol NHS Trust and Essex Police). Our new e-learning course, GDPR Essentials, is ideal for training frontline staff.

Even if the ICO decides not to impose a fine, the Cabinet Office (at least in theory) faces the threat of legal action by those affected by the data breach. Articles 79 and 82 of GDPR give them a free-standing right to sue the Cabinet Office in the civil courts for compensation for the material and non-material damage suffered. A recent Court of Appeal decision, as well as S.168 of the DPA, makes it clear that this includes distress. Much depends on the attitude of the affected individuals. Many may just be grateful for the accolade and will not want to sour relations with the Government. Others may put it down to human error and move on.

The Guardian reports that it was alerted to the list by a member of the public. So what of those who managed to download the full list, with the addresses, in the hour or so that it was available? Section 170 of the DPA 2018 makes it a criminal offence to “… after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”

There will be much to learn from the conclusion of the ICO’s investigation into this high-profile data breach. Whatever the outcome, it has certainly highlighted the importance of getting data protection right. Furthermore, GDPR is now being mentioned in the same sentence as Sir Elton John, Ainsley Harriott and Olivia Newton-John. Proof, if it were needed, that data protection is cool!

These and other GDPR developments will be discussed in detail in our GDPR update workshop. Our new e-learning course, GDPR Essentials, will help you train your staff in 30 minutes. Watch the demo here.


Posted in Uncategorized

First Fine under GDPR


The Information Commissioner’s Office (ICO) has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.

The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. Following a thorough investigation, the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.

The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Doorstep Dispensaree has also been issued with an enforcement notice, under Section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:

Training seems to feature heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.

After issuing Notices of Intent to two high-profile companies for millions of pounds (British Airways and Marriott), the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well-known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that they are not repeating the same mistakes as Doorstep Dispensaree Ltd.

These and other GDPR developments will be discussed in detail in our GDPR update workshop.

Posted in Fines, GDPR, Uncategorized

European Data Protection Summit Free Places


Act Now is delighted to announce that we will be exhibiting at the PrivSec London conference on the 4th and 5th of February 2020.

This conference will bring together privacy and security professionals from around the globe to address industry issues, challenges and opportunities. It will explore the inextricable link between data privacy and data security, providing attendees with access to first-rate content presented by a line-up of international experts. The five theatres at the event will feature talks on Data Protection, GDPR, privacy, security, governance and risk management.

We have 7 free delegate places to give away (worth £474 each).

If you would like a place, please get in touch using the contact form on our website. We will add your name to the draw which will take place on Tuesday 7th January at 11am. The winners will be announced shortly afterwards on our blog.

Act Now is in full conference mode at present. On 10th December our team were at DIGIT’s 3rd annual Data Protection Summit, billed as “Scotland’s largest Data Protection and Privacy event for business”. The programme contextualised the changing Data Protection landscape, considering the business impact of the GDPR and DPA 2018 and how it is shaping policy and process in practice. The conference is run with assistance from the ICO, ScotlandIS and DMA. The conference was a huge success and our GDPR e-learning stole the show. Follow this link to see a short demo.

In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of the General Data Protection Regulation (GDPR), and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

If you are attending any of these conferences, come and say hello (and pick up a freebie!).

Posted in Conference, e-learning, GDPR, Uncategorized

Boris, Brexit and GDPR: What next?


Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.

What are the implications for the UK’s data protection regime in the form of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018)? Can we bin them on the 31st January with our red EU passports? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty-one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (now 31st January 2020, unless something akin to Elvis returning from the moon happens in the next few weeks!).

With Boris’s deal likely to be approved by Parliament, the implications of the above regulations will not be felt until the end of the transition period (currently 31st December 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so), a revised version of GDPR, to be known as the “UK GDPR”, will come into force on 1st January 2021. A brief summary of the key changes follows.

The EU version of GDPR contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.

The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR, so that the UK will:

  • Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
  • Give powers to the Secretary of State to determine or revoke adequacy
  • Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
  • Recognise all Binding Corporate Rules authorised before Exit Day
  • Introduce extraterritoriality into the UK data protection regime

Of course, from Exit Day the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transitional period, the lawful transfer of personal data from the EU into the UK without additional safeguards will only be possible if the UK achieves adequacy status and joins a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version in the hope of achieving an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021, which means that Data Controllers and Processors have to start putting additional safeguards in place now to maintain the free flow of data.

The new regulations also amend the DPA 2018, which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”), for example where personal data processing relates to immigration, or to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.

More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.

Ibrahim Hasan is presenting a webinar in January on this topic. These and other GDPR developments will be discussed in detail in our GDPR update workshop.

Posted in Brexit, GDPR, Uncategorized

Act Now Launches New E-learning Course


Act Now is pleased to announce the launch of its new e-learning course, GDPR Essentials.

Click on the video below to see a short demo trailer.


The General Data Protection Regulation (GDPR) requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe.

GDPR Essentials contains two modules each followed by a quiz. The modules consist of an animated video, narrated by a professional voiceover artist, and contain questions to test employees’ understanding during the learning process.

The target audience for GDPR Essentials is frontline employees, both in the public and private sector, and those who handle personal data on a day-to-day basis who need a basic knowledge of how to comply with GDPR in their role.

Learning Outcomes

Upon completion of GDPR Essentials, employees will:

  • Understand the importance of complying with GDPR and the consequences of not doing so
  • Have a good knowledge of the key provisions of GDPR
  • Understand what they need to do to comply with GDPR
  • Appreciate the importance of good data security
  • Know what they need to do to keep data safe
  • Be aware of the importance of appropriate data privacy and security policies
  • Be able to direct customers and colleagues to appropriate policies
  • Know when to ask managers and the data protection officer for advice

With full admin controls, GDPR Essentials helps you to build a data protection culture in your organisation and develop a workforce that is able to identify, manage and prevent data protection risks.

Clients who have bought our previous GDPR e-learning course include retail companies, healthcare providers, local authorities, charities, schools and colleges. See the full list here.

Get in touch to discuss your online training needs.

Posted in e-learning, GDPR, Uncategorized

Calling all Information Governance Experts: We are Hiring


Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.

Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from both the public and private sector. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

We are particularly interested in experienced Cyber Security trainers, as we are facing a lot of demand after launching our Introduction to Cyber Security workshop. The health sector is also a focus area for us in 2020. Our workshops on GDPR and the role of SIROs and Caldicott Guardians have led to more interest in this area.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV, explaining your knowledge and experience of delivering training and consultancy services in GDPR, FOI or Cyber Security. A full privacy policy can be read on our website.


Posted in cyber security, FOI, GDPR, Uncategorized