Act Now Delivers GDPR Training In Dubai

WhatsApp Image 2018-06-28 at 18.57.11(1)

In June 2018 Ibrahim Hasan travelled to Dubai to deliver a GDPR workshop for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.

The General Data Protection Regulation (GDPR will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Our Dubai workshop examined the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors were discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we also discussed how GDPR is a business opportunity rather than a threat.

Questions from the floor included:

  • Application to subsidiaries
  • Practically dealing with the Right to Erasure
  • The overlap of GDPR with human rights
  • The link with local (UAE) laws
  • National security and GDPR
  • E mail disclosures
  • Insurance for GDPR breaches
  • Application to group companies outside the EU

The feedback from the delegates was excellent with many saying that the workshop gave them food for thought. The Act Now mugs and notebooks went down well too!

Dubai being Dubai, of course the hospitality extended by the hotel was par excellence.  At each refreshment break we were served what seemed to be a full meal! Check out the photos below:

Our thanks to the staff at Radisson Blu in Dubai Media City, particularly Amish the manager.

Ibrahim Hasan said:

“I was really pleased to design and deliver this workshop in Dubai. It adds to our growing experience of delivering data protection training abroad. I would like to thank my good friends the Hafiji family for hosting me during my stay and showing me the sights. It was an all round 5 star experience.” ***

Act Now Training is pleased to announce two more GDPR training workshops in Dubai (UAE). We can also deliver customized GDPR courses at clients’ premises.




(*** – M and A, it would have been six stars but you forgot the miniature shower gel!!)

Posted in Uncategorized | Leave a comment

GDPR Handbook: 2nd Edition Launched – Pre Order Now!

Screen Shot 2018-06-28 at 13.47.38

Act Now Training is pleased to announce the launch of the second edition of the GDPR handbook.

We sold over 1500 copies of the 1st Edition which was published in October 2017.

The revised handbook is designed for data protection practitioners and legal advisers who require a single printed resource cross-referencing the GDPR with the supplementary provisions set out in the new Data Protection Act 2018. It contains the full text of the final version of GDPR (as recently corrected by the European Commission) but laid out in a more logical and easy to read manner.

Key Features and Benefits

Under each Article of GDPR we have included:

  • The corresponding GDPR Recitals in a contrasting colour
  • Signposts to any relevant supplementary provisions of the DPA 2018
  • Links to any official guidance issued by the Information Commissioner’s Office explaining the subject matter of the Article
  • Links to any official guidance issued by the EU Article 29 Working party explaining the subject matter of the Article
  • Links to any relevant Act Now blogposts

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, However these are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two.

The Act Now GDPR Handbook places the corresponding Recitals under each Article, thus it allows a more natural and easier reading of the GDPR.


  • Full text of the corrected GDPR
  • A summary of the DPA 2018
  • Part 1 and 2 of the DPA 2018 together with schedules 1-4 (inclusive).


The Act Now GDPR Handbook (2nd Edition) is currently on sale at the special introductory price of only £29.99!  Save 30% from the RRP of £44.99.

Order now, First 1000 copies only! Offer valid until 31st July 2018! Orders will be shipped from July 9th. 


Through sales of the 1st Edition of this handbook we donated £1500 to the DEC Appeal to aid the 500,000 people, mostly Rohingya women and children, who have fled violence in Myanmar’s (Burma) Rakhine state.

For each copy of the 2nd Edition you order, we will donate £1 to Macmillan Cancer Care.


Our London workshop on the Data Protection Act is fully booked. We have places left in other venues. By popular demand, we have added an extra course for our GDPR Practitioner Certificate.

Posted in GDPR, Handbook | Tagged | Leave a comment

The Data Protection Act 2018: A Summary

Screen Shot 2018-05-30 at 11.47.24

The much-publicised Data Protection Act 2018 (DPA 2018) came into force last week (25thMay 2018), alongside the General Data Protection Regulation (GDPR). I recently wrote a blog post explaining the aims of the new Act and busting some of the myths.

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s consent. This part has to be read alongside the GDPR.

Much of the Act is the broadly the same as the Bill when it was introduced to Parliament e.g. children’s consent, automated decisions, Special Category Data etc. Read a summary of the Bill here.


Articles 6(3) and 23(1) of GDPR allow member states to introduce exemptions from various GDPR obligations e.g. transparency and individuals’ rights. All of the familiar exemptions from the old Data Protection Act 1998 (DPA 1998)(see S.29-35and Schedule 7) are set out in Schedules 2 – 4 of the new Act e.g.crime and taxation, legal proceedings, management forecasts, public functions, negotiations etc. There are some new exemptions and others have been changed.

Immigration: Paragraph 4 of Schedule 2 of the Act introduces a new exemption for personal data processed for the purposes of effective immigration control. This removes most of the Data Subjects’ rights (incl. subject access) where they would prejudice such matters. Campaigners have argued that this exemption means thatimmigrants, including the 3 million EU citizens in the EU, (and those affected by the Windrush scandal) will not have access to data and information regarding how the Government decides on their fate, including their potential deportation.  This makes any defence and legal action against unlawful deportation by the Government extremely difficult. Open Rights Group and campaigners for EU citizens’ rights (the3million) are preparing to challenge this exemption in court. (More here.)

References: The DPA 1998 contained an exemption from the right of subject access for confidential references about a Data Subject given by, amongst others, an employer. However no such exemption applied to a request made for the same reference to a prospective employer. Thus employees could still see what their employer had written about them and challenge it.

Paragraph 24 of Schedule 2 of the new Act has undergone a fundamental change since the Bill stage. It now allows confidential references to be kept secret in all circumstances not just in the hands of the employer/giver of the reference. It also gives an exemption from the right to be informed under Article 13 and 14 of GDPR i.e. the need to mention it in a privacy notice.

This new blanket exemption (which now incudes volunteering) takes away important rights of employees and volunteers. It should concern everyone, not just the unions, especially as it was passed without any debate or discussion.

Legal Professional Privilege: Paragraph 19 of Schedule 2 of the Act contains an exemption for personal data that consists of legally privileged information (LPP). It is similar to the one contained in the DPA 1998 but slightly broader in that it also covers personal data which is subject to a duty of confidentially owed by a professional legal adviser not just that information covered by LPP. The latter will apply to a much narrower range of information than the former. This exemption allows lawyers to refuse subject access requests and disregard the duty to inform (Article 13 and 14 of GDPR).

Barristers have warned that the Act could hand ‘big brother powers’ to the Information Commissioner’s Office (ICO) by granting it access to privileged material without client consent and subsequently disclosing it. However Section 132 of the Act (Confidentiality of Information) seems to guard against this. 

Freedom of Information

Part 1 of Schedule 19 of the Act amends the personal data exemption/exception under section 40 of the Freedom of Information Act 2000(FOI) and Regulation 13 of the Environmental Information Regulations 2004 (as well as the equivalent Scottish legislation). These are consequential amendments designed to ensure that the correct provisions of the GDPR and the new Act are referenced instead of the now repealed DPA 1998. They will not fundamentally impact when personal data can, and cannot, be disclosed in response to an FOI or EIR request.

Public Authorities

GDPR mentions public authorities in a number of places e.g. when stipulating who needs to appoint a Data Protection Officer in Article 37. Furthermore the ‘legitimate interests’ condition (Article 6(1)(f)) cannot be relied upon to justify data processing by public authorities in the performance of their public tasks. Section 7 of the Act defines ‘public authority’ as any organisation that is covered by FOI (or its equivalent in Scotland) as well as bodies specified by the Secretary of State. Certain bodies, pursuant to section 7(3), despite being subject to FOI, will not be deemed public authorities for GDPR purposes. Most notably this includes parish councils. Consequently parish councils do not need to appoint a DPO and can rely on the legitimate interests condition without restriction.

Criminal Offences

The Act creates two new criminal offences. Clause 171 makes it an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Data Controller responsible for de-identifying the personal data. Offenders will be liable on summary conviction or on conviction on indictment, to a fine.

Clause 173 makes it an offence for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive. Offenders will be liable on summary conviction to a fine. This is similar to the offence under S.77 of the Freedom of Information Act (FOI).

The offence under section 55 of the DPA 1998 is now to be found in Section 170 of the new Act; obtaining or disclosing personal data without the consent of the Data Controller and procuring a disclosure to another person. It is extended to include retaining personal data after obtaining data it, without the consent of the Data Controller.


Section 165 sets out what individuals can expect if they submit a complaint to the ICO about the way their personal data has been procesed under GDPR.  Clause 166 sets out a mechanism for a complaint to the Tribunal if the ICO fails to address it adequately.The ICO is currently consulting on its Draft Regulatory Action Policy.


Article 82 of GDPR states that any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the Data Controller or Data Processor for the damage suffered. Section 169 of the Act explains that damage includes financial loss and damage not involving financial loss, such as distress. This is in marked contrast to the DPA 1998 which only allowed compensation for distress where it was linked to damage; although the Court of Appeal decision in Vidal-Hall v Google [2015] EWCA Civ 311 allowed claims for distress alone.

Notification and Fees

Under the DPA 1998 most Data Controllers had an obligation to register with the ICO (known as Notification). There is no such requirement in GDPR. However, as predicted on this blog last year, the Government has introduced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 also came into force on 25thMay 2018 and imposes different levels of fees depending the size of the Data Controller. Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.

The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing.) The ICO website has more details to help Data Controllers work out what fee is payable (See also our blog post here.)

Section 137 of the new Act goes further in that it allows regulations to be made which require Data Controllers to pay further charges regardless of whether the Commissioner has provided, or proposes to provide, a service to Controllers.

It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. The Information Commissioner writes in her recent blog:

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

We are running DPA 2018 workshops throughout the UK. If you want a brief summary, Ibrahim is doing a webinar next week.

Our ever popular GDPR Practitioner Certificate has availability in Leeds starting on 9th July. Book now.

Need to train frontline staff quickly? Try our GDPR e learning course . Our next two GDPR Practitioner Certificate courses are fully booked!

Posted in DP ACT 2018, DP Bill, GDPR | Tagged , , | Leave a comment

The New UK Data Protection Regime


A new dawn broke today for the UK’s data protection regime. The Data Protection Act 1998 is no more. The Data Protection Act 2018came into force today, alongside the General Data Protection Regulation (GDPR). We have been hearing about GDPR but what does the new Act do?

The DPA 2018 does not, contrary what many commentators have been writing, incorporate or enshrine GDPR into UK law. GDPR is a Regulation and so directly applicable across the EU. It does not need to be “signed into British law” whilst the UK remains a member of the European Union. Post Brexit it will still be the law (until the Government decides to replace it) due to the provisions of the European Union (Withdrawal) Bill.

So what are the aims of the DPA 2018? The Information Commissioner says in her recent blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) which is also due to take effect in two days’ time. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Chapter 2 of Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s’ consent.

But the new Act does more than this; hence it’s length (339 pages).

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by the Freedom of Information Act 2000 (FOI)). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Part 4 of the Act makes provisions about the processing of personal data by the Intelligence Services. National security is also outside the scope of EU law. The Government has though decided that it is important the Intelligence Services are required to comply with internationally recognised data protection standards as set out in GDPR.

Parts 5 and 6 make provisions about the Information Commissioner and the enforcement of the data protection legislation. She consulted recently on her regulatory action policy ( 

Going back to Chapter 2 of Part 2 of the Act; remember this has to be read alongside the GDPR to make full sense of the latter. In most part this remains the same as the original draft bill. (Read a summary of the Bill here.)

The Information Commissioner says on her blog:

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

 It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. We are of course talking about positive steps, not sending out this pesky GDPR consent e-mails! See our action plan.

We are running DPA 2018 workshopsthroughout the UK. If you want a brief summary, Ibrahim is doing a webinar.

We have just launched our GDPR helpline.

Posted in DP ACT 2018, GDPR | Leave a comment

The blind leading the blind


My brother in law’s a dispensing optician. He’s received GDPR advice recently from a professional body to which he belongs which says a few things. My brother in law is not an expert and this is what he thinks it says.

  1. Because he deals with the Health Service, GDPR has decided he is a public body. As a small business he is not exempt from GDPR. The Government said so.
  2. Public bodies need to appoint a DPO
  3. On his staff he has 3 people and a dog. All they know about GDPR can be written on a single pixel on a broken iPad. He as owner and his accountant (his wife) as financial person cannot act as DPO. That leaves his receptionist aged 18 called Beyoncé. He has no money for another staff member. If he appoints another member of staff he stops being a profitable business and goes out of business. The dog probably knows more than Beyoncé about GDPR.
  4. His professional body suggests that he contacts his nearest optician and acts as their DPO while they act as DPO for him. Commercial and competition interests make this an unappetising prospect let alone the fact that neither DPO will have the foggiest what GDPR means.
  5. He has to delete patient files after 10 years. If a patient dies he has to keep their record for 10 years. At the same time he should not hold any personal information or health records any longer than necessary.
  6. He’s worried that he’ll be non compliant and the massive fines will put him out of business.
  7. Their lawful basis for processing data is either Public Task (whatever that is) or Legitimate interest (same). He doesn’t understand either.
  8. The deadline for doing all this is today! The guidance arrived in the last few days.

What can we do to help him?

Here’s the guidance

ABDO, with the Optical Confederation, communicated to members in December 2017, has been negotiating with Westminster. The organisations requested that optical practices be exempt from appointing a Data Protection Officer (DPO). Unfortunately despite our best efforts this request was unsuccessful and all optical practices, now defined as Public Authorities under the new GDPR, will need to appoint a DPO.

You will find below what practices should consider when reviewing their position on GDPR and the ICO guidance on these points.

Small business owners who do not have existing staff who could potentially be the DPO, who may struggle financially to fulfil their GDPR obligations in employing a DPO, are encouraged to do as much possible to become compliant by reviewing:
• registration with the ICO – new fees apply,
• all records held. Appropriately dispose of those that should no longer be held in line with GOC guidance and ICO guidance,
• privacy and security policies,
• protocols on reporting a breach,
• protocols in responding to a request for information.

Some members of ABDO with one person practices are working with local colleagues to be the DPO for each other, which is reasonable if the individuals have a good knowledge and understanding of GDPR requirements to comply.

Please note that this is guidance and you should visit the ICO website for more detailed information and explanations. There is also an ICO helpline to provide advice for small businesses too.
ICO website: Tel: 0303 123 1113

What’s new and how does this affect optical practices?
All data processing should be lawful, transparent and fair.  The new GDPR law puts in place more requirements for businesses to make uniform processes they will already have in place:
• to prevent a breach (practices should be able to demonstrate all processes and have a DPO to manage GDPR under new law);
• to comply with data requests (you have one month to respond and you cannot charge under the new law);
• and to report a breach (72 hours to report a breach under new law).

You should not hold any personal information or health records any longer than necessary.

You should continue to abide by the GOC standards in this situation and consider the ICO advice that patient records contain personal data and should not be kept longer than necessary:

  • Adult patient records should be retained for 10 years, following the last contact with the patient.
  • In the case of children under 18, who have not been seen since their 18th birthday, you should keep records until their 25th birthday.
  • For deceased patients, records should be kept for 10 years following the last contact with the patient.
What you need to review
Practices need to review processes considering the new rules on:

Individuals Rights

The ICO website has detailed guidance on all rights:

o Right to be informed
o Right of access
o Right to rectification
o Right to erasure
o Right to restrict processing
o Right to data portability
o Right to object

You should continue to practice as you do currently with regards to providing GOS. This includes referring patients to secondary care, sending out reminders, appointments etc.

Communicating information/marketing on relevant products which are specific to your patients, which they currently expect, should remain the same too. Patients should always be given the option to opt out of receiving marketing material as they should be currently.

You should write to patients to inform them of your updated privacy policies, including your lawful basis under the new rules of GDPR.

Individuals have the right to access their record cards. This is known as a subject access request (SAR). Under the new rules you have one month to respond and you can no longer charge a fee for this. You should have a protocol in place for all SAR and make all staff aware of the process. Staff should also be made aware of the new law under GDPR including your practice process if there were a breach.  Examples of SARs, Legitimate interests assessment (LIA), and privacy policy templates are available on the ICO website and the OC will be issuing further supporting materials soon.

Lawful Basis

Optical practices that provide General Ophthalmic Services (GOS) lawful basis is Public Task (You can use the interactive toolkit on the ICO website to confirm your lawful basis) and for all other processing within practices the lawful basis is a Legitimate Interest.  All Practices Privacy notices should be reviewed to include your lawful basis and inform patients of this.

Public task – You can rely on this lawful basis if you need to process personal data:
• ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
• to perform a specific task in the public interest that is set out in law.

It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.

The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.

Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

Legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. See the ICO website for templates.
Data Protection Officers
Due to optical practices falling under the definition of a public authority within GDPR, all practices are required to appoint a DPO.  A DPO cannot be the practice owner or someone that has financial responsibility within the practice. You should contact the ICO helpline if you fall under this category for them to advise you on exactly what you need to do to be compliant. A DPO can be an existing member of staff. You could share a DPO with other companies. There are also external companies that offer DPO services.

ABDO is working with the Optical Confederation on the role and requirements of a DPO in small practices to be accepted by the ICO and will communicate on this separately.  We understand that for some practices that it may not be financially viable to appoint a DPO and if you need further advice, please email contact the ICO direct on the number provided above.

The ICO guidance on a DPO is noted below:

What professional qualities should the DPO have?
The GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.

It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.

So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.

It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.

The DPO’s tasks are:
• to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
• to monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
• to advise on, and to monitor, data processing
• to cooperate with the supervisory authority; and
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

It is important to remember that the DPO’s tasks cover all personal data processing activities.

When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.

The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.

If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.

The GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.

Please also note that there is no ICO recognised qualification/certificate for a DPO. There are companies that offer GDPR training but everything you need to know is on the ICO website.

Summary of Next Steps
You now need to:

  • Review detailed guidance from the ICO
  • Appoint a DPO
  • Update Privacy Policies to include the lawful basis and communicate this to patients
  • Implement protocols to comply with subject access requests (SAR)
  • Carry out a legitimate interest assessment (LIA)
  • Conduct a review of all record cards you hold and destroy those you are no longer required to keep by law
  • Make all staff aware of new practice processes under the new GDPR requirements

The Optical Confederation will be issuing further detailed guidance which we will communicate in due course.  In the meantime if you need further advice please email ABDO Policy Officer Debbie McGill


GDPR for ABDO Members
This guidance applies to ABDO members and their work in practice and with members of the public.

ABDO will be communicating separately with members about protection of members’ data in a letter enclosed in Dispensing Optics.


Act Now has a GDPR Helpline and many webinars to help get small business up to speed! Click on the links to find out more.

Posted in GDPR | Leave a comment

Consent, marketing and those pesky GDPR emails


In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!

Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25thMay). The irony is that by trying to comply with one law companies could be falling foul of another.

It’s a myth, which has been busted by the Information Commissioner, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are an additional five legal bases set out in Article 6:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR does not fundamentally change the position set out in the current Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA.

Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).

Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.

The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Only where existing permissions do not meet GDPR’s higher standards or are poorly documented, will companies need to seek fresh consent, or identify a different lawful basis for processing. (See also the A29WP29 Guidelines on consent and our blog post here.)

But another equally important law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) may also apply. PECR is 15 years old yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the E Privacy Regulation eventually replaces PECR, the fines will be in line with the GDPR i.e. up to 4% of gross annual turnover or EUR 20,000,000 which ever is higher.

PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must get their consent (unless they rely on the so called “soft opt in”, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers i.e. a company e-mail address, even if it belongs to an individual.

The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.

In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers’ had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct? ” advising them to amend any out of date information and update any marketing preferences.

Personal information on marketing databases and mailing lists is of two types. That which has been gathered through regular contact or consent with the individual and that which as been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than they will solve.

The final word to Steve, the deputy Information Commissioner:

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Posted in GDPR, Marketing, PECR | 4 Comments

GDPR and Data Protection Impact Assessments: When and How?


Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.

DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).


Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP) data protection impact assessment guidelinesand the ICO’s DPIA guidance.

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance sates that it requires a Data Controller to do a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to  95):

  • A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purposes.
  • An assessment of the risks to Data Subjects
  • The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and number of methodologies are referenced in the A29WP guidance (Annex 2).

When should a DPIA be conducted?

DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Designapproach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

What about current data processing operations?

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’sadvice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Posted in Data Protection, dpia, DPO, GDPR | Leave a comment