Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”, the areas where Member States are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5 size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of the Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural reading of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Myanmar’s (Burma) Rakhine state. They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.

Scottish Information Commissioner’s Annual Report 2016/17

Last month, Margaret Keyse, the Acting Scottish Information Commissioner, published her annual report for 2016/17.  Amongst other laws, Ms Keyse enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

The report reveals that during 2016/17:

  • Public awareness of FOISA remained at its highest ever level, at 85%.
  • The Office of the Scottish Information Commissioner (OSIC) met or exceeded most of its investigation performance targets (10 out of 12).
  • It issued its first ever Enforcement Notices.
  • It carried out 15 level 4 interventions with authorities to address practice concerns.
  • It launched an online appeal service, making it possible for requestors to make appeals online, and receive real-time help and advice, at any time of day.
  • It responded to its 20,000th enquiry since 2005.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four-day course is endorsed by the Centre for FOI, based at Dundee University.

The next course starts in Edinburgh in February 2018. If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations.

GDPR Practitioner Certificate: New Course For Manchester

By popular demand Act Now Training has added an extra course in Manchester for its GDPR Practitioner Certificate.

Autumn 2017 has seen a massive upsurge in bookings for this course leading to every course being fully booked until the end of January 2018. This new Manchester course, starting on 14th November 2017, will give DP practitioners and advisers a chance to complete their training before the end of the year.

Candidate results and feedback so far have been excellent. Our first set of results came out back in May. Since then we have run many courses. Our latest results saw 10 delegates pass, of whom 6 achieved a distinction.

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate. Our course now takes account of the provisions of the Data Protection Bill, which was published a few weeks ago.

As the GDPR implementation date gets closer, more organisations are recruiting Data Protection staff. Now is the time to ensure that you are fully up to date with the new law.

 

More information about our GDPR Practitioner Certificate course, as well as other GDPR offerings, is on our website. If you would like to have this course delivered at your premises, please get in touch.

Image credits: www.paulgroganphotography.com

GDPR Practitioner Certificate: Another Set of Great Results

Act Now Training would like to congratulate the 10 delegates who have successfully completed our intensive one-week course leading to the GDPR Practitioner Certificate.

The course was delivered in London in August 2017. All 10 delegates passed, with 6 achieving a distinction. This is even better than our first set of results back in May.

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The August course delegates represented a diverse range of organisations including councils, universities and government departments from the UK as well as the Isle of Man and the USA (see comment below and at the end of this post). They all enjoyed the course and gave us some very positive feedback about the course and the trainer:

“Thank you very much and this is great news. Close to distinction I was and I am pleased for being the only American in the class. I have a solid foundation on GDPR and look forward to future trainings that will lead to a role as a DPO” Domenic DiLullo, USA

“The course content was comprehensive and the course materials have real continuing value back in day-to-day work. The trainer’s expertise and experience were obvious but he also created a really fun, discursive environment to learn in.” KG, University of London

“I feel well equipped to provide relevant advice and guidance on the GDPR as a result of taking this course. It was well presented with good quality, practical course material and access to a resource lab for articles, webinars and exam practice, all of which proved invaluable.” JD, East Sussex County Council

“Undertaking the Act Now GDPR practitioner course has reinforced my understanding of Data Protection and Privacy. The training provided by the trainer has given me new strategies relating to implementing GDPR and privacy measures, achievable with much more confidence. I can now help my organisation understand, categorise and evidence risks associated with privacy and GDPR in a more practical and robust way.” RS, Boston Council

“The course was excellent and well presented. I found the trainer approachable and entertaining and he helped to make what could be a dry subject come to life. Pre attendance the admin was excellent and everything went ahead without any glitch at all. Act Now have responded to me really quickly and efficiently every time.” SH, Swansea University

Demand for these courses has been phenomenal as have the testimonials. Due to this demand we have now added some further dates! Book early to avoid disappointment. Course starting on 21st November in Manchester!

GDPR: Notification and the future of ICO Charges

By Jon Baines

Data Protection law has, since 1984 in the UK (with the first Data Protection Act), and since 1995 across Europe (with the Data Protection Directive), contained a general obligation on those who process personal data to notify the fact to the relevant supervisory authority (the Information Commissioner’s Office, or “ICO”, in the UK) and pay a fee for doing so. For many organisations it has in effect meant the payment of an annual fee in order to deal with people’s personal data.

Currently, in the UK, under the Data Protection Act 1998 (DPA), data controllers (those organisations who determine the purposes for which and the manner in which personal data are processed) pay either £35 or £500, according to their size (data controllers whose annual turnover is £25.9m or more and who have more than 249 staff must, in general, pay the larger amount). There are various exemptions to the general obligation, for instance for some controllers who are not-for-profit and for those who process personal data only for staff administration (including payroll), or advertising, marketing and public relations (in connection with their own business activity), or for accounts and records.

Failure by a controller to make a notification, unless it has an exemption, is a criminal offence under sections 17 and 21 of the DPA, punishable by a fine. However, only one successful prosecution appears to have been brought by the ICO in the last calendar year – a surprisingly low figure, given that, anecdotally, the author is aware of large numbers of controllers failing to make a notification when they should do so.

The General Data Protection Regulation (GDPR) does away with what has often been seen as a fragmented and burdensome notification requirement, substituting for it, at least in part, an accountability principle, under which relevant organisations (“data controllers”) will have to keep internal records of processing activities. As far back as 1997 the Article 29 Working Party, representing data protection authorities across the EU, recognised that excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities.

And in its impact assessment in 2012, when the GDPR was first proposed, the European Commission explained some of the reasoning behind the removal of the requirement:

“[Notification] imposes costs and cumbersome procedures on business, without delivering any clear corresponding benefit in terms of data protection. All economic stakeholders have confirmed…that the current notification regime is unnecessarily bureaucratic and costly. [Data protection authorities] themselves agree on the need to revise and simplify the current system.”

However, in the UK at least the removal under the GDPR of notification fees would have had a catastrophic effect on the ICO’s existence, because, at the moment, all of the funding for its data protection work comes from fees income – almost £24m last year.

To address this impending shortfall, the government has aimed to provide powers (actually in the form of two pieces of legislation – first the Digital Economy Act and now the recent Data Protection Bill (DP Bill); presumably the former will fall away given the introduction of the latter) to make regulations to create a domestic scheme for data protection fees. The explanatory notes to the Data Protection Bill state that:

“[Clause 132] provides the Secretary of State with a power to make regulations requiring data controllers to pay a charge to the Commissioner. Those regulations may provide for different charges in different cases and for a discounted charge. In setting the charge the Secretary of State will take into account the desirability of offsetting the amount needed to fund the Commissioner’s data protection and privacy and electronic communications regulatory functions. It also provides that the Secretary of State may make regulations requiring a controller to provide information to the Commissioner to help the Commissioner identify the correct charge.”

A clue as to how the charges might be set has now been provided by means of a questionnaire, sent on behalf of the Department for Digital, Culture, Media and Sport (DCMS) to 300 lucky data controllers, seeking their views on what the fee structure might be. There is nothing on the DCMS, or ICO, website about this, so it’s not clear if it takes the form of a consultation, or, more likely, a scoping exercise. But what it appears to be putting forward for consideration is a three-tier scheme, under which data controllers would pay £55, £80 or £1000, based on the size of the data controller and the number of “customer records” it handles.

As drafted, the questionnaire doesn’t propose any exemptions. One assumes that these would follow, but even so, the proposal to levy a fee for data protection on business, at a time when the European legislature has removed it, must raise questions about how business-friendly this particular piece of law-making will be.

Additionally, it is not clear what the sanction for non-compliance, and what the enforcement regime, would be. As indicated above, the current criminal sanction does not appear to have prevented any number of data controllers from avoiding their legal obligations, with apparent impunity. One presumes, though, that enforcement would be left as a function of the ICO, and, given that Commissioner Elizabeth Denham has said on various occasions that her office needs to grow to cope with the demands of GDPR, it is to be supposed that she will aim to be strict on this matter.

There are estimated to be approximately 5.5 million businesses in the UK. If each of those paid only the bottom tier under the suggested fees structure, this could equate to a potential cost to business of about £3bn per annum. Even if only a proportion of businesses actually end up paying (bearing in mind the likely exemptions, and likely avoidance/ignorance of some – just like now), £55 is a 57% increase on the current lower fee, and, added to the administrative costs of actually making a notification, marks a considerable overall burden on UK business and – indeed – other data controllers.

There is no easy answer to the question of how the ICO’s regulatory functions can effectively be funded, and on one view it makes sense to retain a similar arrangement to the existing one, despite the European legislature having determined it is both ineffective and burdensome. However, it would not be a great surprise to see business interests in the UK lobbying against a domestic measure which is in fact more costly for them than the measures of the European Union the UK is planning to leave.

Jon Baines is chair of NADPO (www.nadpo.co.uk) and blogs in a personal capacity.

Many of our GDPR workshops are fully booked. We have added a new course on the Data Protection Bill to our programme. 
