First Fine under GDPR


The Information Commissioner’s Office (ICO) has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd, has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.

The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. Following a thorough investigation the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.

The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Doorstep Dispensaree has also been issued with an enforcement notice, under Section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:

Training seems to feature heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.

After issuing Notices of Intent to two high profile companies for millions of pounds (British Airways and Marriott) the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that they are not repeating the same mistakes as Doorstep Dispensaree Ltd.

These and other GDPR developments will be discussed in detail in our GDPR update workshop.

European Data Protection Summit Free Places


Act Now is delighted to announce that we will be exhibiting at the PrivSec London conference on the 4th and 5th of February 2020.

This conference will bring together privacy and security professionals from around the globe to address industry issues, challenges and opportunities. It will explore the inextricable link between data privacy and data security, providing attendees with access to first-rate content presented by a line-up of international experts. The five theatres at the event will feature talks on Data Protection, GDPR, privacy, security, governance and risk management.

We have 7 free delegate places to give away (worth £474 each).

If you would like a place, please get in touch using the contact form on our website. We will add your name to the draw which will take place on Tuesday 7th January at 11am. The winners will be announced shortly afterwards on our blog.

Act Now is in full conference mode at present. On 10th December our team were at DIGIT’s 3rd annual Data Protection Summit billed as “Scotland’s largest Data Protection and Privacy event for business”. The programme contextualised the changing Data Protection landscape, considering the business impact of the GDPR and DPA 2018 and how it is shaping policy and process in practice. The conference is run with assistance from the ICO, ScotlandIS and DMA. The conference was a huge success and our GDPR E-LEARNING stole the show. Follow this link to see a short demo.

In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of the General Data Protection Regulation (GDPR), and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

If you are attending any of these conferences, come and say hello (and pick up a freebie!)

Boris, Brexit and GDPR: What next?


Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.

What are the implications for the UK’s data protection regime in the form of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018)? Can we bin them on the 31st January with our red EU passports? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty-one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (now 31st January 2020 unless something, akin to Elvis returning from the moon, happens in the next few weeks!).

With Boris’s deal likely to be approved by Parliament, the implications of the above regulations will not be felt until the end of the transition period (currently 31st December 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so) a revision of GDPR, to be known as the “UK GDPR”, will come into force on 1st January 2021. A brief summary of the key changes follows.

The EU version of GDPR contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.

The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR so that the UK will:

  • Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
  • Give powers to the Secretary of State to determine or revoke adequacy
  • Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
  • Recognise all Binding Corporate Rules authorised before Exit Day
  • Introduce extraterritoriality into the UK data protection regime

Of course from Exit Day, the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transitional period, the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and joins a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021, which means that Data Controllers and Processors have to start putting in additional safeguards now to maintain the free flow of data.

The new regulations also amend the DPA 2018, which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”); for example, where personal data processing is related to immigration, or to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.

More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.

Ibrahim Hasan is presenting a webinar in January on this topic. These and other GDPR developments will be discussed in detail in our GDPR update workshop.

Act Now Launches New E-learning Course


Act Now is pleased to announce the launch of its new e-learning course, GDPR Essentials.

Click on the video below to see a short demo trailer.


The General Data Protection Regulation (GDPR) requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe.

GDPR Essentials contains two modules each followed by a quiz. The modules consist of an animated video, narrated by a professional voiceover artist, and contain questions to test employees’ understanding during the learning process.

The target audience for GDPR Essentials is frontline employees, both in the public and private sector, and those who handle personal data on a day-to-day basis who need a basic knowledge of how to comply with GDPR in their role.

Learning Outcomes

Upon completion of GDPR Essentials employees will:

  • Understand the importance of complying with GDPR and the consequences of not doing so
  • Have a good knowledge of the key provisions of GDPR
  • Understand what they need to do to comply with GDPR
  • Appreciate the importance of good data security
  • Know what they need to do to keep data safe
  • Be aware of the importance of appropriate data privacy and security policies
  • Be able to direct customers and colleagues to appropriate policies
  • Know when to ask managers and the data protection officer for advice

With full admin controls, GDPR Essentials helps you to build a data protection culture in your organisation and develop a workforce that is able to identify, manage and prevent data protection risks.

Clients who have bought our previous GDPR e-learning course include retail companies, healthcare providers, local authorities, charities, schools and colleges. See the full list here.

Get in touch to discuss your online training needs.

Calling all Information Governance Experts: We are Hiring

We Are Hiring

Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.

Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from both the public and private sector. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

We are particularly interested in experienced Cyber Security trainers, as we are facing a lot of demand after launching our Introduction to Cyber Security workshop. The health sector is also a focus area for us in 2020. Our workshops on GDPR and on the role of SIROs and Caldicott Guardians have led to more interest in this area.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in GDPR, FOI or Cyber Security. A full privacy policy can be read on our website.
