Act Now Training is pleased to announce the launch of its new EU GDPR Handbook (

We sold over 3000 copies of the previous edition of the EU GDPR Handbook. That was back when the UK was still part of the EU and the handbook had to reflect the UK specific provisions as set out in the Data Protection Act 2018

As a result of Brexit, Europe now has two primary sources of data protection law.  

The EU General Data Protection Regulation (EU GDPR) applies primarily to personal data processed in the European Union. Following its exit from the EU, the United Kingdom’s
own version of the GDPR, known as the “UK GDPR”, came into force on 1st January 2021.  

Both versions of GDPR have an extra territorial effect in that personal data processed outside their jurisdiction is still regulated by them, if the processing is related to offering goods or services or to monitoring the behaviour of EU/UK residents (Article 3).   

The official publication of the EU GDPR contains 99 Articles and 173 Recitals. The Recitals further expand on the topics covered in the Articles. However, as the Recitals are placed at the start of the official publication it can be difficult to navigate the legislation.  
Just like the previous version, this EU GDPR Handbook is laid out in a logical and easier to read manner by helpfully placing all the Recitals (in blue) under their corresponding Articles. This saves the reader time and effort in cross-referencing and leads to a more natural reading of the legislation. In addition, under each Article we have included updated signposts to:   

  • Official guidance issued by the Article 29 Working Party (A29WP) and the European Data Protection Board (EDPB) 
  • The UK Information Commissioner’s Office (ICO) guidance  
  • Relevant UK court cases  

Data protection practitioners and legal advisers working for Data Controllers and Processors within the EU as well organisations who are caught by the extra territorial provisions of the EU GDPR will find this handbook of great benefit in their day to day work.  It is the perfect companion to the Act Now UK GDPR Handbook which is proving very popular amongst data protection professionals. 

Like with all our handbooks, Act Now will be donating £1 for each EU GDPR Handbook sold to our chosen charity Woodgate Community Food based in Leicester.

We only have one place left on our Advanced Certificate in GDPR Practice course starting in September and only four places left on our October course. Book now and reserve your place!

First GDPR Fine Issued to a Charity


On 8th July 2021, the Information Commissioner’s Office (ICO) fined the transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
In particular this led to a breach of the Articles 5(l)(f) and 32(1) and (2) of the GDPR. 

The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.  

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. 

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal data, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as Special Category Data as mental and physical health and sexual orientation were exposed. 

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.  

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights. 

Steve Eckersley, Director of Investigations said: 

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse. 

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.” 

Up to April 2021, European Data Protection regulators had issued approximately €292 million worth of fines under GDPR. The greatest number of fines have been issued by Spain (212), Italy (67) and Romania (52) (source).  

Up to last week, the ICO had only issued four GDPR fines. Whilst fines are not the only GDPR enforcement tool, the ICO has faced criticism for lack of GDPR enforcement compared to PECR

The first ICO GDPR fine was issued back in December 2019 to a London-based pharmacy. Doorstep Dispensaree Ltd, was issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. In November 2020, Ticketmaster had to pay a fine of £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. Others ICO fines include British Airways and Marriott which concerned cyber security breaches.  

It remains to be seen if the Mermaids fine is the start of more robust GDPR enforcement action by the ICO. It will certainly be a warning to all Data Controllers, particularly charities, to ensure that they have up to data protection data policies and procedures.  

Act Now Training’s GDPR Essentials e learning course is ideal for frontline staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here. 

We only have two places left on our Advanced Certificate in GDPR Practice course starting in September.  

%d bloggers like this: