The New UK Data Protection Regime


A new dawn broke today for the UK’s data protection regime. The Data Protection Act 1998 is no more. The Data Protection Act 2018came into force today, alongside the General Data Protection Regulation (GDPR). We have been hearing about GDPR but what does the new Act do?

The DPA 2018 does not, contrary what many commentators have been writing, incorporate or enshrine GDPR into UK law. GDPR is a Regulation and so directly applicable across the EU. It does not need to be “signed into British law” whilst the UK remains a member of the European Union. Post Brexit it will still be the law (until the Government decides to replace it) due to the provisions of the European Union (Withdrawal) Bill.

So what are the aims of the DPA 2018? The Information Commissioner says in her recent blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) which is also due to take effect in two days’ time. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Chapter 2 of Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s’ consent.

But the new Act does more than this; hence it’s length (339 pages).

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by the Freedom of Information Act 2000 (FOI)). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Part 4 of the Act makes provisions about the processing of personal data by the Intelligence Services. National security is also outside the scope of EU law. The Government has though decided that it is important the Intelligence Services are required to comply with internationally recognised data protection standards as set out in GDPR.

Parts 5 and 6 make provisions about the Information Commissioner and the enforcement of the data protection legislation. She consulted recently on her regulatory action policy ( 

Going back to Chapter 2 of Part 2 of the Act; remember this has to be read alongside the GDPR to make full sense of the latter. In most part this remains the same as the original draft bill. (Read a summary of the Bill here.)

The Information Commissioner says on her blog:

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

 It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. We are of course talking about positive steps, not sending out this pesky GDPR consent e-mails! See our action plan.

We are running DPA 2018 workshopsthroughout the UK. If you want a brief summary, Ibrahim is doing a webinar.

We have just launched our GDPR helpline.

Posted in DP ACT 2018, GDPR | Leave a comment

The blind leading the blind


My brother in law’s a dispensing optician. He’s received GDPR advice recently from a professional body to which he belongs which says a few things. My brother in law is not an expert and this is what he thinks it says.

  1. Because he deals with the Health Service, GDPR has decided he is a public body. As a small business he is not exempt from GDPR. The Government said so.
  2. Public bodies need to appoint a DPO
  3. On his staff he has 3 people and a dog. All they know about GDPR can be written on a single pixel on a broken iPad. He as owner and his accountant (his wife) as financial person cannot act as DPO. That leaves his receptionist aged 18 called Beyoncé. He has no money for another staff member. If he appoints another member of staff he stops being a profitable business and goes out of business. The dog probably knows more than Beyoncé about GDPR.
  4. His professional body suggests that he contacts his nearest optician and acts as their DPO while they act as DPO for him. Commercial and competition interests make this an unappetising prospect let alone the fact that neither DPO will have the foggiest what GDPR means.
  5. He has to delete patient files after 10 years. If a patient dies he has to keep their record for 10 years. At the same time he should not hold any personal information or health records any longer than necessary.
  6. He’s worried that he’ll be non compliant and the massive fines will put him out of business.
  7. Their lawful basis for processing data is either Public Task (whatever that is) or Legitimate interest (same). He doesn’t understand either.
  8. The deadline for doing all this is today! The guidance arrived in the last few days.

What can we do to help him?

Here’s the guidance

ABDO, with the Optical Confederation, communicated to members in December 2017, has been negotiating with Westminster. The organisations requested that optical practices be exempt from appointing a Data Protection Officer (DPO). Unfortunately despite our best efforts this request was unsuccessful and all optical practices, now defined as Public Authorities under the new GDPR, will need to appoint a DPO.

You will find below what practices should consider when reviewing their position on GDPR and the ICO guidance on these points.

Small business owners who do not have existing staff who could potentially be the DPO, who may struggle financially to fulfil their GDPR obligations in employing a DPO, are encouraged to do as much possible to become compliant by reviewing:
• registration with the ICO – new fees apply,
• all records held. Appropriately dispose of those that should no longer be held in line with GOC guidance and ICO guidance,
• privacy and security policies,
• protocols on reporting a breach,
• protocols in responding to a request for information.

Some members of ABDO with one person practices are working with local colleagues to be the DPO for each other, which is reasonable if the individuals have a good knowledge and understanding of GDPR requirements to comply.

Please note that this is guidance and you should visit the ICO website for more detailed information and explanations. There is also an ICO helpline to provide advice for small businesses too.
ICO website: Tel: 0303 123 1113

What’s new and how does this affect optical practices?
All data processing should be lawful, transparent and fair.  The new GDPR law puts in place more requirements for businesses to make uniform processes they will already have in place:
• to prevent a breach (practices should be able to demonstrate all processes and have a DPO to manage GDPR under new law);
• to comply with data requests (you have one month to respond and you cannot charge under the new law);
• and to report a breach (72 hours to report a breach under new law).

You should not hold any personal information or health records any longer than necessary.

You should continue to abide by the GOC standards in this situation and consider the ICO advice that patient records contain personal data and should not be kept longer than necessary:

  • Adult patient records should be retained for 10 years, following the last contact with the patient.
  • In the case of children under 18, who have not been seen since their 18th birthday, you should keep records until their 25th birthday.
  • For deceased patients, records should be kept for 10 years following the last contact with the patient.
What you need to review
Practices need to review processes considering the new rules on:

Individuals Rights

The ICO website has detailed guidance on all rights:

o Right to be informed
o Right of access
o Right to rectification
o Right to erasure
o Right to restrict processing
o Right to data portability
o Right to object

You should continue to practice as you do currently with regards to providing GOS. This includes referring patients to secondary care, sending out reminders, appointments etc.

Communicating information/marketing on relevant products which are specific to your patients, which they currently expect, should remain the same too. Patients should always be given the option to opt out of receiving marketing material as they should be currently.

You should write to patients to inform them of your updated privacy policies, including your lawful basis under the new rules of GDPR.

Individuals have the right to access their record cards. This is known as a subject access request (SAR). Under the new rules you have one month to respond and you can no longer charge a fee for this. You should have a protocol in place for all SAR and make all staff aware of the process. Staff should also be made aware of the new law under GDPR including your practice process if there were a breach.  Examples of SARs, Legitimate interests assessment (LIA), and privacy policy templates are available on the ICO website and the OC will be issuing further supporting materials soon.

Lawful Basis

Optical practices that provide General Ophthalmic Services (GOS) lawful basis is Public Task (You can use the interactive toolkit on the ICO website to confirm your lawful basis) and for all other processing within practices the lawful basis is a Legitimate Interest.  All Practices Privacy notices should be reviewed to include your lawful basis and inform patients of this.

Public task – You can rely on this lawful basis if you need to process personal data:
• ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
• to perform a specific task in the public interest that is set out in law.

It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.

The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.

Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

Legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required. See the ICO website for templates.
Data Protection Officers
Due to optical practices falling under the definition of a public authority within GDPR, all practices are required to appoint a DPO.  A DPO cannot be the practice owner or someone that has financial responsibility within the practice. You should contact the ICO helpline if you fall under this category for them to advise you on exactly what you need to do to be compliant. A DPO can be an existing member of staff. You could share a DPO with other companies. There are also external companies that offer DPO services.

ABDO is working with the Optical Confederation on the role and requirements of a DPO in small practices to be accepted by the ICO and will communicate on this separately.  We understand that for some practices that it may not be financially viable to appoint a DPO and if you need further advice, please email contact the ICO direct on the number provided above.

The ICO guidance on a DPO is noted below:

What professional qualities should the DPO have?
The GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.

It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.

So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.

It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.

The DPO’s tasks are:
• to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
• to monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
• to advise on, and to monitor, data processing
• to cooperate with the supervisory authority; and
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

It is important to remember that the DPO’s tasks cover all personal data processing activities.

When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.

The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.

If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.

The GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.

Please also note that there is no ICO recognised qualification/certificate for a DPO. There are companies that offer GDPR training but everything you need to know is on the ICO website.

Summary of Next Steps
You now need to:

  • Review detailed guidance from the ICO
  • Appoint a DPO
  • Update Privacy Policies to include the lawful basis and communicate this to patients
  • Implement protocols to comply with subject access requests (SAR)
  • Carry out a legitimate interest assessment (LIA)
  • Conduct a review of all record cards you hold and destroy those you are no longer required to keep by law
  • Make all staff aware of new practice processes under the new GDPR requirements

The Optical Confederation will be issuing further detailed guidance which we will communicate in due course.  In the meantime if you need further advice please email ABDO Policy Officer Debbie McGill


GDPR for ABDO Members
This guidance applies to ABDO members and their work in practice and with members of the public.

ABDO will be communicating separately with members about protection of members’ data in a letter enclosed in Dispensing Optics.


Act Now has a GDPR Helpline and many webinars to help get small business up to speed! Click on the links to find out more.

Posted in GDPR | Leave a comment

Consent, marketing and those pesky GDPR emails


In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!

Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25thMay). The irony is that by trying to comply with one law companies could be falling foul of another.

It’s a myth, which has been busted by the Information Commissioner, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are an additional five legal bases set out in Article 6:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR does not fundamentally change the position set out in the current Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA.

Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).

Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.

The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Only where existing permissions do not meet GDPR’s higher standards or are poorly documented, will companies need to seek fresh consent, or identify a different lawful basis for processing. (See also the A29WP29 Guidelines on consent and our blog post here.)

But another equally important law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) may also apply. PECR is 15 years old yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the E Privacy Regulation eventually replaces PECR, the fines will be in line with the GDPR i.e. up to 4% of gross annual turnover or EUR 20,000,000 which ever is higher.

PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must get their consent (unless they rely on the so called “soft opt in”, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers i.e. a company e-mail address, even if it belongs to an individual.

The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.

In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers’ had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct? ” advising them to amend any out of date information and update any marketing preferences.

Personal information on marketing databases and mailing lists is of two types. That which has been gathered through regular contact or consent with the individual and that which as been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than they will solve.

The final word to Steve, the deputy Information Commissioner:

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Posted in GDPR, Marketing, PECR | 4 Comments

GDPR and Data Protection Impact Assessments: When and How?


Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.

DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).


Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP) data protection impact assessment guidelinesand the ICO’s DPIA guidance.

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance sates that it requires a Data Controller to do a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to  95):

  • A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purposes.
  • An assessment of the risks to Data Subjects
  • The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and number of methodologies are referenced in the A29WP guidance (Annex 2).

When should a DPIA be conducted?

DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Designapproach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

What about current data processing operations?

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’sadvice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Posted in Data Protection, dpia, DPO, GDPR | Leave a comment

Act Now Launches GDPR Helpline

Classic dial phone

Act Now Training is pleased to announce the launch of its GDPR Helpline.

The General Data Protection Regulation (GDPR) is a complicated piece of legislation not helped by the fact that it has to be read alongside the Data Protection Bill (currently making its way through Parliament) as well as other legislation. Internal legal departments are often over stretched and dedicated Data Protection practitioners are hard to recruit. External legal advice in this area is very expensive and there are few experts in this field with real experience of advising the public sector.

The Act Now GDPR helpline is designed to supplement organisations’ internal DP expertise by acting as a friendly advisor/sounding board for discussing GDPR and data protection issues/requests and helping to avoid attracting the attention of the Information Commissioner. Our data protection experts will guide callers through the relevant legal provisions and make recommendations about how to handle difficult data protection situations.

Ibrahim Hasan, a solicitor and director of Act Now Training, who has 20 years experience of advising and training the public sector, manages the GDPR helpline. It builds on the success of our DPA helpline, which ran for many years and counted a number or local authorities and government agencies amongst its subscribers. More details, including terms and conditions, here.

Act now has also re launched its popular FOI/EIR helpline, which guides subscribers through the maze of information access legislation including the Freedom of Information Act and the Environmental Information Regulations.


Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

Posted in Data Protection, GDPR, Helpline | 4 Comments

GDPR: Updating Privacy Notices


Are you caught in a last minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked way in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects as well as the manner and timeframe.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”


Under Article 13 of GDPR, where data is obtained directly from the Data Subject,the following information must be providedat the time the data is obtained:

  • the identity and contact details of the Data Controller and where applicable any representative
  • the contact details of the Data Protection Officerwhere applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
  • the recipients or categories of recipients for the personal data (if any)
  • details of international transfers and their legal basis

In addition the Data Subject must be given the following information necessary to ensure fair and lawful processing:

  • the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
  • the existence of the Data Subjects’ rights e.g. Data Portability andSubject Access, Rectification, Erasure etc.
  • where the processing is based on consent, the fact that consent can be withdrawn at anytime
  • the right to lodge a complaint with the supervisory authority (the ICO)
  • where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
  • details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.


GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request e.g. in the form of a pre recorded message. Other ways of providing the information include leaflets, cartoons, info graphics and flowcharts. The mobile phone company, O2, has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, whichaddresses privacy notices. The ICO GDPR guidecontains useful checklists and their privacy notices codeis worth a read (though it is primarily drafted with the DPA in mind).


Our consultant, Scott Sammons has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London I Essex Council I Halifax Bank I Decoded Legal(law firm)

Age UK (charity) I Act Now Training

The DFE has produced suggested texts  for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine.  As the Information Commissioner  has said, “It’s important that we all understand there is no deadline. 25thMay is not the end. It is the beginning.”

If you need to raise awareness about GDPR, our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificatecourse in London is fully booked. We have 3 places left in Bristol.

Posted in Data Protection, GDPR, Privacy | 4 Comments

GDPR is coming but don’t panic!

GDPR General Data Protection Regulation

The General Data Protection Regulation (GDPR)will come into force in 3 weeks time. 25thMay though is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I‘ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be doing to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  4. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing polices and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and if so who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioners full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!


Posted in Data Protection, EU DP Regulation, GDPR, ICO, Information Security, Privacy, schools, Scotland, Scottish Information Commissioner, Training | 2 Comments