GDPR: The Rise of Information Risk?


By Scott Sammons

Risk Management is one of the things that many people claim to know about. Often though, their lack of knowledge is exposed when they end up either focusing on the wrong risks or creating some complicated process that educates no one and leads everyone on a merry dance. And truth be told it can be quite difficult to understand, which may explain why people switch off from it or create complex processes to support the basic principles of managing risk.

However, the future is here and managing risks to information is about to go from a reasonably unknown practice into a full-blown framework and a way to help manage your GDPR compliance. (And selfishly, as someone that has done Information Risk Management for a few years now, I can finally say, “Yippeeee!”).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018. Throughout the GDPR there are references to the capturing and management of data protection risks. Combine that with the need under GDPR to demonstrate compliance, and therefore to demonstrate the management of risks to that compliance, and we are likely to see a quick rise in Information Risk as a discipline / practice / skill.

‘Information risk’ up until today has been a varied discipline. If you were to Google the term, or speak to any recruitment agency, they would say that Information Risk was the domain of ‘Cyber Security’. Currently, outside of the NHS toolkit, the only other country-wide frameworks that make reference to information risk management are ISO 27000 and 27001. But not everyone goes for these, or indeed has a need to, so what we are left with is an information risk management practice that varies greatly in approach and usefulness.

The GDPR doesn’t give you chapter and verse on how to implement it. However, it does, in several areas, reference the need to do it, and as it starts to become embedded we will start to see further standards on what it should look like.

Firstly, and in the most obvious place, is Article 25 ‘Data Protection by Design and Default’. This article outlines the requirements for embedding Data Protection principles into the very core of new designs and ideas for products and services. Article 25(1) outlines that Data Controllers should implement appropriate technical and organisational measures to mitigate the risks posed against the rights and freedoms of the natural person by the processing proposed. Now, in order to determine what is ‘appropriate’ as a control you need to have first determined the likelihood and impact of that particular threat materialising.

Voila! A risk management process is born.

Similarly, Article 35, ‘data protection impact assessment’ (DPIA), talks about a very similar process with regards to risks to Data Protection. In a DPIA, a Data Controller would assess the risks to the rights and freedoms of natural persons posed by the processing in scope and determine, with the DPO where appropriate, what controls should be put in place that are appropriate to the level of risk. This assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Or, in other words, everything that you would expect to see in a risk assessment under current risk assessment practices (especially if you already engage in information risk as a discipline).

Article 32, ‘Security of Processing’, goes a little further and states the below:

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
     (a) the pseudonymisation and encryption of personal data;
     (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
     (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
     (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Here we see the familiar areas of Information Security Risk Management, with some little tweaks to make it relevant for GDPR. But again the principle holds: know what your threats and vulnerabilities are so that you can assess them, and then ensure your technical and organisational measures are appropriate to the level of risk. You can’t effectively know one without the other.

Another key area where risk and risk assessments come into play is Breach Notification in Article 33 (the Authority) and Article 34 (the data subject). In both articles notification is required unless the breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’.

Note, however, that Article 34 swaps this around: the duty to inform the data subject arises where there is a high risk to the rights and freedoms of natural persons.

Other areas that either reference the need to manage risk, or (as above) only become relevant where a risk management process determines it, are:

  • Prior Consultation (article 36)
  • Tasks of the Data Protection Officer (article 39)
  • Derogations for specific situations (international data transfers) (article 49)
  • Tasks of the Supervisory Authority (Article 37)
  • Tasks of the Data Protection Board (Article 70)

As we all know, the GDPR is long and has the potential to become infinitely complicated depending on what processing you are doing, therefore you cannot possibly hope to comply with 100% of it 100% of the time. Find me someone that can and I’ll show you a magician. Therefore you need to ensure that you have a robust and easy to understand risk management process in place to manage your GDPR risks and determine what areas need more focus and what areas are ‘low risk’.

If you’ve not started your GDPR implementation programme yet, one thing that has worked well for me when determining where on earth to begin is to complete a data inventory, which includes why information is being processed, and to do a risk assessment on that inventory. What areas show up as massive gaps in current compliance, let alone GDPR, and what show up as minor tweaks? Once you have a reasonable level of overview you can then start to prioritise and logically see how things fit into place leading up to 2018. You can also see what areas of risk you can carry forward past May 2018, as currently there is no expectation from any of the supervisory authorities that you will be 100% compliant by day 1.
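The data inventory and risk assessment described above, together with the Article 33/34 notification thresholds discussed earlier, can be made concrete in a small risk register. The following is an added example, not code from the original post or from Act Now; the 1 to 5 likelihood and impact scales, the rating bands, the mapping of ‘low’ to ‘unlikely to result in a risk’ and of ‘high’ to ‘high risk’, and the sample inventory are all constructed assumptions, since the GDPR itself prescribes none of them.

```python
"""Added example (not from the original post): a minimal risk register that
scores a data inventory by likelihood x impact, ranks it for prioritisation,
and maps the rating onto the notification duties the post describes.

Assumptions (constructed for this example, not prescribed by the GDPR):
  - likelihood and impact are scored 1..5
  - a score below 6 is 'low', 6..12 'medium', above 12 'high'
  - 'low' stands in for 'unlikely to result in a risk' (no duty to notify)
  - 'high' stands in for 'high risk' (data subjects must also be informed)
"""
from dataclasses import dataclass, field


@dataclass
class ProcessingActivity:
    name: str
    purpose: str     # why the data is processed, as the inventory should record
    likelihood: int  # 1 (rare) .. 5 (almost certain) that a threat materialises
    impact: int      # 1 (negligible) .. 5 (severe) harm to data subjects
    controls: list = field(default_factory=list)  # measures already in place

    def __post_init__(self):
        # Reject scores outside the constructed 1..5 scale.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Map a likelihood x impact score to a rating band (constructed bands)."""
    if score < 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def prioritise(inventory):
    """Order activities highest risk first, to decide where to focus effort."""
    return sorted(inventory, key=lambda a: a.score, reverse=True)


def notification_duties(activity):
    """Translate the rating into the Article 33/34 duties the post describes.

    Article 33: notify the supervisory authority unless the breach is unlikely
    to result in a risk to the rights and freedoms of natural persons.
    Article 34: also inform the data subjects where the risk is high.
    """
    rating = rate(activity.score)
    return {
        "rating": rating,
        "notify_authority": rating != "low",
        "notify_data_subjects": rating == "high",
    }


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_INVENTORY = [
    ProcessingActivity("HR records", "payroll and employment", likelihood=2, impact=2,
                       controls=["access restricted to HR"]),
    ProcessingActivity("Customer database", "order fulfilment", likelihood=3, impact=4,
                       controls=["encryption at rest", "pseudonymised analytics extracts"]),
    ProcessingActivity("Legacy marketing export", "email campaigns", likelihood=4, impact=4,
                       controls=[]),
]


def risk_report(inventory=SAMPLE_INVENTORY):
    """Build the prioritised register as a list of dicts, highest risk first.

    An entry with no documented controls at all is flagged as a 'gap', i.e.
    one of the areas the post says will need more than a minor tweak.
    """
    report = []
    for activity in prioritise(inventory):
        entry = {"name": activity.name, "purpose": activity.purpose, "score": activity.score}
        entry.update(notification_duties(activity))
        entry["gap"] = not activity.controls
        report.append(entry)
    return report


if __name__ == "__main__":
    for row in risk_report():
        print(row)
```

Run as a script it prints the register with the legacy export at the top (score 16, ‘high’, no controls, gap flagged), the customer database next (12, ‘medium’, authority notification only) and HR records last (4, ‘low’, no notification duty). The bands and thresholds are the part an organisation has to decide and document for itself; the point of the structure is that the notification decision falls out of the same scoring used to prioritise the implementation programme.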

Scott Sammons CIPP/E, AMIRMS is an experienced Data Protection & Information Risk practitioner and blogs under the name @privacyminion. He is on the Exam Board for the GDPR Practitioner Certificate.

Read more about the General Data Protection Regulation and attend our full day workshop.


New GDPR Practitioner Certificate Launched!


Act Now Training Limited is pleased to announce the launch of its new GDPR Practitioner Certificate (GDPR.Cert).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018 despite the Brexit vote. Indeed the Government has confirmed that GDPR is going to be part of UK law even after the UK leaves the EU. So say hello to Breach Notification, the Right To Be Forgotten, the joys of Privacy Impact Assessments and, in some cases, the mandatory Data Protection Officer.

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. This is going to be a challenging role. In November, the new Information Commissioner (Elizabeth Denham) said in a speech at the NADPO annual conference:

“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The course tutor is Tim Turner who says:

“GDPR is the biggest change to Data Protection in a generation. I have looked at every aspect of this revised course to equip Data Protection officers with the knowledge they need to tackle GDPR in a practical way.”

Tim will share his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering high quality practical training at an affordable price.

This new course widens the choice of qualifications for DP practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) said:

“We are pleased to be able to launch this new qualification with less than 18 months to go to GDPR implementation. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future Data Protection Officers.”

To learn more please visit our website or download the flyer.


Practitioner Certificate in FOISA: Another Successful Year


Act Now Training is pleased to report that it has completed another successful year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Now in its fourth year the course is the only certificated FOI course specifically designed for Scottish delegates.

Two courses were delivered in 2016 with 22 very strong candidates from a variety of backgrounds including local government, education, health, central government and regulatory sectors. All the delegates passed the course. Of these, 3 achieved a distinction and 14 achieved a merit. The delegate feedback has been extremely positive:

“I really enjoyed the course and thought that Tim Turner really brought the subject to life. He was an excellent tutor and made this subject both interesting and informative with amusing anecdotes throughout. I would certainly go on another course being delivered by Tim Turner and I would recommend him to my peers.” LC, Glasgow Kelvin College

“Tim was an excellent tutor. His knowledge of the subject was vast and impressive. I learned a lot.” JM, Fife Council

“This is the most useful course I have participated in for a long time.” JT, Crofting Commission

Read a previous successful candidate’s observations here.

The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board is Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI).

The most recent course was delivered by Frank Rankin who has many years of experience working in the Scottish public sector. Frank said:

“The Act Now certificate brings together a fantastic cross section of FOISA practitioners from a range of organisations, large and small, across all parts of the public sector. I love sharing ideas and experience with these colleagues, and learning from their campaign stories as well.”

The Act Now Practitioner Certificate in FOISA is now the qualification of choice for FOISA professionals in Scotland. The next course, in February 2017, runs over five weeks and is already filling up. For those who are time poor we also have a one-week intensive option. More details here: http://www.actnow.org.uk/content/113

Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations. Act Now has a full programme of FOISA workshops in Scotland.


Have you stopped speeding your car? Insurance companies and data protection.


I went on a Speed Awareness Course recently. I was not alone: 1,207,570 people did so in 2015, and the numbers for 2016 will certainly be higher. There was a wonderful cross section of the population there, and two trainers as well. It was a good course with plenty of information about reading the road, hazards, speed limit quizzes and video.

My first reaction to the Notice of Intended Prosecution was that I’d start accumulating points, and points (in car insurance terms) mean price hikes, so to be offered a course in lieu of points was a fantastic result. The cost of the course (£90) was irrelevant; in fact I’d have paid much more to avoid the points. The cost of the Fixed Penalty (£100) was also not an issue, even though I didn’t pay it. It was the points on my licence that were at the forefront of my mind.

Not everyone is offered a course, however:

[Chart: the speed thresholds at which a Speed Awareness Course is offered]

The chart says in plain English that if you are caught at 35mph you will avoid a prosecution, but between 36mph and 42mph you will be offered a course. So just over the limit is OK; medium level speeding means a course, but over the top speeding means a prosecution or fixed penalty. That’s why you see lines of executive cars chugging down the motorway with cruise control set at 78mph. This chart effectively raises all speed limits by 10% to 20% and could even be said to be an inducement to ignore posted speed limits and work instead with the generous grey area speeds the police allow.

While researching this article I found that some countries base the size of a fine for speeding on the income of the speeder. Finland fined a highly paid (£4.7m a year) businessman £50,000. See more detail here: http://www.bbc.co.uk/news/blogs-news-from-elsewhere-31709454

And there are also stories of people asking other people to “take” points in return for money. An interesting concept worth investigating…

http://www.dailymail.co.uk/femail/article-1390586/Would-ask-loved-speeding-points-I-did-I-live-consequences.html

The big question that came up halfway through the course was

“Should I tell my insurers that I’ve been on the course?”

The trainer was clear.

“Your details will be held on a database so other police forces who may catch you speeding will not offer you a course. This will last for 3 years. The Police will not pass this information to anyone else.”

Searching the web will find plenty of discussion on this subject. Here’s what the AA (which provides Speed Awareness Courses) says:

“Your personal details are protected by the Data Protection Act 1998. If you elect to participate, you agree to your details being checked by us against the ACPO national database to establish if you have completed a similar course within the last 3 years of this offence.

If you complete a “National” course, your details relating to the course will remain on file with the ACPO national database for road safety research purposes for a further 7 years from the date of the offence, after which any personal reference to you will be erased. These details will not be released to any other party apart from other UK Police Forces if they are considering making an offer of a course in the future.”

ACPO has disappeared and the NPCC (National Police Chiefs Council) has sprung up, but it’s logical to assume that the data is still there and only the name of the Data Controller has changed.

NDORS is the national body that oversees the courses. They say:

“Once a person has been on the course then no further action will be taken, there is no fine to pay and they will not have any points put onto their licence.”

A generally held point of view is that there is no conviction, so there is no requirement to inform insurance companies. However, some insurance companies (largely the Admiral group) have started to ask potential customers if they have been on a Speed Awareness Course, as in their view that person, although not convicted, has shown an inclination to speed and this would affect any insurance premium.

The web has plenty of forums where this issue is discussed, and opinions of insurance companies range from infuriated to incensed. A typical comment is:

“Insurance companies will use any excuse to weasel out of paying a claim because they are cheating bastards.”

But who is right in this matter? Is there a data protection angle? We think so.

If anyone approached the police database and asked to see if a person was on that database because they had been on a Speed Awareness Course, I would expect the answer to be “no, you’re not getting it – it’s confidential”. Even using the Freedom of Information Act would elicit this response, and it seems the right response. There are other exemptions that might apply.

However, the Insurance companies are not going down that route as they know they don’t have a right of access. They are asking people to voluntarily inform them that they have been on such a course so that they can increase their insurance premium. They point to a general catch-all in their small print that customers must inform them of anything that might affect their insurance. Can insurance companies ask this? Can they ask a question that they know the person doesn’t want to answer because it invades their privacy?

  • Do you have cancer?
  • Do you smoke?
  • Do you walk 5,000 steps a day?
  • Have you dropped litter and been fined?
  • Have you separated from your partner?

They say that if you withhold such information it may invalidate the policy, but they can’t collect it lawfully unless they obtain it from the customer, as they have no other lawful means of obtaining it. If you have a massive claim and they see a £25,000 payout in prospect they might just use a private investigator to look into the claim and see if they can find some fault with it. He may stray outside the law and find evidence of your course…

But if you voluntarily answer the question that they may not be able to ask you haven’t you consented to giving the answer?

Consent hits the first button in Schedule 2 so the Insurance companies are processing fairly and lawfully. Or are they? If you are asked to consent to a disclosure that will have an adverse effect on your life is that a true consent or an enforced consent?

Consent isn’t defined in the Data Protection Act so it has its ordinary meaning. A quick web search says consent is “permission for something to happen or agreement to do something”. Do you think customers are agreeing that Admiral can hold their Course attendance and increase premiums as a result? Or are they reluctantly disclosing for fear of losing their insurance?

Other parts of Schedule 2 don’t seem to apply except for old faithful paragraph 6 – the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Whoever inserted the tiny word prejudice here many years ago may have done the nation an immense service. Of course it will prejudice the rights and freedoms of someone who hasn’t been convicted of a speeding offence yet is in danger of being penalised for doing so.

And if you’re thinking of diving into schedule 3 think again. It’s not sensitive data. It’s a training course not a conviction.

So on balance it’s probably unlawful for Insurance companies to ask the question, as it’s not a freely given consent; they have no access to the police database of course attendees, and if they do set a data hound on the case he probably can’t access the information lawfully either.

But there’s also a left field solution. All seasoned FOI professionals know that there’s a way of answering a request without actually answering it. Yes you’re remembering it now aren’t you – it’s the Neither Confirm nor Deny option.

Section 1(1)(a) of the FOI Act allows this where confirming would in itself disclose sensitive or potentially damaging information that falls under an exemption.

So when the Insurance company asks the question you Neither Confirm nor Deny that you have been on a course. They can’t make any further decisions on your premium. They can’t say “well it’s obvious that he’s done a course” as they have no evidence of it.

Good luck with that one.

Finally if you do find yourself being asked the question and any of the solutions here are a bit too drastic you can always swap insurers to one that doesn’t ask the question. But as you do remember that all the individuals who were coerced into unfairly disclosing Speed Awareness courses to Admiral may find that Admiral shares the data anyway. Big Brother (or Big Insurer) is not far away.

In the vanguard of forced consent is Admiral. Not content with asking you about speed awareness courses you’ve been on, they now want to trawl through your Facebook posts to make decisions on what type of person you are so they can adjust the premiums of party animals. See http://www.bbc.co.uk/news/business-37847647. Fortunately Facebook has declined to give Admiral access. But questions have to be asked as to how far Admiral or other insurers will go into your personal affairs to work out a suitable premium especially for you. A word trending in DP circles as GDPR approaches is Profiling. Maybe it’s time you found out what it will mean for your company in the future.

Image credit http://jimllpaintit.tumblr.com

Act Now has a full programme of Data Protection workshops including full day GDPR workshops. We also run the Act Now Data Protection Practitioner Certificate which is ideal for those preparing for the role of Data Protection Officer under GDPR.


GDPR is here to stay but what happens next?

It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.

On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:

“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”

As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.

This announcement does, though, put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. After last month’s announcement of the Great Repeal Bill, yesterday’s announcement was not a big surprise.

GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:

  1. Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
  2. Reviewing compliance with the existing law as well as the six new DP Principles.
  3. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  4. Considering who is going to fulfil the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.
  5. Reviewing information security policies and procedures in the light of the GDPR’s security obligations, particularly breach notification.

Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.

The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elizabeth Denham ends her blog with these wise words:

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits. 

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.


New Data Sharing Powers in the Digital Economy Bill


Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.

The Digital Economy Bill is currently making its way through Parliament. It contains provisions which will give public authorities (including councils) more power to share personal data with each other and, in some cases, with the private sector.

The Bill has been a long time coming and is an attempt by the Government to restore some confidence in data sharing after the Care.Data fiasco. It follows a consultation which ended in April with the publication of the responses.

The Bill will give public authorities a legal power to share personal data for four purposes:

  1. To support the well-being of individuals and households. The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help retuning their televisions after changes to broadcasting bands, and providing direct discounts on energy bills for people living in fuel poverty.
  2. For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
  3. Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
  4. Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.

The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.

A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.

The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch), many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.

It is also an oversight on the part of the drafters that it does not mention the new General Data Protection Regulation (GDPR) which will come into force on 25th May 2018. This is much more prescriptive in terms of Data Controllers’ obligations especially on transparency and privacy notices.

These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)


The revised ICO Privacy Notices Code and GDPR


Earlier this month the Information Commissioner’s Office (ICO) published its revised Privacy Notices Code of Practice.

Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:

  • The identity of the Data Controller
  • The purpose, or purposes, for which the information will be processed
  • Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st DP Principle).

The ICO says that organisations need to do more to explain to service users what they are doing with personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.

As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.

This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.

The code includes a helpful checklist, covering key points and tips on how to write a notice.

Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!

Want to know more about privacy notices under GDPR? Attend our full day GDPR workshop.

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.
