GDPR Practitioner Certificate: New Course For Manchester


By popular demand Act Now Training has added an extra course in Manchester for its GDPR Practitioner Certificate.

Autumn 2017 has seen a massive upsurge in bookings for this course leading to every course being fully booked until the end of January 2018. This new Manchester course, starting on 14th November 2017, will give DP practitioners and advisers a chance to complete their training before the end of the year.

Candidate results and feedback so far has been excellent. Our first set of results came out back in May. Since then we have run many courses. Our latest results saw 10 delegates pass of whom 6 achieved a distinction.

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate. Our course now takes account of the provisions of the Data Protection Bill, which was published a few weeks ago.

As the GDPR implementation date gets closer, more organisations are recruiting Data Protection staff. Now is the time to ensure that you are fully up to date with the new law.


More information about our GDPR Practitioner Certificate course as well as other GDPR offerings are on our website. If you would like to have this course delivered at your premised, please get in touch.


Image credits:

Posted in DP Bill, EU DP Regulation, GDPR | Leave a comment

GDPR Practitioner Certificate: Another Set of Great Results

accomplishment, certificate, degree, successful, diploma, graduates, achievement, celebration

Act Now Training would like to congratulate the 10 delegates who have successfully completed our intensive one-week course leading to the GDPR Practitioner Certificate.

The course was delivered by Tim Turner in London in August 2017. All 10 delegates passed with 6 achieving a distinction.  This is an even better than our first set of results back in May.

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The August course delegates represented a diverse range of organisations including councils, universities and government departments from the UK as well as the Isle of Man and the USA(see comment below and at the end of this post). They all enjoyed the course and gave us some very positive feedback about the course and the trainer:

“Thank you very much and this is great news. Close to distinction I was and I am pleased for being the only American in the class. I have a solid foundation on GDPR and look forward to future trainings that will lead to a role as a DPO” Domenic DiLullo, USA

“The course content was comprehensive and the course material have real continuing value back in day-to-day work. The trainer’s expertise and experience was obvious but he also created a really fun, discursive environment to learn in.”  KG, University of London

“I feel well equipped to provide relevant advice and guidance on the GDPR as a result of taking this course. It was well presented with good quality, practical course material and access to a resource lab for articles, webinars and exam practice, all of which proved invaluable.” JD, East Sussex County Council

“Undertaking the Act Now GDPR practitioner course has reinforced my understanding of Data Protection and Privacy.  The training provided by Tim has given me new strategies relating to implementing GDPR and privacy measures, achievable with much more confidence. I can now help my organisation understand, categorise and evidence risks associated with privacy and GDPR in more practical and robust way.” RS, Boston Council

“The course was excellent and well presented. I found Tim approachable and entertaining and he helped to make what could be a dry subject come to life. Pre attendance the admin was excellent and everything went ahead without any glitch at all. Act Now have responded to me really quickly and efficiently every time.” SH, Swansea University

Demand for these courses has been phenomenal as have the testimonials. Due to this demand we have now added some further dates! Book early to avoid disappointment. Course starting on 21st November in Manchester!

Posted in Certificated course, Data Protection, DP Bill, EU DP Regulation, GDPR | 2 Comments

GDPR: Notification and the future of ICO Charges


By Jon Baines

Data Protection law has, since 1984 in the UK (with the first Data Protection Act), and since 1995 across Europe (with the Data Protection Directive), contained a general obligation on those who process personal data to notify the fact to the relevant supervisory authority (the Information Commissioner’s Office, or “ICO”, in the UK) and pay a fee for doing so. For many organisations it has in effect meant the payment of an annual fee in order to deal with people’s personal data.

Currently, in the UK, under the Data Protection Act 1998 (DPA), data controllers (those organisations who determine the purposes for which and the manner in which personal data are processed) pay either £35 or £500, according to their size (data controllers whose annual turnover is £25.9m or more and who have more than 249 staff must, in general, pay the larger amount). There are various exemptions to the general obligation, for instance for some controllers who are not-for-profit and for those who process personal data only for staff administration (including payroll), or advertising, marketing and public relations (in connection with their own business activity), or for accounts and records.

Failure by a controller to make a notification, unless it has an exemption, is a criminal offence under sections 17 and 21 of the DPA, punishable by a fine. However, only one successful prosecution appears to have been brought by the ICO in the last calendar year – a surprisingly low figure, given that, anecdotally, the author is aware of large numbers of controllers failing to make a notification when they should do so.

The General Data Protection Regulation (GDPR) does away with what has often been seen as a fragmented and burdensome notification requirement, substituting for it, at least in part, an accountability principle, under which relevant organisations (“data controllers”) will have to keep internal records of processing activities. As far back as 1997 the Article 29 Working Party, representing data protection authorities across the EU, recognised that excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities.

And in its impact assessment in 2012, when the GDPR was first proposed, the European Commission explained some of the reasoning behind the removal of the requirement:

“[Notification] imposes costs and cumbersome procedures on business, without delivering any clear corresponding benefit in terms of data protection. All economic stakeholders have confirmed…that the current notification regime is unnecessarily bureaucratic and costly. [Data protection authorities] themselves agree on the need to revise and simplify the current system.”

However, in the UK at least the removal under the GDPR of notification fees would have had a catastrophic effect on the ICO’s existence, because, at the moment, all of the funding for its data protection work comes from fees income – almost £24m last year.

To address this impending shortfall, the government has aimed to provide powers (actually in the form of two pieces of legislation – first the Digital Economy Act and now the recent Data Protection Bill (DP Bill) (presumably the former will fall away given the introduction of the latter) to make regulations to create a domestic scheme for data protection fees. The explanatory notes to the Data Protection Bill state that”

“[Clause 132] provides the Secretary of State with a power to make regulations requiring data controllers to pay a charge to the Commissioner. Those regulations may provide for different charges in different cases and for a discounted charge. In setting the charge the Secretary of State will take into account the desirability of offsetting the amount needed to fund the Commissioner’s data protection and privacy and electronic communications regulatory functions. It also provides that the Secretary of State may make regulations requiring a controller to provide information to the Commissioner to help the Commissioner identify the correct charge.”

A clue as to how the charges might be set has now been provided by means of a questionnaire, sent on behalf of the Department for Digital, Culture, Media and Sport (DCMS) to 300 lucky data controllers, seeking their views on what the fee structure might be. There is nothing on the DCMS, or ICO, website about this, so it’s not clear if it takes the form of a consultation, or, more likely, a scoping exercise. But what it appears to be putting forward for consideration is a three-tier scheme, under which data controllers would pay £55, £80 or £1000, based on the size of the data controller and the number of “customer records” it handles.

As drafted, the questionnaire doesn’t propose any exemptions. One assumes that these would follow, but even so, the proposal to levy a fee for data protection on business, at a time when the European legislature has removed it, must raise questions about how business-friendly this particular piece of law-making will be.

Additionally, it is not clear what the sanction for non-compliance, and what the enforcement regime, would be. As indicated above, the current criminal sanction does not appear to have prevented any number of data controllers from avoiding their legal obligations, with apparent impunity. One presumes, though, that enforcement would be left as a function of the ICO, and, given that Commissioner Elizabeth Denham has said on various occasions that her office needs to grow to cope with the demands of GDPR, it is to be supposed that she will aim to be strict on this matter.

There are estimated to be approximately 5.5 million businesses in the UK. If each of those paid only the bottom tier under the suggested fees structure, this could equate to a potential cost to business of about £3bn per annum. Even if only a proportion of businesses actually end up paying (bearing in mind the likely exemptions, and likely avoidance/ignorance of some – just like now), £55 is a 57% increase on the current lower fee, and, added to the administrative costs of actually making a notification marks a considerable overall burden on UK business and – indeed – other data controllers.

There is no easy answer to the question of how the ICO’s regulatory functions can effectively be funded, and on one view it makes sense to retain a similar arrangement to the existing one, despite the European legislature having determined it is both ineffective and burdensome. However, it would not be a great surprise to see business interests in the UK lobbying against a domestic measure which is in fact more costly for them than the measures of the European Union the UK is planning to leave.

Jon Baines, is chair of NADPO ( and blogs in a personal capacity.

Many of our GDPR workshops are fully booked. We have added a new course on the Data Protection Bill to our programme. 

Posted in Data Protection, DP Bill, EU DP Regulation, GDPR, Personal Data | 2 Comments

The GDPR, the Data Protection Bill and Complaints


By Scott Sammons

The General Data Protection Regulation (GDPR) and the recently announced Data Protection Bill (DP Bill) are bigger pieces of legislation than the old Data Protection Act 1998. We already know that remedies and complaints under the Regulation are more wide ranging and entities, in effect, are now to be seen as guilty until proven innocent (reference the need to be able to ‘demonstrate compliance’ in Article 5(2)).

Both the GDPR and the DP Bill give the Data Subject the right to lodge a complaint with the Information Commissioner if the Data Subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR (GDPR Article 57 and DP Bill Section 156).

In Article 38 (4) of the GDPR, it implies that Data Subjects can raise matters (complaints) with the Data Protection Officer but doesn’t explicitly state that Data Subjects can ‘lodge a complaint with the controller or processor’. The GDPR outlines that they can exercise their rights on the controller/processor (some of which, like the right to object to automated decision making, are often only really used if the Data Subject is unhappy about something). Therefore, as with today, you will want to encourage Data Subjects (should they have a concern) to bring it to you directly rather than go to the Information Commissioner. It is likely that the ICO will continue their stance of referring complainants back to the organisation concerned first if they have just gone straight to the ICO, but I wouldn’t rely on this if I was you. The world is changing, and in order to truly embed the transparency and accountability requirements of GDPR it is far better to have a visible complaints process for Data Subjects up front.

Also, neither the GDPR nor the DP Bill explicitly states that the Data Protection Officer should be the one to investigate and resolve GDPR related complaints. They do however, in Article 39 (1)(b) and Section 69 (1)-(3) respectively, state that the DPO should ‘monitor compliance’ with the GDPR and DP Bill. Therefore the DPO should definitely be part of the complaints process, especially for ‘high risk’ complaints, but as for investigating every single complaint, I can’t see an explicit requirement for that. Therefore if you’re the DPO for your organisation reading this or the IG/DP team member that will investigate DP complaints from data subjects then this may be of use to you.

Due to the above, however, this does mean that when investigating complaints and/or accusations of non-compliance with the GDPR (or the DP Bill), you will need to be more thorough and more specific in determining exactly where a ‘breach’ may or may not lie.

For many of you this will be old news and you are most probably already doing this, but to many people formal training in ‘complaint handling’ and investigation is something new. Hopefully you’ll find this useful, and it should follow the same sort of process and standards many organisations (especially those that are regulated) will have in place.

Firstly, many people will accuse you / your organisation of wrong doing and often provide a list of areas where they believe you have gone wrong. Some will be genuine and some will be utter nonsense. But you will need to be thorough to ensure that you can genuinely separate out what is a valid complaint and what is someone’s misunderstandings/ventings/vendettas. Always start from a position of an ‘accusation is not a fact’, regardless of the ICO position of ‘guilty until proven innocent’, any failing in your compliance controls will need evidencing and a thorough complaint investigation will determine that. Each accusation should be taken seriously but it will need to be investigated and evidenced to determine whether or not it is a valid complaint and there is a ‘case’ to be answered.

When investigating the matter at hand start at the very beginning. What started this person down this path to lodge a complaint? What were the interactions with your service? Were things done correctly? Can you evidence that a particular action (either good or bad) was actually carried out or is it a case of a staff member’s word vs the complainants? As you would with a legal case look for evidence to establish facts, the less evidence you have the more likely you are to have a weak case to defend. The more evidence you have the more you can prove one way or another what occurred and if the complaint has merit.

It is likely that during your investigation you’ll determine that x process was not followed or y system failed resulting in the errors causing the complaint. If you are able to come to the conclusion that processes, systems or any controls have indeed failed it may also be worth logging an ‘adverse incident’ on the controls that have failed.

For those that have seen any of my previous post on Information Risk, when you put things in place to prevent your risks from materialising these are referred to as “controls”. These controls can range from policies, procedures, training, technical solutions, and system design to anything really that helps you control that risk. When a control or controls fails this should be recorded as an ‘incident’ so that  you can monitor the effectiveness of your controls and ensure whatever remedy you put in place to stop it re-occurring, actually helps that control (and isn’t just a default response of punish or train the staff member).

But I digress; let us go back to the complaint. Once your investigation is complete and for each aspect of the complaint you can conclude what has and what has not occurred you can start to draft a response and determine what parts of the complaint are ‘upheld’, ‘not upheld’ or ‘partially upheld’. If you imagine the ‘shopping list’ of accusations I referenced above, for each item on that list you should have a position of upheld, not upheld or partially upheld. If at any point:

Upheld is where you agree with the complainant and there is a case to be answered for. It is then up to you how you want to proceed with that complaint based on what standards and approach your organisation takes to resolving complaints. Where a complaint does look like it is to be upheld (and indeed with any ‘high risk’ complaints) you will also need to agree the outcome and actions with the Data Protection Officer.

Partially upheld are, as it says on the tin, areas where there is some merit to their complaint but it didn’t occur as they outline and/or the impacts they describe are heavily inflated / incorrect. This may still be a ‘high risk’ area even though it may only be partially upheld, therefore you may still need to ensure you have DPO sign off before issuing the response.

Not upheld are simply where you cannot evidence that what the complainant says occurs actually occurred or you have evidence to the contrary therefore their complaint is unfounded and can be, for want of a better word, rejected.

When responding back to the complainant you will need to run through each aspect of their complaint and outline your findings and why you have upheld or not upheld that aspect of their complaint. There could, for large complaints, be a mixture of upheld, partially upheld, and not upheld for the various different areas they are claiming you have not complied with the law.

If you can record all of the above, with the supporting evidence, should the complainant indeed then take their complaint to the ICO the majority of your investigative work should be complete. It can then be quickly investigated or even ‘reviewed’ by another party if that’s what your organisation prefers. In any event, if you’re the DPO or the person supporting the DPO in their tasks, this should make it easier to log, track, resolve and learn from complaints if and when you get them. Of course the ideal would be to not get any complaints, but in this world however that is never going to happen.

Life is far too imperfect, but a ‘close to perfect’ complaints and incidents process should help you manage your GDPR compliance and give you useful insight into what is going right and wrong in your organisation.


Scott Sammons FIIM, CIPP/E, AMIRMS is Chair of the Information and Records Management Society (IRMS) and sits on the Exam Board for our GDPR Practitioner Certificate courses (3 out of the next 5 are fully booked).


We have added a new course on the Data Protection Bill to our programme.

Posted in Article 50, Brexit, DP Bill, EU DP Regulation, GDPR, Uncategorized | Leave a comment

The Data Protection Bill: A Summary


By Lynn Wyeth

The text of the new Data Protection Bill has finally been published by the Government and at 218 pages, 194 clauses, 18 schedules and 112 pages of explanatory notes, it is a huge chunk of legalese spaghetti. You can find the main Bill in pdf form here.

As with the 1998 Data Protection Act (DPA98), the Bill is cumbersome and repeatedly refers to clauses within itself. This is compounded this time by references also to the General Data Protection Regulation (GDPR) and other pieces of European legislation. To translate all this and join all the dots you need to flick between many texts and screens, but here’s a quick summary of some of the key issues and where to find them in the Bill:

Structure of the Bill

There’s nothing hugely unexpected in the Bill, as long as you are familiar with the DPA98, additional orders added to the DPA98 over the years, the GPDR and the Law Enforcement Directive (EU) 2016/680! This has all been merged into one large Bill to try and keep what we have now plus any new requirements of GDPR and the Directive. The Bill is set out in Parts, some of which may not be relevant to all organisations.

Part 1 & 2 – Definitions and General Processing

Part 3 – Law Enforcement

Part 4 – Intelligence Services

Part 5 – Information Commissioner’s Office

Part 6 – Enforcement

Part 7 – Miscellaneous!

Law Enforcement 

Part 3 of the Bill deals exclusively with Law Enforcement under Clauses 27 -79. Organisations will only be subject to these clauses if they are

  • a Competent Authority, or
  • processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Schedule 7 lists the Competent Authorities and this includes organisations such as Government departments, Police, Fraud Office, Probation, Youth Offending Teams etc. If you don’t meet the criteria above, you don’t need to worry about this large part of the Bill.

There are some differences in Part 3 that organisations do need to be aware of if they fall into the law enforcement category. The Data Protection Officer (DPO) has extra specified tasks in clause 69, namely the ability to assign responsibilities, promote policies, undertake audits and deliver training. There is also an additional requirement to have specific audit trails (clause 60 – logging) on automated processing ensuring a log of who collected, altered, erased and transferred data amongst other things.

Public Authorities

The Bill confirms in clause 6 that where it refers to public authorities or public bodies, it means those organisations that are currently subject to Freedom of Information Act provisions. Interestingly it means any organisations brought under FOI in the future may need to consider issues such as DPOs and use of legitimate interests in future too. Housing associations and companies delivering public contracts may need to watch the FoI Private Member’s Bill going through parliament next year or the ICO’s push for extending FOI through its reports to Parliament.

Data Protection Officers

For those organisations not involved in law enforcement, their DPO will only have to undertake the tasks set out in GDPR, not the additional ones set out in clause 69. There are no extra surprises here and the Article 29 Working Party guidance on this is comprehensive about when one is required by law, the tasks it carries out and on the issue of conflict of interest. Senior managers, SIROs, Caldicott Guardians, Heads of IT or HR… none of them can be the DPO.

 Data Breaches

As expected in order to implement the GDPR requirements, any personal data breaches must be reported to the Information Commissioner’s Office (ICO), where there is a risk to an individual, within 72 hours unless there is reasoned justification (breach notification). The potential derogation for public authorities has not been taken advantage of and they, like all other organisations, could face Civil Monetary Penalties (CMPs) of up to £17m or 4% of the equivalent of annual global turnover (although the ICO can change this – perhaps due to currency fluctuation or after Brexit). The reality is that the ICO, as stated in its myth busting blog, will continue to use CMPs as a last resort and they will be proportionate.


The Bill also confirms that in the UK the child’s age in relation to information society services will apply if the child is under 13 years old rather than 16 years old. Providers of such services will have to take reasonable steps to get the consent of a parent or guardian to offer a child under 13 years the service. The definition of information society services can be found in the E-Commerce Directive and it should be noted this specific age of consent is only for this type of service. For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency. Data Protection practitioners in Scotland have the added complexity in clause 187 of separate rules for age of consent for Scottish children to reflect the existing provision there now that “a person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown”.


As previously discussed on this blog, GDPR removes the obligation for data controllers to notify with the ICO. The ICO had expressed concerns about this and the loss of income if they could not continue with notification fees (currently £500 per annum for large organisations, £35 per annum for smaller data controllers). The Data Protection Bill therefore makes provision for the ICO to continue to require a form of notification fees under clause 129. In fact, the Bill looks like it allows the ICO to charge fees for other services too. The ICO will have to publish these fees and have them agreed by the Secretary of State. The DCMS is currently consulting on a 3-tier system with the top tier (businesses with over 250 staff) having to pay up to £1000 (with a direct marketing top up of £20).

 Conditions for processing

 The ICO has already stressed in its myth busting blog that consent is not the only condition for processing despite misleading stories elsewhere. As before, the Bill lists several conditions for processing non-sensitive personal data and sensitive (now called special category in GDPR) personal data. As we already knew from GDPR, Public Authorities can no longer rely on legitimate interests but all of the other conditions from the existing DPA98 have been brought across e.g. counselling, insurance. There’s even one explicitly for anti-doping in sport. Schedule 1 lists all of these conditions for processing special category data.

 Complaints and compensation

Clause 157 sets out what individuals can expect if they submit a complaint to the ICO and the ICO fails to address it adequately, and how the Tribunal can then become involved. Clause 159 provides for compensation claims for ‘damage’ and that can include financial loss, distress and other adverse effects. Consumer support groups are disappointed that they are not able take class actions and seek redress without the data subject’s consent, as the Government has decided against the use of that derogation.

 New Criminal Offences

There will be a new criminal offence under the Bill where anyone uses anonymised data “knowingly or recklessly to re-identify information that is de-identified personal data”. Researchers and IT testers will need to be careful that they can demonstrate anything accidently re-identified or deliberately tested is done in the public interest and doesn’t trigger this offence. Data theft will also be a recordable offence on the national police computer, as will unlawfully obtaining personal data and altering personal data in a way to prevent it being disclosed.


Clause 16 allows for the accreditation of certification providers. The only organisations that can award certification are the ICO and the National Accreditation Body (which looks set to be UKAS). No organisation has been awarded certification yet so beware of organisations claiming they can make you a ‘certified’ GDPR practitioner at this time!


 All of the familiar exemptions have been brought across from the current DPA98 e.g. crime and taxation, journalism, references, examination marks, honours, parliamentary privilege, management forecasts, legal professional privilege and negotiations. Also added is immigration, and clarity is given on archiving and research. They can all be found in Schedules 2-4, with Schedule 3 focussing on detail on health and social care, and schedule 4 on education, child abuse and adoption.

Subject Access Requests

The Bill confirms the requirements in the GDPR. You cannot charge for a Subject Access Request unless repeated or manifestly unfounded or excessive, and you must answer in one month (unless it’s excessive and it can be extended for another two months).

 What happens next?

The 2nd reading of the Bill will take place in the House of Lords on October 10th 2017. Its passage through Parliament can be tracked here. There may be some amendments made as it works its way through the parliamentary process. Several Regulations will also need to be made by the Secretary of State to implement some parts of the Bill.

Want to know more? Attend our new Data Protection Bill workshop.

Lynn Wyeth is the Head of the Information Governance function of a large unitary public authority and has over 10 years’ experience as a Data Protection and FOI practitioner. She also delivers some of our external GDPR and GDPR Practitioner Certificate courses.

Posted in Brexit, Data Protection, DP Bill, EU DP Regulation, GDPR | 5 Comments

The Data Protection Bill: It’s not what you think it is!


Yesterday the DCMS published the long awaited Data Protection Bill 2017. Accompanying the 203 pages of the Bill there are 112 pages of explanatory notes, a 4-page factsheet and a 5-page impact assessment. With detailed cross referencing to the provisions of the General Data Protection Regulation (GDPR), this Bill is a gift to purveyors of highlighters and sticky notes!

The Bill has many aims (see below). It does not though, contrary to popular belief, incorporate the GDPR into UK law. GDPR is a Regulation and so directly applicable when it comes into force on 25th May 2018. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit the GDPR will still be the law because of the provisions of the European Union (Withdrawal) Bill (previously the Great Repeal Bill.) Paragraph 6 of the explanatory notes confirms this:

“While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.”

So why do we need a Data Protection Bill? Section 1 explains:

To fill in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules. The Bill mirrors the Government’s Statement of Intent which was published a few weeks ago. Amongst many other things, we are now clearer on the minimum age at which a child can consent to certain types of data processing, the definition of a public authority/public body, new offences, rules on automated decision making and exemptions (including for research and freedom of expression in the media.)

To make provision for a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Article 2(2)) including the processing of unstructured, manual data held by an FOI public authority.

To implement Directive (EU) 2016/680 (the Law Enforcement Directive) on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Unlike the GDPR, the Law Enforcement Directive is not directly applicable EU law; accordingly Part 3 of the Bill, amongst other things, transposes the provisions of the Directive into UK law.

To make provision for the processing of personal data by the Intelligence Services

To make provisions about the role of the Information Commissioner

To make provisions for the enforcement of data protection legislation

The second reading of the Bill will be on 10th October. Its passage through Parliament can be tracked here.

Want to know more? Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate courses are filling up fast.

We also offer a GDPR health check service.

Posted in Brexit, Data Protection, DP Bill, EU DP Regulation, GDPR | Tagged , , | 4 Comments

What impact will GDPR have on your CCTV systems?


There are now less that nine months to go before the General Data Protection Regulation (GDPR) comes into force replacing the Data Protection Act 1998 (DPA).

So what should operators and controllers of CCTV and video systems be doing now? The short answer is, ensure you are complying with the current law and don’t believe the doom merchants:

“The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have gained from relatively light touch regulation.”


Overt CCTV camera systems are regulated by the DPA. The Information Commissioner’s Office (ICO) revised its CCTV Code of Practice in 2015 to:

  • reflect the developments in existing technologies that have taken place in the last six years,
  • discuss the emergence of new surveillance technologies and the issues they present (e.g. drones and body worn cameras etc.)
  • reflect further policy development in areas such as privacy impact assessments,
  • explain the impact that new case law has had on the area of surveillance systems
  • reflect the wider regulatory environment that exists when using surveillance systems.

The ICO has produced a CCTV self-assessment tool that will help you assess your compliance with its code.

Jonathan Bamford, then the Head of Strategic Liaison at the ICO, emphasised in his blog post at the time of the consultation in to the new CCTV code that the that the underlying principles remain the same.  And the same can be said about GDPR’s impact on CCTV systems. All the familiar provisions found in the DPA are there in the GDPR including the need for transparency, security, respect for individuals’ rights etc.

Data Protection Impact Assessment

One area, which needs particular consideration, is whether a Data Protection Impact Assessment (DPIA) needs to be undertaken before setting up a new CCTV system. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.

A DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) of GDPR). Such processing, according to Article 35(3)), includes “large scale, systematic monitoring of public areas (CCTV)”.

Even where your CCTV does fall into this category it may still be deemed to be “high risk.” The Article 29 Working Party’s data protection impact assessment guidelines set out the criteria for assessing whether processing is high risk. This includes systematic monitoring of individuals.

For its part the CCTV code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress.

For more on DPIAs including how it should be conducted and by whom, please read our DPIA blog post. Other points to consider in relation to CCTV systems include:

If a CCTV system is being used for employee monitoring, then other aspects of GDPR will come into play as well as, in some cases, Part 2 of the Regulation of Investigatory Powers Act (RIPA). For more on this topic see our blog post and forthcoming webinar.

The PoFA Surveillance Camera Code

Just to complicate things a bit more, some organisations also have to comply the Surveillance Camera Code (PoFA code). Made in 2013, pursuant to the Protection of Freedoms Act 2012 (PoFA), this code governs the use of CCTV and ANPR systems by local authorities and policing authorities in England and Wales.

The Surveillance Camera Commissioner (in charge of the PoFA code) has set up a voluntary certification scheme. He says on his website:

“Over the coming weeks and months we will look at what else will be useful or necessary to support those using surveillance cameras on their journey to compliance. At the same time I can reassure you that we are working hard with certification bodies to adjust our independent third party certification scheme to ensure that if you or your organisation acquire that standard it is very likely that you will measure up to the new requirements under GDPR. Many police forces, local authorities, large retailers and transport networks sit within that category and I aim to broaden that base – outward reassurance to the public concerning inward compliance!”

GDPR will have an impact on CCTV and other video recording systems. But there is not going to be a revolution. If time is spent on complying with the current law by making use of existing resources (as explained above), there will be no need for a big jump into GDPR land.

Learn more about GDPR on our full day workshop. We also offer a GDPR health check service. 5 out of our next 7 GDPR Practitioner Certificate courses are fully booked. Be prepared and book your place now. 

Posted in CCTV, Data Protection, EU DP Regulation, GDPR | Leave a comment