GDPR: Updating Privacy Notices


Are you caught in a last minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects as well as the manner and timeframe.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”


Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:

  • the identity and contact details of the Data Controller and where applicable any representative
  • the contact details of the Data Protection Officer where applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
  • the recipients or categories of recipients for the personal data (if any)
  • details of international transfers and their legal basis

In addition the Data Subject must be given the following information necessary to ensure fair and lawful processing:

  • the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
  • the existence of the Data Subjects’ rights e.g. Data Portability and Subject Access, Rectification, Erasure etc.
  • where the processing is based on consent, the fact that consent can be withdrawn at any time
  • the right to lodge a complaint with the supervisory authority (the ICO)
  • where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
  • details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.


GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company, O2, has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists and their privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).


Our consultant, Scott Sammons, has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London | Essex Council | Halifax Bank | Decoded Legal (law firm)

Age UK (charity) | Act Now Training

The DFE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

If you need to raise awareness about GDPR, our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.


GDPR is coming but don’t panic!


The General Data Protection Regulation (GDPR) will come into force in 3 weeks’ time. 25th May, though, is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20 million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the Commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and if so who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioner’s full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!



Gill Smith Joins Act Now’s GDPR Team


Act Now Training is pleased to announce that Gill Smith has joined its team of consultants.

Gill is a specialist consultant and trainer in the practical implementation of Data Protection legislation (including GDPR) and has been involved in managing and assisting organisations with compliance management since 1988. During that time she worked in local government for 15 years managing and administering Data Protection and Security compliance.

Since 2003, Gill has assisted public and private sector organisations as an independent consultant and trainer. This includes the provision of seminars and workshops on Data Protection and Freedom of Information implementation for practitioners, as well as providing in-house training for employees of businesses, local authorities, charities, and government organisations in England and Northern Ireland.

Gill will be delivering some of our existing programme of courses and developing new ones. She will also be servicing our in house training clients in FOI and GDPR.

Ibrahim Hasan said:

“I am very pleased that Gill has decided to join our team. She is a well-known and well-respected name in the field of information governance with a proven track record of delivering high quality jargon free training. Her experience will help us deliver more courses across the country and satisfy growing client demand.”


There is still time to raise awareness of GDPR before 25th May. See our programme of public courses. If you need to train frontline staff, our e learning course is ideal.


Information Rights Expert joins Act Now GDPR Team


Act Now Training is pleased to announce that Scott Sammons has joined its team of consultants.

Scott is an experienced information governance practitioner having worked in both the public and private sector for 10 years, most recently as the GDPR implementation lead for Essex County Council. With certificates in Data Protection and Freedom of Information, his experience and expertise make him a great addition to our team.

Scott’s GDPR experience includes:

  • Implementation of GDPR in a local authority
  • ROPA deployment
  • Information Mapping & risk assessment
  • Consent & Marketing workshops
  • GDPR awareness sessions for the private sector

Currently Scott also volunteers for the IRMS. The IRMS is one of the leading professional bodies for those that work in information governance and information management.

Scott contributes frequently to guidance and awareness of information related matters via blogging as well as volunteering for the IRMS running events and developing materials for information professionals.

Scott said:

“I am really pleased to be joining the Act Now team. I hope to assist in delivering Act Now’s range of information rights courses as well as developing new ones. My public and private sector experience will I believe stand me in good stead to assist Act Now’s clients with their information rights workload.”

Ibrahim Hasan said:

“I am pleased that Scott has become a part of our growing and wonderful team of vastly experienced trainers. His real-world experience and knowledge of information rights will help us expand our services and deliver even more courses to our client base. We have become well known for the trainers we have with their fantastic skill and experience but also for their ability to deliver a difficult subject for many, in a simple and plain speaking way.”

Act Now Training is growing rapidly and with over 15 years’ experience in this sector, we have the grounding to help your organisation with its information rights needs. We offer a full range of training and consultancy services including health checks to gauge your preparedness for GDPR and audits as well as offering full certificate courses.

Act Now recently launched its brand new E-Learning Package specifically aimed at frontline staff. It has been a huge success with hundreds of people having signed up. Click here to find out more!

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require this or any other course delivered at your premises, tailored to your needs, please get in touch and we would be happy to deliver it for you.




Book Review: Blackstone’s Guide to the Investigatory Powers Act 2016 by Simon McKay (@simonmckay)


The Investigatory Powers Act received Royal Assent on 29 November 2016.

Nicknamed “the Snoopers’ Charter”, the Act provides that communications service providers may be required by the Secretary of State to retain communications data, for up to 12 months, where it is considered necessary and proportionate to do so and where that decision has been approved by a Judicial Commissioner.

Specified public authorities, including the police, the security and intelligence agencies as well as local authorities, may acquire communications data from a telecommunications operator or postal operator where it is both necessary and proportionate to do so, for specified purposes.

The Government says that retention of, and ability to access, communications data is an essential tool for law enforcement and national security investigations. It is used to investigate crime, keep children safe, support or disprove alibis and link a suspect to a particular crime scene, amongst many other purposes. Sometimes communications data is the only way to identify offenders, particularly where offences are committed online, such as child sexual exploitation or fraud.

However, there have been concerns around the balance between privacy and security in the Act. In January 2018 a Court of Appeal ruling found the Data Retention and Investigatory Powers Act (DRIPA) – a previous law covering state surveillance, which has been expanded upon with the Investigatory Powers Act – is unlawful.

The court ruled that the legislation violated UK citizens’ human rights (Article 8 of the European Convention on Human Rights) by collecting internet activity and phone records and letting public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off. The court said that the Act will have to be “urgently changed” as a result.

Fresh amendments were also proposed by the government in November 2017 following a European court ruling which said that the “general and indiscriminate retention” of personal communications data by police and security services “cannot be considered justified within a democratic society”.

Blackstone’s Guide to the Investigatory Powers Act 2016 is written by Simon McKay, a barrister and surveillance law expert. It is an excellent guide to this complicated piece of legislation.

It starts with a very useful chapter on the history and background to the Act, which is important to read, in order to understand where the Government is coming from with this controversial legislation. Subsequent chapters discuss in detail, amongst other things, the processes and pitfalls in relation to the interception of communications, access to communications data and retention of data and equipment interference. Each chapter does not just refer the reader to the Act but also discusses other relevant legislation as well as caselaw from UK and European courts.

Part 1, Chapter 2 of the Regulation of Investigatory Powers Act (RIPA) provided a framework for the lawful acquisition and disclosure of communications data by law enforcement agencies as well as other public bodies including councils. This part of RIPA has now been replaced by Part 3 of the Investigatory Powers Act. Chapter 4 of the book explains the process in detail and the familiar RIPA concepts of notices and authorisations.

Sections 73-75 of the Act place restrictions on local authorities’ ability to acquire communications and data. Experienced practitioners, with a knowledge of RIPA, will not be surprised by the restrictions, which include a need for high-level internal authorisation and magistrates’ approval. Of course with the new Act there are now new oversight arrangements, which are explained in Chapter 9.

If you are involved in advising or training on surveillance and investigations law, this book will be a valuable addition to your library. It also contains a copy of the Act.


GDPR: The New ICO Fees Regime


25th May 2018, when the General Data Protection Regulation (GDPR) comes into force, will see the end of the current Notification regime under the Data Protection Act 1998.

Until recently, Data Controllers looked set to save a little money and the Information Commissioner’s Office (ICO) a lot of money. The ICO is currently funded partly from the annual Notification fees. In 2016 it collected more than 17 million pounds.

As predicted on this blog last year, the Government has now announced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 were laid before Parliament on 20th February 2018 and will come into effect on 25 May 2018, to coincide with the GDPR. The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing.) Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.

In summary there are three different tiers of fee and Data Controllers are expected to pay between £40 and £2,900 depending on the number of staff they employ and their annual turnover:

Tier 1 – Micro Organisations will pay £40

Applies to Data Controllers who have a maximum turnover of £632,000 for their financial year or no more than 10 members of staff.

Tier 2 – Small and Medium Organisations will pay £60

Applies to Data Controllers who have a maximum turnover of £36 million for their financial year or no more than 250 members of staff.

Tier 3 – Large organisations will pay £2,900

Applies to Data Controllers who do not meet the criteria for tier 1 or tier 2 above.

Data Controllers who currently have a registration (or notification) under the 1998 Act will not need to pay the new data protection fee until their registration expires. The ICO will write to them before this happens to explain what they need to do next. With regards to Data Controllers who are already registered, the ICO will decide what tier they come under based on the information it has but Controllers will always be able to challenge this. The good news is that Data Controllers choosing to pay the fee by direct debit will receive an automatic discount of £5 at the point of payment. Every little helps!

The 2018 regulations make it clear that public authorities (e.g. councils) should categorise themselves according to staff numbers only. They do not need to take turnover into account. Furthermore, charities that are not otherwise subject to an exemption, will only be liable to pay the tier 1 fee, regardless of size or turnover.

A Data Controller processing personal data only for one or more of the following purposes is not required to pay a fee:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not for profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

To help Data Controllers understand the new fee regime, the ICO has produced a Guide to the Data Protection Fee.

STOP PRESS (25th May 2018)

The Data Protection (Charges and Information) Regulations 2018 came into force today which give effect to the above.

Act Now can help you prepare for GDPR. Our 2018 course programme contains many more GDPR workshops and live webinars.

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally, for frontline staff our one hour GDPR E Learning Course is ideal.


Act Now Launches New Certificate in IG for Health and Social Care


Today ANT launched a new style of certificate course. It’s not a one day course, it’s not a practitioner certificate – it fits in between the two and is intended as a primer in all aspects of information law for the Health and Social Care sector.

The course runs for a period of 3 months and uses blended learning. Students can work online and in their own time (either at home or at work) by submitting written assignments and doing online tests. There is no final exam. The course uses continuous assessment to determine the award.

There are 3 teaching days which are each followed by an online knowledge check and an assignment. Subjects covered include Data Protection (GDPR), Freedom of Information, Records Management, Cyber Security, Incident Management, Training in IG and demonstrating compliance. A detailed course structure is available on our website.

The course was developed after consultation with Blackpool Victoria Hospital and a well known NHS expert and consultant, Paul Couldrey, who will be delivering the training. Victoria Hospital have made a significant contribution to the syllabus from a user perspective.

Paul is seen as an NHS leader in Information Governance compliance. He is the former Head of IG for NHS Central Midlands Commissioning Support Unit (CMCSU), which supports over 10 CCG and overseas health authorities to comply with legislation. He is qualified in information law at Masters level, and has spoken at numerous national conferences about information governance. He was also the Black Country contributor to the Caldicott Review published in June 2013.

We expect demand for this course to be high. IG in the health sector places a heavy workload on IG teams. Newcomers in the sector need to be brought up to speed as quickly and effectively as possible. This course provides that opportunity and also a certificate to demonstrate competence. The first public course starts in late April with the teaching days in Manchester in May, June and July. The course can also be delivered in house.

Take a look at the new IG cert on our website.

Act Now Training runs many courses in all aspects of Information Governance. With courses starting from as little as £20, we have a range to suit all requirements. From e-learning, full hour webinars, all the way up to expert level Practitioner courses that are accredited, we have something to suit your requirements. All our courses are flexible and can be delivered in house at your premises. Please get in touch for a bespoke quote.

