background preloader


Facebook Twitter

If you hold or use personal information about your clients, employees or other people, you are legally obliged to protect that information. This toolkit helps you with what you need to know, and do.

Under the Data Protection Act 1998 (DPA) you must:

use personal information fairly and lawfully;
collect only the information necessary for a specific purpose(s);
ensure it is relevant, accurate and up to date;
only hold as much as you need, and only for as long as you need it;
allow the subject of the information to see it on request; and
keep it secure. Overview of the General Data Protection Regulation (GDPR) Introduction This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is for those who have day-to-day responsibility for data protection.

This is a living document and we are working to expand it in key areas. The GDPR will apply in the UK from 25 May 2018. The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. Who does the GDPR apply to? The GDPR applies to ‘controllers’ and ‘processors’. What information does the GDPR apply to? Personal data Sensitive personal data. UK and BREXIT Perspective for GDPR. Data sharing. Accountability and governance. In brief… The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.

You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. In more detail… What is the accountability principle? The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. How can I demonstrate that I comply?

You must: Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. You can also: Adhere to approved codes of conduct and/or certification schemes. What do I need to record? You must ensure that: Data protection self assessment toolkit. ICO. Car rental employees fined for conspiring to steal personal information Former employees of Enterprise-Rent-A-Car have been sentenced for conspiring to steal customer information that accident claims companies could use to make nuisance calls and sell on as personal injury claims. Andrew Minty, Jamie Leong and Michelle Craddock all pleaded guilty at Winchester Crown Court on 4 January to conspiracy to commit offences under the Data Protection Act. Minty was fined £7,500 which he has to pay within two years or face three months custody. More details of the other fines are available on our website. GDPR guidance from Europe’s Article 29 Working Party The latest guidelines from the Article 29 Working Party in preparation for the GDPR have been adopted.

The first topics are data portability, the role of Data Protection Officers, and identifying lead supervisory authorities. Being held to ransom? UK businesses are reportedly being forced to shut down after being held hostage by ransomware. DP Minister: Government will consult on GDPR derogations - Privacy Laws & Business. Speaking in Parliament on 12 December, Data Protection Minister, Matt Hancock, confirmed that the government is now working on the overall approach and the details of EU Data Protection Regulation (GDPR) implementation. “Details of any new legislation in this area will be made [public] in due course,” Hancock said.

“We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities in the regulation to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful. For example, one measure will be on what the age of consent should be for children who wish to access information services. We want a data protection framework that works best for the UK and meets our needs. Those consultations will be forthcoming.” GDPR and accountability. IntroductionIt’s a pleasure to be here talking about privacy regulation in the digital age. As those of you who have come across us before will know, the ICO is one of the main regulators in the digital space. We’re the independent UK regulator enforcing the laws that govern privacy. If you’re using personal data, including for direct marketing, we’re here to help you get it right.It’s a big job.

We took almost 200,000 calls on our helpline last year. And on the other side of our role, we issued more than £1million of fines to organisations that got it wrong.And it’s a job that’s getting tougher.However fast regulation moves, technology moves faster.Especially as far as data is concerned.Companies today are using data in ways that were unimaginable when the current Data Protection Act was being drafted.We’re talking about an era of no Google. UK ICO recommends personal liability of directors for breaches of data protection law | White & Case LLP International Law Firm, Global Law Practice. White & Case Technology Newsflash At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors.

If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies. On 13 October 2016, the Information Commissioner, Elizabeth Denham, (the "Commissioner") gave evidence to a House of Commons Public Bill Committee (the "Committee") regarding the ICO's recommendations for the Digital Economy Bill (the "Bill").

The Commissioner expressed support for making directors personally liable for breaches of data protection law by their companies. The ICO recently imposed a fine of £400,000 – its largest ever fine for a breach of data protection law. The Digital Economy Bill Consequences for businesses. UK ICO recommends personal liability of directors for breaches of data protection law | White & Case LLP. Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources.

Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy. Information Collection and Use by JD Supra JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

Email Choice/Opt-out. How the ICO will be supporting the implementation of the GDPR | ICO Blog. By Elizabeth Denham, Information Commissioner. The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). The Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” I see this as good news for the UK. Citizens want the benefits of these digital services but they want privacy rights and strong protections too.

The major shift with the implementation of the GDPR will be in giving people greater control over their data. The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Like this: Like Loading... The GDPR and You. Cyber Security: Protection of Personal Data Online: Information Commissioner’s Response to the Committee’s First Report of Session 2016–17 - Culture Media and Sport. Cyber Security: Protection of Personal Data Online: Information Commissioner’s Response to the Committee’s First Report of Session 2016–17 The Culture, Media and Sport Committee published its First Report of Session 2016–17, on Cyber Security: Protection of Personal Data Online, HC 148 on 20 June 2016. The Information Commissioner’s response was received on 12 October 2016 and is appended to this report. 1.The Information Commissioner welcomes the Culture, Media and Sport Committee (“the Committee”) report into cyber security and the protection of personal data online.

Ensuring organisations have appropriate security in place to protect the personal data they hold from theft, loss or accidental destruction is a key principle of data protection law, serving to ensure the public can transact safely and access public services with confidence. 2.The Committee heard evidence prior to the United Kingdom voting to leave the European Union. 4.Recommendation 1 9.Recommendation 5 16.Recommendation 8. ICO code of practice on privacy notices – are you confident you are complying? - Data protection and privacy global insights.

By Tughan Thuraisingam Follow @tughanTT Earlier this month, the Information Commissioner’s Office (the “ICO”) published a code of practice on communicating privacy information to individuals (the “Code”). What does the Code say? The Code appreciates that when obtaining personal data as part of a simple transaction, developing a clear and effective “single document” privacy notice would be sufficient to comply with the Data Protection Act 1998 (the “DPA”). However, the Code firmly buries the notion that a privacy policy is simply a tick-box exercise. Just because you have one, does not necessarily mean you comply and nor does it mean that you have developed a meaningful and effective privacy notice that accurately reflects your data processing activities. The UK regulator for data protection emphasises the need to “develop a blended approach, using a number of techniques to present privacy information to individuals”. Why should organisations take this Code seriously?

Information Commissioner sets out plans for GDPR guidance. Following last month’s publication of the final text of the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) recently set out its plans for issuing updated guidance to organisations under the GDPR. Phase 1 – priority actions The first phase of the ICO’s programme, covering the next six months, focusses on ensuring that organisations are familiar with the key changes being introduced by the GDPR and have the building blocks in place to develop their compliance strategies. Outputs will include: An overview of the GDPR Guidance on individual rights Contracts Consent the updated Privacy notices code of practice The ICO will also be contributing to EU wide guidance on the following areas, which the Article 29 Working Party has identified as priority areas: Phases 2 – identifying areas for review/developing toolkits As part of phase 2 the ICO will review and map its current guidance against the GDPR and prioritise key areas for action.

Practical Tips for GDPR From UK ICO. GDPR still relevant for the UK | ICO Blog. By Steve Wood, Interim Deputy Commissioner. It’s just a few weeks since we set out what guidance organisations could expect and when around a General Data Protection Regulation (GDPR) that was on track to come into force in the UK on 25 May 2018. The result of the 23 June 2016 referendum on membership of the EU now means that the Government needs to consider the impact on the GDPR. As Baroness Neville-Rolfe said at the Privacy, Laws and Business conference this week, the future will be more uncertain.

But she was right to add that while the detailed future may be different from what was envisaged 10 days ago, the underlying reality on which policy is based has not changed all that much. We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. Similarly the plan of what guidance to expect and when remains useful. Like this: Like Loading... Overview of the gdpr 1 0. BREXIT: UK data protection laws should develop 'on an evolutionary basis' post-Brexit, says new information commissioner.

In her first speech since taking office, Denham suggested that it was likely that the new EU General Data Protection Regulation (GDPR) would apply in the UK before the UK leaves the EU. She said, however, that if that is not the case or if the UK government decides to apply alternative rules to those in the GDPR post-Brexit, the UK rules would "still need to be deemed adequate or essentially equivalent" to the GDPR.

The GDPR will have effect from 25 May 2018. Denham said it looks like the UK will formally exit the EU in 2019 or later. "We know it’s up to government what happens here, both in that middle period from May 2018 to whenever the UK formally leaves the EU, and beyond," Denham said in her speech in London. "The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. "We don’t want to talk legislative minutiae, but to look at the key principles that should underpin the future of privacy law in the UK," Denham said. Overview of the General Data Protection Regulation (GDPR)

Guidance: what to expect and when. Consistent feedback from stakeholders is that our advice around the Data Protection Act has been invaluable to organisations. Whilst more guidance will need to be developed at European level, we will be offering similar detailed support around the new law. Below we set out what organisations can expect, and when. Our priorities will be in three areas, all of which will be started (and some completed) within the next six months: ICO guidanceEuropean level guidance (in the form of Article 29 Working Party guidelines)Policy outputs (to inform future ICO and European guidance) We will regularly review and adjust our priorities in light of developments with ongoing dependencies.

Phase 1 – familiarisation and key building blocks In this phase we will focus on producing guidance to assist organisations to get to grips with the key differences in the new legislation and to implement their preparation. In the next six months priority outputs will be as follows: ICO guidance European guidance ICO outputs.