Category: International

Act Now Partners with Middlesex
University Dubai for UAE’s first
Executive Certificate in DP Law

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law.

This practical course focusses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law’s strict requirements. This is particularly relevant given the recent advancements in Data Protection law in the Middle East, including the UAE’s first comprehensive national data protection law, Federal Decree Law No. 45/2021. 

This law regulates personal data processing, emphasising transparency, accountability, and data subject rights. It applies to all organisations processing personal data within the UAE and abroad for UAE residents.

The importance of understanding this law is paramount for every business and organisation, as it necessitates a thorough reassessment of personal data handling practices. Non-compliance can lead to severe penalties and reputational damage.

The Executive Certificate in UAE DP Law is a practical qualification delivered over 5-weeks in two half day sessions per week and offers numerous benefits:

  1. Expertise in Cutting-Edge Legislation: Gain in-depth knowledge of the UAE’s data protection law, essential for professionals at the forefront of data protection practices.

  2. Professional Development: This knowledge enhances your resume, especially for roles in compliance, legal, and IT sectors, showing a commitment to legal reforms.

  3. Practical Application: The course’s structured format allows gradual learning and practical application of complex legal concepts, ensuring a deep understanding of the law.

  4. Risk Mitigation: Understanding the law aids in helping organisations avoid penalties and reputational harm due to non-compliance.

  5. Networking Opportunities: The course provides valuable connections in the field of data protection and law.

  6. Empowerment of Data Subjects: Delegates gain insights into their rights as data subjects, empowering them to protect their personal data effectively.

Delegates will receive extensive support, including expert instruction, comprehensive materials, interactive sessions, practical exercises, group collaboration, ongoing assessment, and additional resources for further learning. Personal tutor support is also provided throughout the course.

This program is highly recommended for officers in organisations both inside and outside the UAE that conduct business in the region or have customers, agents, and employees there. 

Act Now will be delivering and has designed the curriculum. Act Now Training is the UK’s premier provider of information governance training and consultancy, serving government organisations, multinational corporations, financial institutions, and corporate law firms.   

With a history of delivering practical, high-quality training since 2002.
Act Now’s skills-based training approach has led to numerous awards including most recently the Supplier of Year Award 2022-23 by the Information and Records Management Society in the UK. 

Our associates have decades of hands-on global Information Governance experience and thus are able to break down this complex area with real world examples making it easy to understand, apply and even fun!

Middlesex University Dubai is a 5 star rated KHDA university and one of three global campuses including London and Mauritius. It is the largest UK University in the UAE with over 5000 student enrolments from over 120 nationalities.

For more information and to register your interest, visit Middlesex University Dubai’s website. Alternatively you can Click Here.

US Data Transfers and Privacy Shield 2.0 

On 14th December 2022, the European Commission published a draft ‘adequacy decision’, under Article 47 of the GDPR, endorsing a new legal framework for transferring personal data from the EU to the USA. Subject to approval by other EU institutions, the decision paves the way for “Privacy Shield 2.0” to be in effect by Spring 2023.

The Background

In July 2020, the European Court of Justice (ECJ) in “Schrems II”, ruled that organisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework as a legal transfer tool as it failed to protect the rights of EU data subjects when their data was accessed by U.S. public authorities. In particular, the ECJ found that US surveillance programs are not limited to what is strictly necessary and proportionate as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights. Secondly, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the USA, as required by Article 47 of the EU Charter.

The ECJ stated that organisations transferring personal data to the USA can still use the Article 49 GDPR derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporter to make a complex assessment  about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. 

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the USA hoping that regulators will wait for a new Transatlantic data deal before enforcing the judgement.  Whilst the UK Information Commissioner’s Office (ICO) seems to have adopted a “wait and see” approach, other regulators have now started to take action. In February 2022, the French Data Protection Regulator, CNIL, ruled that the use of Google Analytics was a breach of GDPR due to the data being transferred to the USA without appropriate safeguards. This followed a similar decision by the Austrian Data Protection Authority in January. 

The Road to Adequacy

Since the Schrems ruling, replacing the Privacy Shield has been a priority for EU and US officials. In March 2022, it was announced that a new Trans-Atlantic Data Privacy Framework had been agreed in principle. In October, the US President signed an executive order giving effect to the US commitments in the framework. These include commitments to limit US authorities’ access to data exported from the EU to what is necessary and proportionate under surveillance legislation, to provide data subjects with rights of redress relating to how their data is handled under the framework regardless of their nationality, and to establish a Data Protection Review Court for determining the outcome of complaints.

Schrems III?

The privacy campaign group, noyb, of which Max Schrems is Honorary Chairman, is not impressed by the draft adequacy decision. It said in a statement:

“…the changes in US law seem rather minimal. Certain amendments, such as the introduction of the proportionality principle or the establishment of a Court, sound promising – but on closer examination, it becomes obvious that the Executive Order oversells and underperforms when it comes to the protection of non-US persons. It seems obvious that any EU “adequacy decision” that is based on Executive Order 14086 will likely not satisfy the CJEU. This would mean that the third deal between the US Government and the European Commission may fail.”

Max Schrems said: 

… As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.”

The draft adequacy decision will now be reviewed by the European Data Protection Board (EDPB) and the European Member States. From the above statements it seems that if Privacy Shield 2.0 is finalised, a legal challenge against it is inevitable.

UK to US Data Transfers 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, all often involve a transfer of personal data to the US. At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. A new UK international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified. 

Good news may be round the corner for UK data exporters. The UK Government is also in the process of making an adequacy decision for the US. We suspect it will strike a similar deal once the EU/US one is finalised.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Our next online GDPR Practitioner Certificate course, starting on 10th January, is fully booked. We have places on the course starting on 19th January. 

New US-EU Data Transfer Announcement: Time to celebrate?

On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement will replace the Privacy Shield Framework as a mechanism for lawfully transferring personal data from the EEA to the US in compliance with Article 44 of the GDPR. As for UK/US data transfers and compliance with the UK GDPR is concerned, it is expected that the UK Government will strike a similar deal once the EU/US one is finalised.

The need for a “Privacy Shield 2.0” arose two years ago, following the judgment of the European Court of Justice (ECJ) in “Schrems II” which stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. They must consider using the Article 49 derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment  about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the US hoping that regulators will wait for a new deal before enforcing Article 44.  Whilst the UK Information Commissioner’s Office (ICO) seems to still have a “wait and see” approach, others have started to enforce. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR due to the data being transferred to the US without appropriate safeguards. This followed a similar decision by Austrian Data Protection Authority in January. 

Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, which one does not involve a transfer of personal data to the US? At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. In the UK, a new international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified. 

Has the Trans-Atlantic Data Privacy Framework saved DPOs hours of work? But before you break open the bubbly, it is important to understand that this is just an agreement in principle. The parties will now need to draft legal documents to reflect the agreed principles. This will take at least a few months and will then have to be reviewed by the European Data Protection Board (EDPB) adding more time. And of course there is the strong possibility of a legal challenge especially if the ECJ’s concerns about US surveillance laws are not addressed. Max Schrems said in a statement:

We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.” 

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

What should organisations do in the meantime? Our view is, if you have any choice in the matter, stick to personal data transfers to adequate countries i.e. those which have been deemed adequate by the UK/EU under Article 45. This will save a lot of time and head scratching conducting TRAs and executing SCCs. Where a US/non-adequate country transfer is unavoidable, a suitable transfer mechanisms has to be used as per Article 45. Of course for genuine one-off transfers the provisions of Article 49 derogations are worth considering. 

Only 2 places left on our Advanced Certificate in GDPR Practice course starting in April. We have also just announced three new GDPR workshops for experienced practitioners.

The New Saudi Arabian Federal Data Protection Law 

The Middle East is fast catching up with Europe when it comes to data protection law. The Kingdom of Saudi Arabia(KSA) has enacted its first comprehensive national data protection law to regulate the processing of personal data. This is an important development alongside the passing of the new UAE Federal DP law. It also opens up opportunities for UK and EU Data Protection professionals especially as these new laws are closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR

The KSA Personal Data Protection Law (PDPL) was passed by Royal Decree M/19 of 9/2/1443H on 16 September 2021, approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The detailed Executive Regulations are expected to be published soon and will give more details about the new law. It will be effective from 23rd March 2022 following which there will be a one year implementation period.

Enforcement 

PDPL will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA).The Executive Regulations will set out the administrate penalties that can be imposed on organisations for breaches. Expect large fines for non-compliance alongside other sanctions. PDPL could mirror the GDPR which allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. PDPL also contains criminal offences which carry a term of imprisonment up to 2 years and/or a fine of up to 3 million Saudi Royals (approximately £566,000). Affected parties may also be able to claim compensation.

Territorial Scope

PDPL applies to all organisations that are processing personal data in the KSA irrespective of whether the data relates to Data Subjects living in the KSA. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the KSA. Interestingly, unlike the UAE Federal DP law, PDPL does not exempt government authorities from its application although there are various exemptions from certain obligations where the data processing relates to national security, crime detection, statutory purposes etc.

Notable Provisions

PDPL mirrors GDPR’s underlying principles of transparency and accountability and empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions including links to previous GDPR blog posts for readers wanting more detail, although more information about the finer points of the new law will be included in the forthcoming Executive Regulations. 

  • Personal Data – PDPL applies to the processing of personal data which is defined very broadly to include any data which identifies a living individual. However, unlike GDPR, Article 2 of PDPL includes within its scope, the data of a deceased person if it identifies them or a family member.
  • Registration  Article 23 requires Data Controllers (organisations that collect personal data and determine the purpose for which it is used and the method of processing) to register on an electronic portal that will form a national record of controllers. 
  • Lawful Bases – Like the UAE Federal DP law, PDPL makes consent the primary legal basis for processing personal data. There are exceptions including, amongst others, if the processing achieves a “definite interest” of the Data Subject and it is impossible or difficult to contact the Data Subject.
  • Rights – Data Subjects are granted various rights in Articles 4,5 and 7 of the PDPL which will be familiar to GDPR practitioners. These include the right to information (similar to Art 13 of GDPR), rectification, erasure and  Subject Access. All these rights are subject to similar exemptions found in Article 23 of GDPR.
  • Impact Assessments – Article 22 requires (what GDPR Practitioners call) “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 20 requires organisations to notify the regulator, as well as a Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 3 to keep records similar to a Record of Processing Activities(ROPA) under GDPR.
  • International Transfers – Like other data protection regimes PDPL  imposes limitations on the international transfer of personal data outside of the KSA. . There are exceptions; further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint at least one officer to be responsible for compliance with PDPL. The DPO can be an employee or an independent service provider and does not need to be located in the KSA. 
  • Training – After 23 March 2022, Data Controllers will be required to hold seminars for their employees to familiarise them with the new law.

Practical Steps

Organisations operating in the KSA, as well as those who are processing the personal data of KSA residents, need to assess the impact of PDPL on their data processing activities. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  1. Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes. 
  2. Training staff at all levels to understand PDPL at how it will impact on their role.
  3. Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  4. Reviewing how records management and information risk  is addressed within the organisation.
  5. Drafting Privacy Notices to ensure they set out the minimum information that should be included.
  6. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
  7. Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
  8. Appointing and training a  Data Protection Officer.

Act Now Training can help your organisation prepare for PDPL. We are running a webinar on this topic soon and can also deliver more detailed in house training. Please get in touch to discuss you training needs. We are in Dubai and Abu Dhabi from 16th to 21st January 2022 and would be happy to arrange a meeting.

The New UAE Federal Data Protection Law

The United Arab Emirates has enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) was published by the Cabinet Office on 27th November 2021 as part of a legal reform programme in advance of the UAE’s Golden Jubilee. The detailed Executive Regulations are expected to be published on 20th  March 2022 with the new law becoming fully enforceable six months later.

The UAE is no stranger to data protection laws. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 became enforceable in October 2020. However, it only applies companies under the jurisdiction of the DIFC as well as those processing personal data on their behalf.  In February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 with the same limited applicability.  There are also a number of other sector specific laws in the UAE which address personal privacy and data security. 

Applicability

PDPL applies to all organisations that are processing personal data in the UAE irrespective of whether the data relates to Data Subjects living in the UAE. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the UAE. PDPL does not apply to government data, government authorities that control or process personal data and personal data held by security and judicial authorities. Health data, credit data and banking data are also excluded as they are protected by other laws.

Key Provisions

PDPL is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It mirrors their underlying principles of transparency and accountability and, like them, empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions. We have included links to previous GDPR blog posts useful for readers wanting more detail:

  • Lawful Bases – Article 4 states that personal data can only be processed with the consent of the Data Subject. Exceptions include, amongst others, if the processing is: necessary to execute a contract to which the Data Subject is a party; required to protect interests of the public; relates to data already in the public domain; necessary to comply with other laws. Interestingly, PDPL does not include “legitimate interests” as a lawful basis for processing, as is found in GDPR.
  • Consent – Where consent is used as the lawful basis for processing personal data, it should be obtained from Data Subjects in a specific, clear and unambiguous form and should be freely given through a clear affirmative statement or action (Article 6). Consent can be withdrawn at any time.
  • Rights – Data Subjects are granted various rights in Articles 14-18 of the PDPL which will be familiar to GDPR practitioners. These include  Subject AccessData Portability, rectification or erasure of personal data, restriction on processing, objection to automated decision making and the right to stop processing.
  • Data Protection Impact Assessments – Article 21 requires, what GDPR Practitioners call, “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
  • Breach Notification – Article 9 requires organisations to notify the regulator, as well as a Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
  • Data Processors – PDPL imposes direct compliance obligations on Data Processors in Article 8 and obligations on Data Controllers when engaging them, similar to Article 28 of GDPR e.g. contracts.
  • Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 7 to “keep a register of Personal Data” similar to a Record of Processing Activities(ROPA) under GDPR.
  • International Transfers – Article 22  imposes limitations on the international transfer of personal data outside of the UAE.  Similar to the concept of the “adequacy” under the GDPR, the regulator is expected to approve certain countries as having “sufficient provisions, measures, controls, requirements and rules” for protecting privacy and confidentiality of personal data. Article 23 sets out exceptions although further details will be set out in the Executive Regulations.
  • Data Protection Officers – Organisations (both controllers and processors) will need to appoint a Data Protection Officer (DPO) in certain circumstances, set out in Article 10, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO can be an employee or an independent service provider and does not need to be located in the UAE. Articles 11 set out the responsibilities of the DPO and it is interesting to note that, just like under the GDPR, the PDPL gives the role protected status i.e. they cannot be dismissed for doing their job.

Enforcement 

PDPL will be enforced by the UAE’s Data Office. The Executive Regulations will set out the administrate penalties that can be imposed on organisations for breaches. They could mirror current laws, such as the DIFC DP Law, where the maximum fine for a breach is $100,000. Organisations may also be required to pay compensation directly to Data Subjects or be sued by them. Alongside other sanctions, GDPR allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. It will be interesting to see if PDPL follows GDPR.

Practical Steps

PDPL is likely to become fully enforceable by the end of September 2022. Organisations operating in the UAE need to assess the impact on their data processing activities. Systems and processes need to be put in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:

  • Training staff at all levels to understand PDPL at how it will impact on their role.
  • Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
  • Reviewing how records management and information risk  is addressed within the organisation.
  • Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
  • Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
  • Appointing and training a  Data Protection Officer.

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law. More Information: https://actnowtraining.blog/2023/12/13/act-now-partners-with-middlesex-university-dubai-for-uaes-first-executive-certificate-in-dp-law/

International Transfers under the UK GDPR: What next?

In August, the Information Commissioner’s Office (ICO) launched a public consultation on its much anticipated draft guidance for international transfers of personal data and associated transfer tools. The aim of the consultation is to explore how to address the realities of the UK’s post Brexit data protection regime.

Chapter 5 of the UK GDPR mirrors the international transfer arrangements of the EU GDPR. There is a general prohibition on organisations transferring personal data to a country outside the UK, unless they ensure that data subjects’ rights are protected. This means that, if there is no adequacy decision in respect of the receiving country, one of the safeguards set out in Article 46 of the UK GDPR must be built into the arrangement. These include standard contractual clauses (SCCs) and binding corporate rules. The former need to be included in a contract between the parties (data exporter and importer) and impose certain data protection obligations on both.

The Current Transfer Regime

Until recently, many UK organisations were using the EU’s approved SCCs with a few ICO suggested amendments to fit the UK context. This was despite the fact that they needed updating in the light of the binding judgment of the European Court of Justice(ECJ) in a case commonly known as “Schrems II”. 

In this case the ECJ concluded that organisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must now consider using the Article 49 derogations or SCCs. If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. 

In the light of the above, the new EU SCCs were published in June. The European Data Protection Board has also published its guidance on the aforementioned required assessment entitled “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.

The Proposed UK Transfer Regime

Following Brexit, the UK is no longer part of the EU. Consequently, the UK has to develop its own international data transfer regime, including SCCs. The ICO is consulting on new guidance as well as a series of proposed international data transfer materials including:

A Transfer Risk Assessment (TRA) – Equivalent to the European Transfer Impact Assessment, this is designed to assist organisations to conduct risk assessments of their international personal data transfers, following the requirements set out in Schrems. The TRA is not mandatory, as organisations are also free to use their own methods to assess risk but does indicate the ICO’s expectations.

An International Data Transfer Agreement – Equivalent to the European SCCs, this a contract that organisations can use when transferring data to countries not covered by adequacy decisions.

The Addendum – This is designed to be used alongside the European Commission SCCs, to allow them to be used to safeguard a transfer under the UK GDPR, instead of the IDTA. It makes limited amendments to the EU SCCs to make them work in a UK context. 

The deadline for responses to the consultation is 5.00pm on Thursday 7th October 2021. The ICO will then review the responses before issuing  the finalised materials (on a date yet to be announced).  Whatever the result of the consultation, organisations need to consider now which of their international data transfers will be affected and what resources will be required to implement the new regime.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop and international transfers webinar.

Our next online GDPR Practitioner Certificate course start in October. We also have a classroom course starting in November in Manchester. 

Viva Las Vegas

Welcome to fabulous Las Vegas sign

Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.

high_rez_NAPCP all black with url

The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.

In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.

The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.

Diane McGuire, CPCP, MBA, Managing Director of the NACP, said:

“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”

This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.

Ibrahim Hasan said:

“I am really pleased to address the NACP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”

Regular registration is now open for the event. Head over to this link to confirm registration.

NAPCPConferenceLogo_2020-high rez

Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.

Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”; where Members states are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5 size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural readying of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Myanmar’s (Burma) Rakhine state. They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.

Act Now in Brunei

Act Now is pleased to announce that it has recently won a contract to deliver data protection consultancy services to the Government of Brunei.

Mosque canstockphoto4493457

Negara Brunei Darussalam, to give Brunei its full name, is a small country located in Southeast Asia. It is surrounded by Malaysia and has two parts physically separated by Malaysia. For those (like us) who have never been to Brunei, here is a quick guide.

Amongst other things, Act Now’s work for the Brunei Government will involve developing a Data Protection Audit manual based on the Data Protection Policy released by the Brunei Government. This will include guidance on DP audit planning, preparation and the use of DP audit templates. In time we hope to be training government officials on the developed Audit Manual and procedure.

Act Now has been delivering information governance consultancy services to the UK public sector for many years. This includes preparing for audits, designing standard documents and policies and carrying out DP and FOI health checks. We have also developed a number of off-the-shelf products.

The Brunei project will be led by Ibrahim Hasan and Tim Turner, well known experts and trainers in this field. Commenting on the award of the contract, Ibrahim Hasan said:

“I am very pleased that our good work in the UK has now been recognised internationally. This project will give us an opportunity to showcase our expertise to an international audience. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills.”

If you would like to know more about how Act Now can help you please get in touch by e mail.