The Data Protection and Digital Information Bill, which makes changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), will enter the Report stage in the House of Lords on 10th June (scheduled for two days). Whilst amendments can still be made, none have been tabled so far.
The Bill as amended by the Grand Committee can be read here. The Keeling Schedules, showing changes to the UK GDPR, might be more useful, though they were published in March before the Grand Committee stage.
The Bill still needs to go through the Third Reading stage in the House of Lords but it now seems very likely that it will receive Royal Assent before the Parliamentary Summer Recess begins on 23rd July 2024. Some of the provisions of the Bill will come into force as soon as it is passed. Most others will require regulations to be bring them into force which could also include a transition phase.
Yesterday, Rachel Cunliffe, Associate Political Editor of the New Statesman, reported that she had received an email from the Conservative Campaign Headquarters (CCHQ) about their forthcoming conference. However she could also see the other 344 recipients as they were all listed in the “To” box, along with their email addresses. CCHQ had made the classic mistake of failing to use blind carbon copy (BCC) and thus, by exposing the personal data of recipients, breached the UK GDPR.
Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year. But this incident is not just about exposing some email addresses. Recipients of the CCHQ email will be able to make assumptions about the political affiliations of their fellow recipients. Even if these assumptions are wrong, the emails can be classed as Special Category Data under the UK GDPR and thus more sensitive than other personal data.
So can the CCHQ expect a knock on the door from the ICO? Will they be fined? Whatever your political persuasion, you may think this error from those who run the Government, deserves the strongest sanction. As Cunliffe writes:
“If you can’t trust the Conservatives with your email address, why should you trust them with anything else.”
Inadvertent disclosure of personal data email, by failing to use BCC, has been the subject of a number of GDPR enforcement actions by the ICO in the past few years. Just last December, the Ministry of Defence (MoD) was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. In October 2021, HIV Scotland was issued with a £10,000 fine when it sent an email to 105 people which included patient advocates representing people living with HIV. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk; also Special Category Data.
The ICO could follow the above examples and issue a fine; although in two recent cases it has gone for a softer option. Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in the same way.
In statement issued on X, the ICO said:
“The Conservative Party has made us aware of this incident and we are assessing the information provided.”
The Conservative Party has form when it comes to GDPR non-compliance. Recently we wrote about The Good Law Project’s challenge to the Tory’s “data harvesting” from users of its online tax calculator. But this latest data breach is about more than GDPR compliance. To quote Rachel Cunliffe again:
“This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?”
The breach came on the day Rishi Sunakgave a speech to the Policy Exchange about the power of technology and how he, rather than Keir Starmer, could keep us safe. You can watch Sunak’s speech here although we prefer comedian Matt Green’s brilliant satirical take on it here.
Within the health and social care sector, new technologies that use large amounts of personal data are being used to support both direct care and secondary purposes, such as planning and research. An example is the the use of AI to provide automated diagnoses based on medical imaging data from patients.
Transparency is a key principle of UK Data Protection legislation. Compliance with the first data protection principle and Article 13 and 14 of the UK GDPR ensures that data subjects are aware of how their personal data is used, allowing them to make informed choices about who they disclose their data to and how to exercise their data rights.
On Monday the Information Commissioner’s Office (ICO) published new guidance to assist health and social care organisations to comply with their transparency obligations under the UK GDPR. It supplements existing ICO guidance on the principle of transparency and the right to be informed.
The guidance is aimed at all organisations, including from the private and third sector, who deliver health and social care services or process health and social care information. This includes local authorities, suppliers to the health and social care sector, universities using health information for research purposes and others (e.g. fire service, police and education) that use health information for their own purposes. The guidance will help them to understand the definition of transparency and assess appropriate levels of transparency, as well as providing practical steps to developing effective transparency information.
In 2022, Act Now Training teamed up with Damar to support their delivery of the new Data Protection and Information Governance Practitioner Apprenticeship. The aim is to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address future IG challenges. Two years on, over 130 apprentices are currently on the programme with the first cohort about to undertake the end point assessment.
Data Protection and Information Governance Apprentice, Natasha Lock, is an integral part of the Governance and Compliance team at the University of Lincoln. With the Data Protection and Digital Information (No.2) Bill set to make changes to the UK data protection regime, Natasha talks to us about why this is a great area to work in and how the apprenticeship route has been particularly beneficial for her.
How did you get onto the apprenticeship?
“I was already working at the university as an Information Compliance Officer when the opportunity for a staff apprenticeship came up.
“The process was swift and straightforward, and I was enrolled on the Data Protection and Information Governance Apprenticeship within three months of enquiring.”
How has the apprenticeship helped you?
“I started with a good understanding of the UK Data Protection legislation but my knowledge has grown significantly, and now I’m coming to the end of my level 4 apprenticeship, I’ve gained so much more insight and my confidence has grown.
“As a university, we hold vast amounts of data. My apprenticeship is allowing me to solve the challenge of data retention and implement better measures to retain, destroy and archive information. I have developed a greater understanding of the legislative requirements we must adhere to as a public sector institute and how to reduce and assess data protection risks.
“I love the fact that I can study whilst still doing my job. The flexibility works for me because I can go through course materials at my own pace. I really feel like I have a brilliant work/life/study balance.
“The University of Lincoln and Damar Training have been fantastic in supporting me. I get along with my coach, Tracey, so well. She is very friendly and personable and has enabled my creativity to flow.
“The course is very interactive, and I’ve found the forums with other apprentices to be a very useful way of sharing knowledge, ideas and stories.
“I’m enjoying it so much and people have noticed that my confidence has grown. I wouldn’t have had that without doing this apprenticeship. I’ve now got my sights on doing a law degree or law apprenticeship in the future.”
Abi Slater, Information Compliance Manager at Lincoln University, said: “It has been great to see how much Natasha has developed over the course of the apprenticeship. I believe the apprenticeship has provided Natasha with the knowledge and skills required to advance in her data protection career and the support from her coach at Damar Training has been excellent.
“I would encourage anyone with an interest in data protection and information governance to consider this apprenticeship.”
Tracey Coetzee, Coach at Damar Training said: “The Data Protection and Information Governance Apprenticeship was only approved by the Institute of Apprenticeships in 2022, and its delightful to see apprentices flourishing on the programme.
“From cyber security to managing data protection risks, this programme is upskilling participants and adding value to both private and public sector organisations and we’re thrilled to see the first cohort, including Natasha, approach the completion of their training.”
If you are interested in the DP and IG Apprenticeship, please see our website for more details and get in touch to discuss further.
Kate Middleton seems to be at the centre of much media (and social media) attention at present. In addition to speculation about her health and whereabouts, there has been much focus and analysis of the now famous photoshopped Mother’s Day photo.
This week it was reported that employees at the private London Clinic in Marylebone, where Kate was a patient following abdominal surgery in January, attempted to view her medical records. Reportedly three employees have now been suspended.
The Health Minister, Maria Caulfield, told Sky News it was “pretty severe and serious stuff to be accessing notes that you don’t have permission to”. She also said police had been “asked to look at” whether staff at the clinic attempted to access the princess’s private medical records.
If the reports are true and individuals are proven to have been “snooping”, what are the consequences? Firstly, this would normally be a matter for the Information Commissioner’s Office (ICO) to investigate rather than the police. Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly:
(a) obtain or disclose personal data without the consent of the controller,
(b) procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
Section 170 is similar to the offence under section 55 of the old Data Protection Act 1998 which was often used to prosecute employees who had accessed healthcare and financial records without a legitimate reason. In June 2023, the ICO disclosed that since 1st June 2018, 92 cases involving Section 170 offences were investigated by its Criminal Investigations Team.
Consequences
Section 170 is only punishable by way of a fine; perpetrators cannot be sent to prison. Although there is now no cap on the maximum fine, prosecutions have resulted in relatively low fines compared to the harm caused.
Two recent prosecutions have involved employees accessing medical records. In November 2023, Loretta Alborghetti, was fined for illegally accessing the medical records of over 150 people. The offence took place whilst she worked as a medical secretary at Worcestershire Acute Hospitals NHS Trust. She was ordered to pay a total of £648.
In August 2022, Christopher O’Brien, a former health adviser at the South Warwickshire NHS Foundation Trust, pleaded guilty to accessing medical records of patients without a valid legal reason. An ICO investigation found that he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim saying it put them off from going to their doctor. O’Brien was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Computer Misuse Act
A Section 170 prosecution would have a much greater deterrent effect if the sanctions included a custodial sentence. Successive Information Commissioners have argued for this but to no avail.
The relatively low fines have led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims.
The ICO has now confirmed that it has a personal data breach report from The London Clinic. If its investigation, finds the Clinic did not comply with its security obligations under the Article 5(1)(f)) and Article 32 of the UK GDPR, it faces a possible maximum Monetary Penalty Notice of £17.5m or 4% of gross annual turnover (whichever is higher). This case highlights the importance of organisations ensuring adequate security measures around sensitive personal data especially where the data relates to high profile individuals.
This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. There are only 3 places left on our next GDPR Practitioner Certificate.
Last week the BBC reported that police officers made offensive comments about an assault victim while watching body camera footage of her exposed body.
The woman had been arrested by Thames Valley Police and placed in leg restraints before being recorded on body-worn cameras. While being transported to Newbury police station, she suffered a seizure which resulted in her chest and groin being exposed. A day later she was released without charge.
A female officer later reviewed the body camera footage, which the force told Metro.co.uk was for ‘evidential purposes’ and ‘standard practice’. The BBC reports that three male colleagues joined her and made offensive comments about the victim. The comments were brought to the attention of senior police officers by a student officer, who reported his colleagues for covering up the incident. The student officer was later dismissed; though the police said this was unrelated to the report.
The policing regulator says Thames Valley Police should have reported the case for independent scrutiny. The force has now done so, following the BBC investigation.
This is not the first time the BBC has highlighted such an issue. In September 2023 it revealed the findings of a two-year investigation. It obtained reports of misuse from Freedom of Information requests, police sources, misconduct hearings and regulator reports. It found more than 150 camera misuse reports with cases to answer over misconduct, recommendations for learning or where complaints were upheld. (You can watch Bodycam cops uncovered on BBC iPlayer)
The most serious allegations include:
Cases in seven forces where officers shared camera footage with colleagues or friends – either in person, via WhatsApp or on social media
Images of a naked person being shared between officers on email and cameras used to covertly record conversations
Footage being lost, deleted or not marked as evidence, including video, filmed by Bedfordshire Police, of a vulnerable woman alleging she had been raped by an inspector – the force later blamed an “administrative error”
Switching off cameras during incidents, for which some officers faced no sanctions – one force said an officer may have been “confused”
Body worn cameras are used widely these days by not just police but also council officers, train guards, security staff, and parking attendance (to name a few).
There is no all-encompassing law regulating body worn cameras. Of course they are used to collect and process personal data therefore will be subject to the UK GDPR. Where used covertly they also be subject to Regulation of Investigatory Powers Act 2000.
The Information Commissioner’s Office (ICO) provides comprehensive guidelines on the use of CCTV, which are largely considered to extend to body worn cameras(BWCs) for security officers. There is a useful checklist on its website which recommends:
Conducting a Data Protection Impact Assessment (DPIA) that fully addresses use of BWCs, and addresses any impact on the rights and freedoms of individuals whose personal data are captured.
Providing a privacy information to individuals using BWCs, such as clear signage, verbal announcements or lights/indicators on the device itself and having readily available privacy policies.
Training staff using BWV to inform individuals that recording may take place if it is not obvious to individuals in the circumstances.
Having appropriate retention and disposal policies in place for any footage that is collected.
Having efficient governance procedures in place to be able to retrieve stored footage and process it for subject access requests or onward disclosures where required.
Using technology which has the ability to efficiently and effectively blur or mask footage, if redaction is required to protect the rights and freedoms of any third parties.
Our one-day CCTV workshop will teach you how to plan and implement a CCTV/BWC project including key skills such as completing a DPIA and assessing camera evidence. Our expert trainer will answer all your questions including when you can use CCTV/BWC, when it can be covert and how to deal with a request for images.
This workshop is suitable for anyone involved in the operation of CCTV, BWCs and drones including DPOs, investigators, CCTV operators, enforcement officers, estate managers and security personnel.
The UK government’s anti-radicalisation program, Prevent, is reportedly sharing the personal details of thousands of individuals more extensively than previously known. This sharing includes not just counter-terrorism units, but also airports, ports, immigration services, and officials at the Home Office and the Foreign, Commonwealth and Development Office (FCDO). Critics argue that such widespread data sharing could be illegal, as it involves moving sensitive personal data between databases without the consent of the individuals.
A Metropolitan police document titled “Prevent case management guidance” indicates that Prevent details are also shared with the ports authority watchlist. This raises concerns that individuals may face increased scrutiny at airports or be subjected to counter-terrorism powers without reasonable suspicion. The document also mentions that foreign nationals may have their backgrounds checked by the FCDO and immigration services for any overseas convictions or intelligence.
Furthermore, the Acro Criminal Records Office, which manages UK criminal records, is notified about individuals referred to Prevent, despite the program dealing with individuals who haven’t necessarily engaged in criminal behaviour. Counter-terror police emphasise their careful approach to data sharing, which aims to protect vulnerable individuals.
Prevent’s goal is to divert people from terrorism before they offend, and most people are unaware of their referral to the program. 95% of referrals result in no further action. A secret database, the National Police Prevent Case Management database, was previously disclosed in 2019, revealing the storage of details of those referred to Prevent.
Newly disclosed information, obtained through a freedom of information request by the Open Rights Group (ORG), reveals that Prevent data is shared across various police databases, including the Police National Computer, specialised counter-terrorism and local intelligence systems, and the National Crime Agency.
The sharing of this data was accidentally revealed due to a redaction error in a heavily edited Met document. Despite its sensitive nature, the ORG decided to make the document public. Sophia Akram of the ORG expressed concerns over the extent of the data sharing and potential harms, suggesting that it could be unfair and possibly unlawful.
The guidance also indicates that data is retained and used even in cases where no further action is taken. There are concerns about the impact on young people’s educational opportunities, as Prevent requires public bodies like schools and the police to identify individuals at risk of extremism.
Recent figures show thousands of referrals to Prevent, predominantly from educational institutions. From April 2022 to March 2023, a total of 6,817 individuals were directed to the Prevent program. Within this group, educational institutions were responsible for 2,684 referrals. Breaking down the referrals by age, there were 2,203 adolescents between the ages of 15 and 20, and 2,119 referrals involved children aged 14 or younger.
There are worries about the long-term consequences for children and young people referred to the program. Several cases have highlighted the intrusive nature of this data sharing and its potential impact on individuals’ lives. Cases in which students have missed gaining a place at a sixth form college and other cases involving children as young as four years old.
Prevent Watch, an organisation monitoring the program, has raised alarms about the data sharing, particularly its effect on young children. The FoI disclosures challenge the notion that Prevent is non-criminalising, as data on individuals, even those marked as ‘no further action’, can be stored on criminal databases and flagged on watchlists.
Counter-terrorism policing spokespeople defend the program, emphasising its multi-agency nature and focus on protecting people from harm. They assert that data sharing is carefully managed and legally compliant, aiming to safeguard vulnerable individuals from joining terror groups or entering conflict zones.
Learn more about data sharing with our UK GDPR Practitioner Certificate. Dive into the issues discussed in this blog and secure your spot now.
In a stark reminder of the persistent threat of cybercrime, the British Library has confirmed a data breach incident that has led to the exposure of sensitive personal data, with materials purportedly up for auction online. An October intrusion by a notorious cybercrime group targeted the library, which is home to an extensive collection, including over 14 million books.
Recently, the ransomware group Rhysida claimed responsibility, publicly displaying snippets of sensitive data, and announcing the sale of this information for a significant sum of around £600k to be paid in cryptocurrency.
While the group boasts about the data’s exclusivity and sets a firm bidding deadline (today 27th November 2023), the library has only acknowledged a leak of what seems to be internal human resources documents. It has not verified the identity of the attackers nor the authenticity of the sale items. The cyber attack has significantly disrupted the library’s operations, leading to service interruptions expected to span several months.
In response, the library has strengthened its digital defenses, sought expert cybersecurity assistance, and urged its patrons to update their login credentials as a protective measure. The library is working closely with the National Cyber Security Centre and law enforcement to investigate, but details remain confidential due to the ongoing inquiry.
The consequences of the attack have necessitated a temporary shutdown of the library’s online presence. Physical locations, however, remain accessible. Updates can be found the British Library’s X (née twitter) feed. The risk posed by Rhysida has drawn attention from international agencies, with recent advisories from the FBI and US cybersecurity authorities. The group has been active globally, with attacks on various sectors and institutions.
The British Library’s leadership has expressed appreciation for the support and patience from its community as it navigates the aftermath of the cyber attack.
What is a Ransomware Attack?
A ransomware attack is a type of malicious cyber operation where hackers infiltrate a computer system to encrypt data, effectively locking out the rightful users. The attackers then demand payment, often in cryptocurrency, for the decryption key. These attacks can paralyse organisations, leading to significant data loss and disruption of operations.
Who is Rhysida?
The Rhysida ransomware group first came to the fore in May of 2023, following the emergence of their victim support chat portal hosted via the TOR browser. The group identifies as a “cybersecurity team” who highlight security flaws by targeting victims’ systems and spotlighting the supposed potential ramifications of the involved security issues.
How to prevent a Ransomware Attack?
Hackers are becoming more and more sophisticated in ways they target our personal data. We have seen this with banking scams recently. However there are some measures we can implement personally and within our organisations to prevent a ransomware attack.
Avoid Unverified Links: Refrain from clicking on links in spam emails or unfamiliar websites. Hackers frequently disseminate ransomware via such links, which, when clicked, can initiate the download of malware. This malware can then encrypt your data and hold it for ransom.
Safeguard Personal Information: It’s crucial to never disclose personal information such as addresses, NI numbers, login details, or banking information online, especially in response to unsolicited communications.
Educate Employees: Increasing awareness among employees can be a strong defence. Training should focus on identifying and handling suspicious emails, attachments, and links. Additionally, having a contingency plan in the event of a ransomware infection is important.
Implement a Firewall: A robust firewall can act as a first line of defence, monitoring incoming and outgoing traffic for threats and signs of malicious activity. This should be complemented with proactive measures such as threat hunting and active tagging of workloads.
Regular Backups: Maintain up-to-date backups of all critical data. In the event of a ransomware attack, having these backups means you can restore your systems to a previous, unencrypted state without having to consider ransom demands.
Create Inventories of Assets and Data: Having inventories of the data and assets you hold allows you to have an immediate knowledge of what has been compromised in the event of an attack whilst also allowing you to update security protocols for sensitive data over time.
Multi-Factor Authentication: Identifying legitimate users in more than one way ensures that you are only granting access to those intended.
These are some strategies organisations can use as part of a more comprehensive cybersecurity protocol which will significantly reduce the risk of falling victim to a ransomware attack.
An investigation by The Observer has uncovered that the UK Biobank, a repository of health data from half a million UK citizens, has been sharing information with insurance companies. This development contravenes the Biobank’s initial pledge to keep this sensitive data out of the hands of insurers, a promise that was instrumental in garnering public trust at the outset. UK Biobank has since come out and responded to the article calling it “disingenuous” and “extremely misleading”.
A Promise Made, Then Modified
The UK Biobank was set up in 2006 as a goldmine for scientific discovery, offering researchers access to a treasure trove of biological samples and associated health data. With costs for access set between £3,000 and £9,000, the research derived from this data has been nothing short of revolutionary. However, the foundations of this scientific jewel are now being questioned.
When the project was first announced, clear assurances were given that data would not be made available to insurance companies, mitigating fears that genetic predispositions could be used discriminatorily in insurance assessments. These assurances appeared in the Biobank’s FAQs and were echoed in parliamentary discussions.
Changing Terms Amidst Grey Areas
The Biobank contends that while it does strictly regulate data access, allowing only verified researchers to delve into its database, this includes commercial entities such as insurance firms if the research is deemed to be in the public interest. The boundaries of what constitutes “health-related” and “public interest” are now under scrutiny.
However, according to the Observer investigation, evidence suggests that this nuance—commercial entities conducting health-related research—was not clearly communicated to participants, especially given the categorical assurances given previously although the UK Biobank categorically denies this and shared its consent form and information leaflet.
Data Sharing: The Ethical Quandary
This breach of the original promise has raised the ire of experts in genetics and data privacy, with Prof Yves Moreau highlighting the severity of the breach of trust. The concern is not just about the sharing of data but about the integrity of consent given by participants. The Biobank’s response indicates that the commitments made were outdated and that the current policy, which includes sharing anonymised data for health-related research, was made clear to participants upon enrolment.
The Ripple Effect of Biobank’s Data Policies
Further complicating matters is the nature of the companies granted access. Among them are ReMark International, a global insurance consultancy, Lydia.ai, a Canadian “insurtech” firm that wants to give people “personalised and predictive health scores”, and Club Vita, a longevity data analytics company. These companies have utilised Biobank data for projects ranging from disease prediction algorithms to assessing longevity risk factors. The question that is raised is how can one ensure that this is in fact in the Public Interest, do we take a commercial entities word for this? UK Biobank says all research conducted is “consistent with being health-related and in the public interest” and it has an expert data access committee who decide on any complex issues but the who checks the ethics of the ethics committee? The issues with this self-regulation are axiomatic.
The Fallout and the Future
This situation has led to a broader conversation about the ethical use of volunteered health data and the responsibility of custodians like the UK Biobank to uphold public trust. As technology evolves and the appetite for data grows across industries, the mechanisms of consent and transparency may need to be revisited. The Information Commissioner’s Office is now considering the case, spotlighting the crucial need for clarity and accuracy in how organisations manage and utilise sensitive personal information.
As the UK Biobank navigates these turbulent waters, the focus shifts to how institutions like it can maintain the delicate balance between facilitating scientific progress and safeguarding the privacy rights of individuals who contribute their personal data for the greater good. For the UK Biobank, regaining the trust of its participants and the public is now an urgent task, one that will require more than just a careful review of policies but a reaffirmation of its commitment to ethical stewardship of the data entrusted to it.
Take a look at our highly popular Data Ethics Course. Places fill up fast so if you would like learn more in this fascinating area, book your place now.
Today (14th September 2023), Saudi Arabia’s first ever data protection law comes into force. Organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities. They have until 13th September 2024 to prepare and become fully compliant.
Background
The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) which has published the aforementioned regulations. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.
Following a consultation period, we also now have the final versions of the Implementing Regulations and the Personal Data Transfer Regulations; both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers.
13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so could lead to enforcement action and also reputational damage. The following should be part of an action plan for compliance:
Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
Training staff at all levels to understand PDPL at how it will impact their role.
Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
Act Now Training can help your businesses prepare for the new law. We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We have experience in helping organisations in territories where a new law of this type has been implemented.
To help deliver this and other courses, Suzanne Ballabás, an experienced middle-east based data protection specialist, recently joined our team of associates. We can deliver Online or Face to Face training. All of our training starts with a FREE analysis call to ensure you have the right level and most appropriate content for your organisations needs. Please get in touch to discuss your training or consultancy needs.
Click on the Link Below to see our full Saudi Privacy Programme.
