Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.
The apprenticeship will help develop the skills of those working in the increasingly important fields of data protection and information governance.
With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance.
This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.
If you know someone who you think would benefit from doing an apprenticeship in DP and IG, then this may be the perfect solution for them. Places are limited for each cohort. Cohorts start in September, January and May.
Last week, the Government signalled its plans to reform the UK Data Protection regime by publishing its response to the consultation launched in September last year. In “Data: A New Direction” the Government said it intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Time will tell whether the proposed changes set out it in the response will achieve this aim.
The Government has avoided the temptation to change the title of the UK GDPR to something more post Brexit which says “see, we told you Brexit would bring benefits”. No DPA 2022, however the UK GDPR will be amended as will the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Privacy Management Programmes
The main proposed change will be to the UK GDPR’s accountability framework. This proposal would require an organisation to develop and implement a risk-based privacy management programme that reflects the volume and sensitivity of the personal information it handles, and the type(s) of data processing it carries out. A privacy management programme would include the appropriate personal information policies and processes for the protection of personal information.
To support the implementation of the new accountability framework, the Government intends to remove the requirement to :
Designate a Data Protection Officer under Article 37. This will be replaced by the need to appoint a suitable individual to oversee the organisation’s DP compliance. A DPO by another name?
Undertake a Data Protection Impact Assessment under Article 35. Under the new privacy management programme, organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements.
Maintain a Record of Processing Activity (ROPA) under Article 30. Organisations will still need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30.
Consult the ICO, under Article 36, in relation to high-risk personal data processing that cannot be mitigated
Some commentators have likened these proposals to “the Emperor’s new clothes.” There is a lot of tinkering and changing of names but the bottom line (no pun intended) remains the same. Those who take data protection seriously will continue to do what they have always done (e.g. DPIAs and having a DPO) whist those who see data protection as a burden will consider the proposals as an excuse to do the absolute minimum.
Subject Access Costs
The Government, in its response to the consultation, recognises the burden subject access requests can place on some organisations. However, despite there being a proposal in the consultation, it does not plan to reintroduce a fee for a subject access request; nor will there be a cost ceiling for responding to a request like under the Freedom of Information Act. However, in the future, “vexatious or excessive” requests will be able to be refused under Article 12. Query the difference between this and the current wording of “manifestly unfounded or excessive”.
PECR and Marketing
The government also consulted on possible changes to PECR which regulates, amongst other things, cookie rules and unsolicited direct marketing communications. The main changes to expect include:
Permitting organisations to use analytics cookies and similar technologies without a users’ consent.
Permittingorganisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription including political parties and non-commercial entities.
Making it easier for political groups to use data for “political engagement”.
Increasing the PECR fines to GDPR levels.
There are many more proposals, including to change the structure and governance of the ICO, helpfully summarised in Annex A of the Government’s response. The big question now is how the proposed changes will be viewed by the European Commission. Will it be prompted to review the UK’s current “adequacy status” allowing free transfer of personal data between the UK and the EU? Let us know your thoughts in the comment field below.
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.
Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.
The apprenticeship, which received final approval in March, will help develop the skills of those working in the increasingly important fields of data protection and information governance.
With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance.
This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.
Ibrahim Hasan, Director of Act Now, said:
“We are excited to be working Damar Training to help deliver this much needed apprenticeship. We are committed to developing the IG sector and encouraging a diverse range of entrants to the IG profession. We have looked at every aspect of the IG Apprenticeship standard to ensure the training materials equip budding IG officers with the knowledge and skills they need to implement the full range of IG legislation in a practical way.”
Damar’s managing director, Jonathan Bourne, added:
“We want apprenticeships to create real, long-term value for apprentices and organisations. It is vital therefore that we work with partners who really understand not only the technical detail but also the needs of employers.
Act Now Training are acknowledged as leaders in the field, having recently won the Information and Records Management Society (IRMS) Supplier of the Year award for the second consecutive year. I am delighted therefore that we are able to bring together their 20 years of deep sector expertise with Damar’s 40+ year record of delivering apprenticeship in business and professional services.”
This apprenticeship has already sparked significant interest, particularly among large public and private sector organisations and professional services firms. Damar has also assembled an employer reference group that is feeding into the design process in real time to ensure that the programme works for employers.
The employer reference group met for the first time on May 25. It included industry professionals across a variety of sectors including private and public health care, financial services, local and national government, education, IT and data consultancy, some of whom were part of the apprenticeship trailblazer group.
If your organisation is interested in the apprenticeship please get in touch with us to discuss further.
Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.
The awards ceremony took place on Monday night at the IRMS Conference in Glasgow. Act Now was also nominated for two others awards including Innovation of the Year for our Advanced Certificate in GDPR Practice.
Ibrahim Hasan said:
“I would like to thank the IRMS for a great event and the members for voting for us. It feels really special to be recognised by fellow IG practitioners. We are proud to deliver great courses that meet the needs of IRMS members. This award also recognises the hard work of our colleagues who are focussed on fantastic customer service as well as our experienced associates who deliver great practical content and go the extra mile for our delegates. Congratulations to all the other IRMS awards winners.”
It has been another fantastic year for Act Now. We have launched some great new courses and products. We have exciting new courses planned for 2023. Watch this space!
BTW – Act Now also won the best elevator pitch prize at the conference vendor showcase. Click here to watch Ibrahim’s pitch.
Prince Charles has outlined the government’s priorities for the year ahead, as he delivered the Queen’s Speech. The speech highlighted some of the 38 laws that ministers intend to pass in the coming year. This includes a new Data Protection Reform Bill which is predicted to make sweeping changes to the UK GDPR. The draft bill will published this summer but you don’t have to look too far back for clues about its contents.
On 10th September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union.
Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government:
“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.”
Many of the recommendations made in the TIGRR Report can be found in the latest consultation document. The government believes the reforms will benefit the U.K. economy, but should the reforms go too far, they could risk the U.K.’s adequacy status with the EU.
So what can we expect in the Data Reform Bill? Page 57 of the press briefing accompany the Queen’s Speech sets out the main elements of the Bill are:
Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.
At the very least we can expect the Accountability requirements to be relaxed as has been trailed in the Consultation document. The Government wants to allow data controllers to implementing a more “flexible and risk-based accountability framework”, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out. To support the implementation of the new accountability framework we think the government will, amongst other things, remove the requirement to:
This new course is specially designed for Data Protection Officers and privacy practitioners, based in the EU and internationally, whose role involves advising on the EU GDPR and associated privacy legislation. The content of the course has been developed after analysing all the knowledge, practical skills and competencies required for the EU DPO to successfully navigate the European data protection landscape.
This course builds on Act Now’s very popular UK GDPR Practitioner certificate course which has been attended by hundreds of DPOs throughout the UK and abroad since its launch in 2017. Our teaching style is based on practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Personal tutor support throughout the course will ensure the best opportunity for success. Delegates will also receive a comprehensive set of course materials, including our very popular EU GDPR Handbook (RRP £34.99), as well as access to our online Resource Lab, which includes over 20 hours of videos on key aspects of the syllabus.
The EU GDPR Practitioner Certificate course takes place over four days (one day per week) and involves workshops, case studies and exercises. This is followed by a written assessment. Delegates are then required to complete a practical project (in their own time) to achieve the certificate. Whether delivered online or in the classroom, delegates will receive all the fantastic features of the course specifically tailored for each learning environment.
The EU GDPR Practitioner Certificate course builds on Act Now’s track record for delivering innovative and high quality practical training for information governance professionals:
In April 2014 we launched the highly successful Data Protection Practitioner Certificate, the first course to teach essential knowledge and practical DPO skills.
In May 2016 we launched the Foundation Certificate in Information Governance. This was the first fully online certificated course covering data protection, information security, freedom of information and records management.
In December 2018, we launched the FOI Practitioner Certificate, the first such course to use modern assessment methods rather than rote learning.
In April 2020, at the start of the Pandemic, we launched our new online GDPR Practitioner Certificateto enable DPOs working from home to gain a qualification.
In November 2020, we launched of the Advanced Certificate in GDPR Practice which is the first advanced qualification specifically designed for DPOs.
In November 2021 we won the Information and Records Management Society (IRMS) Supplier of the year award.
“We have looked at every aspect of this course to ensure it equips EU Data Protection Officers with the knowledge and skills they need to implement the EU GDPR in a practical way. Because of its emphasis on practical skills, and the success of our UK GDPR Practitioner certificate course, we are confident that this course will become the qualification of choice for current and future EU Data Protection Officers.”
On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.
The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Clearly this was a personal data breach, not just for the fact that data was released on the dark web, but because of the unavailability of personal data (though encryption by the attacker) which is also cover by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media.
The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which the Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security) as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO found its starting point for calculating the breach to be 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.
In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:
“…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.
What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO27000 series, the National Institutes of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulatory Authority, Lexcel and NCSC Cyber Essentials.
The ICO concluded that there are a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied, with the Security Principle. Their technical and organisational measures were, over the relevant period, inadequate in the following respects:
Lack of Multi-Factor Authentication (“MFA”)
MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack e.g. a code from a fob or text message. Tuckers had not used MFA on its remote access solution despite its own GDPR policy requiring it to be used where available.
Patch Management
Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However Tuckers only installed it 4 months later.
Failure to Encrypt Personal data
The personal data stored on the archive server, that was subject to this attack, had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects especially given the sensitive nature of the data.
Action Points
Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place:
Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
Making sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e learning solution contains a module on keeping data safe.
More useful advice in the ICO’s guidance note on ransomeware and DP compliance.
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.
Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as get some sun!)
The Middle East is fast catching up with Europe when it comes to data protection law. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security. Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws.
Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI.
We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.
During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.
The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue. Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits!
The United Arab Emirates has enacted its first comprehensive national data protection law to regulate the collection and processing of personal data. Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) was published by the Cabinet Office on 27th November 2021 as part of a legal reform programme in advance of the UAE’s Golden Jubilee. The detailed Executive Regulations are expected to be published on 20th March 2022 with the new law becoming fully enforceable six months later.
The UAE is no stranger to data protection laws. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 became enforceable in October 2020. However, it only applies companies under the jurisdiction of the DIFC as well as those processing personal data on their behalf. In February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 with the same limited applicability. There are also a number of other sector specific laws in the UAE which address personal privacy and data security.
Applicability
PDPL applies to all organisations that are processing personal data in the UAE irrespective of whether the data relates to Data Subjects living in the UAE. It also has an “extra-territorial” reach by applying to organisations based abroad who are processing personal data of Data Subjects resident in the UAE. PDPL does not apply to government data, government authorities that control or process personal data and personal data held by security and judicial authorities. Health data, credit data and banking data are also excluded as they are protected by other laws.
Key Provisions
PDPL is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. It mirrors their underlying principles of transparency and accountability and, like them, empowers Data Subjects by giving them rights in relation to their personal data. We set out below the notable provisions. We have included links to previous GDPR blog posts useful for readers wanting more detail:
Lawful Bases – Article 4 states that personal data can only be processed with the consent of the Data Subject. Exceptions include, amongst others, if the processing is: necessary to execute a contract to which the Data Subject is a party; required to protect interests of the public; relates to data already in the public domain; necessary to comply with other laws. Interestingly, PDPL does not include “legitimate interests” as a lawful basis for processing, as is found in GDPR.
Consent – Where consent is used as the lawful basis for processing personal data, it should be obtained from Data Subjects in a specific, clear and unambiguous form and should be freely given through a clear affirmative statement or action (Article 6). Consent can be withdrawn at any time.
Rights – Data Subjects are granted various rights in Articles 14-18 of the PDPL which will be familiar to GDPR practitioners. These include Subject Access, Data Portability, rectification or erasure of personal data, restriction on processing, objection to automated decision making and the right to stop processing.
Data Protection Impact Assessments – Article 21 requires, what GDPR Practitioners call, “DPIAs” to be undertaken in relation to any new high risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of Data Subjects, especially their privacy and confidentiality.
Breach Notification – Article 9 requires organisations to notify the regulator, as well as a Data Subjects, if they suffer a personal data breach which compromises Data Subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
Data Processors – PDPL imposes direct compliance obligations on Data Processors in Article 8 and obligations on Data Controllers when engaging them, similar to Article 28 of GDPR e.g. contracts.
Records Management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 7 to “keep a register of Personal Data” similar to a Record of Processing Activities(ROPA) under GDPR.
International Transfers – Article 22 imposes limitations on the international transfer of personal data outside of the UAE. Similar to the concept of the “adequacy” under the GDPR, the regulator is expected to approve certain countries as having “sufficient provisions, measures, controls, requirements and rules” for protecting privacy and confidentiality of personal data. Article 23 sets out exceptions although further details will be set out in the Executive Regulations.
Data Protection Officers – Organisations (both controllers and processors) will need to appoint a Data Protection Officer (DPO) in certain circumstances, set out in Article 10, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO can be an employee or an independent service provider and does not need to be located in the UAE. Articles 11 set out the responsibilities of the DPO and it is interesting to note that, just like under the GDPR, the PDPL gives the role protected status i.e. they cannot be dismissed for doing their job.
Enforcement
PDPL will be enforced by the UAE’s Data Office. The Executive Regulations will set out the administrate penalties that can be imposed on organisations for breaches. They could mirror current laws, such as the DIFC DP Law, where the maximum fine for a breach is $100,000. Organisations may also be required to pay compensation directly to Data Subjects or be sued by them. Alongside other sanctions, GDPR allows the regulator to impose a fine of up to 20 million Euros or 4% of gross annual turnover, whichever is higher. It will be interesting to see if PDPL follows GDPR.
Practical Steps
PDPL is likely to become fully enforceable by the end of September 2022. Organisations operating in the UAE need to assess the impact on their data processing activities. Systems and processes need to be put in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage. The following should be part of an action plan for compliance:
Training staff at all levels to understand PDPL at how it will impact on their role.
Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
Appointing and training a Data Protection Officer.
Act Now Training can help your organisation prepare for PDPL by training your staff and the all-important Data Protection Officer. We have delivered training to UAE businesses using our UAE specific training courses. This includes our very popular DPO Certificate course customised for the UAE. We can also deliver customised in house training both online and face to face.
Please get in touch to discuss you training needs. We are in Dubai from 16th to 21st January 2022 and would be happy to arrange a meeting.
On Tuesday there was an interesting story in the media about a group of footballers threatening legal action and seeking compensation for the trade in their personal data.
The use of data is widespread in every sport. It is not just used by clubs to manage player performance but by others such as betting companies to help them set match odds. Some of the information may be sold by clubs whilst other information may be collected by companies using public sources including the media.
Do footballers have rights in relation to this data? Can they use the GDPR to seek compensation for the use of their data?
On Tuesday, Ibrahim Hasan gave an interview to BBC Radio 4’s (PM programme) about this story. You can listen below:
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.
