Advanced Certificate in GDPR Practice: A great set of first results

After 18 months of development, working with industry experts, Act Now Training is pleased to announce the completion of its first ever Advanced Certificate in GDPR Practice course. Congratulations to all the delegates who successfully completed the course. It has been a fantastic four month journey, from the first masterclass through to results day.

The Advanced Certificate in GDPR Practice course is the first of its kind and is proving very popular amongst practitioners. It builds on the knowledge and skills of data protection practitioners by focussing on analysing and evaluating complex data protection issues. These skills are designed to help them interpret the legislation with greater understanding, equipping them with a skillset to tackle tricky data protection issues.

The first group consisted of a great set of delegates, from both the public and private sector, who were fully engaged and pushed themselves. The feedback shows that they really enjoyed the innovative format and the skills being taught:

“There is no doubt that this course has pushed me and got me out of my comfort zone, but in a very positive way, I genuinely feel I have improved both my skillset and understanding of data protection on this course.” Michael Pennington, Head of Operations & Security at Health Intelligence

“I would wholeheartedly recommend the Advanced Certificate in GDPR Practice as it is a very different course. I definitely feel more informed and confident in my role with knowledge and techniques I have learned. But perhaps more importantly I have explored new avenues of learning with the enforcement notices and watching the training videos, whilst engaging with some industry leaders in data protection and some of my peers.” Zara Harrington, Data Protection Manager and DPO, Leaders Romans Group

“The course has reignited my passion for data-protection.” Neil Murphy, Governance and Data Protection Manager, North Star Community Trust

“The format of the learning also gave me a safe space to practice new skills, to analyse the legislation and to have robust conversations with my fellow students.” Gill Rust, People’s Postcode Lottery

“Despite the hard work, the training has been enjoyable – helped hugely by the great group of DPOs who were open to listening and challenging opinions and of course, Ibrahim and Susan who were supportive throughout.”

The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. The Advanced Certificate in GDPR Practice is one of the reasons why we have been nominated for this year’s IRMS awards: Supplier of the Year and Innovation of the Year.

Ibrahim Hasan, solicitor and course director said:

“We are delighted to see the first group complete the course and with such fantastic results! They were a pleasure to teach and their enthusiasm was encouraging. I am glad that their hard work has paid off. Their feedback has really helped us to further improve the course for the next cohorts.”

The first five courses have been fully booked. We have added more course dates in Autumn. More information here.

GDPR News Roundup

So much has happened in the world of data protection recently. Where to start?

International Transfers

In April, the European Data Protection Board’s (EDPB) opinions (GDPR and Law Enforcement Directive (LED)) on UK adequacy were adopted. The EDPB has looked at the draft EU adequacy decisions. It acknowledges that there is alignment between the EU and UK laws but also expressed some concerns. It has, though, issued a non-binding opinion recommending their acceptance. If accepted, the two adequacy decisions will run for an initial period of four years. More here.

Last month saw the ICO’s annual data protection conference go online due to the pandemic. Whilst not the same as a face to face conference, it was still a good event with lots of nuggets for data protection professionals including the news that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers. Deputy Commissioner Steve Wood said: 

“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in the UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer. We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”

Lloyd v Google 

The much-anticipated Supreme Court hearing in the case of Lloyd v Google LLC took place at the end of April. The case concerns the legality of Google’s collection and use of browser generated data from more than 4 million iPhone users during 2011-12 without their consent. Following the two-day hearing, the Supreme Court will now decide, amongst other things, whether, under the DPA 1998, damages are recoverable for ‘loss of control’ of data without needing to identify any specific financial loss and whether a claimant can bring a representative action on behalf of a group on the basis that the group have the ‘same interest’ in the claim and are identifiable. The decision is likely to have wide ranging implications for representative actions, what damages can be awarded for and the level of damages in data protection cases. Watch this space!

Ticketmaster Appeal

In November 2020, the ICO fined Ticketmaster £1.25m for a breach of Articles 5(1)(f) and 32 GDPR (security). Ticketmaster appealed the penalty notice on the basis that there had been no breach of the GDPR; alternatively that it was inappropriate to impose a penalty, and that in any event the sum was excessive. The appeal has now been stayed by the First-Tier Tribunal until 28 days after the pending judgment in a damages claim brought against Ticketmaster by 795 customers: Collins & Others v Ticketmaster UK Ltd (BL-2019-LIV-000007).

Age Appropriate Design Code

This code came into force on 2 September 2020, with a 12 month transition period. The Code sets out 15 standards organisations must meet to ensure that children’s data is protected online. It applies to all the major online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use.

With less than four months to go (2 September 2021) the ICO is urging organisations and businesses to make the necessary changes to their online services and products. We are planning a webinar on the code. Get in touch if interested.

AI and Automated Decision Making

Article 22 of GDPR provides protection for individuals against purely automated decisions with a legal or significant impact. In February, the Court of Amsterdam ordered Uber, the ride-hailing app, to reinstate six drivers who it was claimed were unfairly dismissed “by algorithmic means.” The court also ordered Uber to pay compensation to the sacked drivers.

In April, the EU Commission published a proposal for a harmonised framework on AI. The framework seeks to impose obligations on both providers and users of AI. Like the GDPR, the proposal includes fine levels and an extra-territorial effect. (Readers may be interested in our new webinar on AI and Machine Learning.)

Publicly Available Information

Just because information is publicly available it does not provide a free pass for companies to use it without consequences. Data protection laws have to be complied with. In November 2020, the ICO ordered the credit reference agency Experian Limited to make fundamental changes to how it handles personal data within its direct marketing services. The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. Experian has lodged an appeal against the Enforcement Notice.

Interestingly, the Spanish regulator has recently fined another credit reference agency, Equifax, €1m for several failures under the GDPR. Individuals complained about Equifax’s use of their personal data which was publicly available. Equifax had also failed to provide the individuals with a privacy notice.

Data Protection by Design

The Irish data protection regulator issued its largest domestic fine recently. Irish Credit Bureau (ICB) was fined €90,000 after a change in the ICB’s computer code in 2018 resulted in 15,000 accounts having incorrect details recorded about their loans before the mistake was noticed. Amongst other things, the decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (aka DP by design and by default).

Data Sharing 

The ICO’s Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. Building on the code, the ICO recently outlined its plans to update its guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing.

UK GDPR Handbook

The UK GDPR Handbook is proving very popular among data protection professionals.

It sets out the full text of the UK GDPR laid out in a clear and easy to read format. It cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. The handbook uses a unique colour coding system that allows users to easily identify amendments, insertions and deletions from the EU GDPR. Relevant provisions of the amended DPA 2018 have been included where they supplement the UK GDPR. To assist users in interpreting the legislation, guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted. Read what others have said:

“A very useful, timely, and professional handbook. Highly recommended.”

“What I’m liking so far is that this is “just” the text (beautifully collated together and cross-referenced Articles / Recital etc.), rather than a pundit’s interpretation of it (useful as those interpretations are on many occasions in other books).”

“Great resource, love the tabs. Logical and easy to follow.”

Order your copy here.

These and other GDPR developments will also be discussed in detail in our online GDPR update workshop next week.

Act Now Nominated for IRMS Awards

Act Now Training is pleased to announce that it has been nominated for this year’s Information and Records Management Society (IRMS) awards in two categories. 

Each year the IRMS recognises excellence in the field of information management with their prestigious Industry Awards. These highly sought-after awards are presented at a glittering ceremony at the annual Conference following the Gala Dinner.

Act Now has been nominated for the Supplier of the Year award. In 2020, during the Coronavirus Pandemic, we have been at the forefront of helping the IG/DP community stay abreast of developments and rise to the challenges of working from home and continuing to learn. We ran a number of free webinars on a range of topics including cyber security, risk management and the CCPA. 

During the Pandemic, we developed our online courses from the ground up to ensure they provide the same interaction and quality as classroom workshops. Our flagship GDPR Practitioner Certificate course has been redesigned for the online learning environment but still maintains the focus on delegate interaction, engagement and tutor support. Since April 2020, we have run fifteen of these courses all of which have been fully booked. It is probably one of the most popular GDPR certificate courses.

Throughout 2020, Act Now has promoted information law/information governance beyond these shores. We have trained professionals in the financial sector for the NAPCP conference in Las Vegas and launched our US CCPA and Dubai privacy programmes. This has helped raise the profile of our profession.

We have also continued to raise the media profile of Information Governance in 2020. Ibrahim Hasan, director and solicitor, was interviewed twice by the BBC regarding the NHS Test and Trace app. He also worked with the BBC to help ensure that care home records were removed from a site to prevent harm to patients and relatives.  

Act Now has also been nominated for the Innovation of the Year award for our new Advanced Certificate in GDPR Practice. This course is for data protection practitioners who wish to advance their GDPR practice and knowledge. The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. It consists of a series of challenging masterclasses in which delegates analyse and evaluate thought-provoking case studies designed to help them interpret complex data protection issues. 

This is the only advanced GDPR certificate course on the market and is proving very popular amongst practitioners. Our first three courses are fully booked. More information here.

All IRMS members are eligible to vote in the IRMS awards. The deadline is 2nd April 2021. Vote now for your favourite training company.

Our new UK GDPR Handbook is still available to pre order at a special discounted price. 

So we have a Brexit Trade Deal. What now for GDPR and international transfers?

So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

International Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved, albeit temporarily. Pages 406 and 407 of the UK-EU Trade and Cooperation Agreement contain provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe? Our GDPR Essentials e learning course can help you do this in less than 45 minutes.

Care Home Records: My BBC Interview

Ibrahim Hasan writes… 

Data Protection law is about protecting peoples’ human rights. When organisations fail to comply, it can have a big impact on peoples’ lives. I was proud to work with the BBC on a recent story which highlights the importance of protecting the personal data of some of the most vulnerable in society. 

Thanks to tenacious journalism by Ben Moore and Tobey Wadey, piles of patient data which were left unsecured in an abandoned care home, more than four years after it was shut down, were finally removed. It included care plans, bank details and photos of injuries as well as information about relatives. The Information Commissioner is now on the case.

You can watch the BBC report, which includes an interview with me, here.

The BBC website feature can be read here.

Act Now Launches New Advanced Certificate in GDPR Practice

Act Now Training is pleased to announce the launch of the Advanced Certificate in GDPR Practice. It comes following 12 months of development and as a result of the success of our GDPR Practitioner Certificate which, over the last few years, has cemented its position as the gold standard for data protection qualifications.  

Our courses are practical and jargon free. We focus on teaching the skills and knowledge to help delegates do their job every day. Our aim is to help delegates become the most complete DPO for the ever-changing privacy landscape.  

“The training provided practical guidance with useful examples to help inform my application of GDPR in the workplace. The focus was on how to use it rather than learning all the legal minutiae, and from the first session I was able to go away and use what I’d learnt in my Information Governance role.” EG, Hampshire CC

“A highly informative and interactive course which helped to join the dots together and add layers to my understanding of a complex area. I had some reservations as to how it would be possible to achieve an effective course remotely and would it be as engaging as a classroom-based alternative. Frank managed all this and more, he was approachable, highly knowledgeable and made sure the participants were understanding the content. I would not hesitate to recommend to colleagues.” SW, Harrogate BC

Having trained over 1500 data protection professionals on our GDPR Practitioner Certificate, we have now answered their call for a more advanced GDPR qualification to help them enhance their skills and knowledge. 

The new Advanced Certificate in GDPR Practice consists of a series of challenging masterclasses in which delegates will analyse and evaluate thought-provoking case studies designed to help them deconstruct and interpret complex GDPR issues. This will help them gain a deeper understanding of the GDPR and further their ability to navigate the legislation and its application. 

The course is set over three days; approximately one masterclass per month and will take a total of 12 weeks to complete. Delegates should expect to do at least five hours of self-study prior to each masterclass. A practical project will be required to be submitted at the end of the course.  

This course has been designed and will be delivered by our senior associate, Susan Wolf, and our director, Ibrahim Hasan. Susan has over ten years’ experience teaching practitioners on the LLM Information Rights Law and Practice at Northumbria University. She has also designed our very popular FOI Practitioner Certificate course. Ibrahim has been designing and delivering practical data protection courses for over 20 years.

Ibrahim said: 

“I am really looking forward to teaching this course. I hope to challenge, inspire and provoke delegates into thinking about advanced GDPR concepts and their application.
It will be hard work for the delegates (and the tutor) but worth it! 

These together with a series of practical tasks is sure to enthuse and excite delegates on their way to advancing their skills.” 

This advanced course is exclusively available to those who have completed the Act Now GDPR Practitioner Certificate as it builds on the knowledge and skills developed in that course. There is an application process for places which are limited to 8 per course.

The course has a special introductory price of £2,150 plus VAT, which is £500 off the RRP. Application forms are available on our website. If you wish to discuss your suitability for this course before applying, please get in touch and we will be happy to help.

Ibrahim Hasan on the BBC

The last week has been really busy for our managing director and data protection expert, Ibrahim Hasan, with a frenzy of media interviews. Well not quite a “frenzy” but three is a start!

Ibrahim was first interviewed on BBC Radio 5 live’s Drive programme by Anna Foster. He spoke about the rules requiring restaurants and pubs to keep contact details of customers and the GDPR/DPA consequences if things go wrong. He emphasised the importance of business owners complying with data protection laws and educating their staff on their responsibilities.

You can listen again here (14.35 onwards). More on customer contact tracing data in our blog.

Later in the day, Ibrahim had his first live television interview which was broadcast on BBC News 24 and BBC News Worldwide. He was asked about the new NHS Contact Tracing App and the privacy implications. He also talked about the consequences of misusing personal data. We are waiting to receive the recording of this interview. In the meantime you can read the feedback on our social media channels (LinkedIn and Twitter). You can also read more about the previous version of the NHS Contact Tracing App in our blog.

Finally, on 18th September, Ibrahim appeared on BBC Radio Berkshire to talk about the same issue. This followed a case in which a lady was contacted by a bus driver for a date using her T and T details!

You can listen here (from 1.26.26):  https://www.bbc.co.uk/sounds/play/p08pt1fd

These and other GDPR developments will be discussed in detail by Ibrahim in our online GDPR update workshop next week.

British Airways: Proposed GDPR Fine Likely to be Reduced

In July 2019, the Information Commissioner’s Office (ICO) signalled its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued with much fanfare.

One of the Notices was issued to British Airways for the eye-watering sum of £183 million. This was the result of names, email addresses and credit card information being stolen by hackers from the BA website. According to the statement from the ICO at the time, 500,000 customers were compromised in this incident.

Remember that this was a Notice of Intent and not a fine. After many months of delays and the coronavirus lockdown, we are now in a position to hazard a good guess as to the amount of the actual fine. Thanks to the reporting requirements for listed companies it is very likely that British Airways will be fined much less than the £184 million announced a year ago, and could be as little as 10% of that amount.

On 31st July, IAG (British Airways’ parent company) issued its Interim Management Report for the six months ended June 30, 2020 which states:

“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued.”

It will be interesting to see what happens to the other Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Watch this space!

This and other GDPR developments will be covered in our new online GDPR update workshop.

The Lockdown is the perfect time to train your staff about GDPR and keeping data safe. With our GDPR Essentials e learning course they can do this from the comfort of their own home.

 

Recovering Personal Data After Inadvertent Disclosure: The Injunction Route

Even with the best data protection training and awareness programme, mistakes can and do happen when organisations process personal data of a sensitive nature. Personal data can be lost or simply sent to the wrong person. Two recent High Court cases involve local authorities seeking injunctions in an attempt to limit the impact caused by inadvertent disclosures.

In Redbridge LBC v Jennings [2020] 5 WLUK 122 (to the best of our knowledge, only reported on Westlaw) the London Borough of Redbridge was granted an injunction to prevent X from publishing highly sensitive information about another family, that the Council had inadvertently sent to X. London Borough of Lambeth v Anthony Amaebi Harry [2020] EWHC 1458 (QB) was partly about a Breach of Confidence action by Lambeth Council against the Respondent who had also received third-party personal data. Let’s consider both cases and what we can learn from them.

The Disclosures

In the Redbridge case, a council employee wrote to X regarding her family. However the employee inadvertently included documents, containing highly sensitive information about another family (Family A), in the envelope. When X received the documents, she realised that she should not have seen them and so she returned them to the council.  However, it later transpired that X had taken copies of the documents and that she planned to visit Family A to inform them about the council’s error. X also indicated that she would not destroy the copies that she had retained but she would give them to her solicitor. It is clear that X understood the confidential nature of the documents, and that she did not intend to share them with anybody else. However, it appears that she intended to retain the documents (in the hands of her solicitor) for the purpose of pursuing her own data protection claim against the council. X alleged that information about her family had been sent to a third-party who had “knocked on her door to return the documents”. At the time of writing it is uncertain whether X has brought such an action.

In the Lambeth case, Mr Harry made a subject access request (in November 2018) to the Council seeking information held about his child. It appears that another person (HJ) had made allegations to the Council about the care that Mr Harry and his wife were providing for their child. Lambeth Council provided the information to Mr Harry by electronic means. However it turned out that Mr Harry was able to manipulate the data (by removing the redactions that the Council had made) and was able to identify HJ, who had made the initial allegations. He commenced legal proceedings against HJ for defamation.

Lambeth Council sued Mr Harry for Breach of Confidence. It claimed that the information was provided to Mr Harry in circumstances where he knew it was confidential and that he had breached that confidentiality by “unredacting” the data, retaining it and using it as evidence to start court proceedings against HJ. The Council’s rationale for bringing the Breach of Confidence action was that informants have an expectation of confidentiality. The Council obtained an interim injunction in February 2019 to restrain Mr Harry from using the information he had acquired.

A Notifiable Data Breach

Both cases involve a personal data breach as defined by GDPR Article 4(12):

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Article 33 of GDPR requires a Data Controller to notify the Information Commissioner’s Office (ICO) about a personal data breach “without delay and where feasible, not later than 72 hours after becoming aware of it”. Notification is not required if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Disclosing highly sensitive information about one family to another is likely to be a notifiable breach. A failure to adequately redact the name of a person who makes confidential allegations is also likely to have the same result.

The problem with inadvertent and accidental disclosures is that the Data Controller may not necessarily be aware of them for some time. In the Redbridge Council case, X told the Council she had received the documents by mistake. According to the Article 29 Data Protection Working Party Guidelines on Personal Data Breach Notification under Regulation 2016/679, when a third party informs a Data Controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure, the Data Controller has become “aware” of the personal data breach. Where a Data Controller has been presented with clear evidence of a confidentiality breach then there can be no doubt that it has become “aware”. In the Redbridge case the Council took a decision to self-refer to the Information Commissioner’s Office; although interestingly the facts suggest that this happened prior to the GDPR coming into force.

In the Lambeth case it is not entirely clear when or how the Council became aware that Mr Harry had been able to manipulate the data. However the facts, as recorded in the judgment, suggest that it became aware sometime in late 2018 when the ICO investigated complaints made by Mr Harry about the Council’s handling of his subject access request. In other words, it does not look like the Council was aware of the breach until the ICO investigated, although this is not certain from the limited factual information in the judgment.

When a Data Controller becomes aware that personal data has been unlawfully disclosed to a third party, it needs to contain the incident and assess the risk that could result from it. One way of doing this is to request the recipient to either return the information or to securely destroy it. However the Article 29 Guidelines make it clear that the Data Controller must “trust” the recipient to do this. In both cases it was quite clear that the recipients had no intention of safely destroying the personal data or returning it to the respective councils. In both cases the recipients intended to use the data as evidence in their own legal claims. In both cases the Councils sought an injunction to prevent the recipients from misusing private information and/or a Breach of Confidence.

Injunctions and Offences

Before granting an injunction, the High Court is required to consider whether an injunction would affect a person’s right to freedom of expression; for example his/her right to publish the information online or via the press. It can only grant an injunction if it is satisfied that publication should not be allowed.

In the Redbridge case the Court considered that the information was highly sensitive and that there would be a breach of confidentiality if the documents were either revealed to the press or published on-line. It therefore granted the injunction. In the Lambeth case the Court granted an interim injunction but the case concerning the Breach of Confidence has been listed for trial in July 2020 where Mr Harry will argue that he has a public interest defence.

In April 2020 the ICO decided to prosecute Mr Harry (in the Lambeth case) for two offences: knowingly or recklessly re-identifying de-identified personal data, without the consent of the Data Controller, contrary to s.171(1) of the Data Protection Act 2018 (“the DPA”), and knowingly or recklessly processing re-identified personal data, without the consent of the Data Controller, contrary to s.171(5). There are no further details about this prosecution at this moment in time.

Lessons Learnt

The incidents in the cases referred to above were not major cyber-attacks or large-scale disclosures. In one case personal data was inadvertently put into an envelope. In another personal data was not properly redacted. But the consequences were potentially severe and could have had significant and adverse consequences for the data subjects concerned.

Both cases show that, although breach notification goes a long way towards addressing issues of awareness and accountability, Data Controllers may need to take further legal action, in the form of an injunction, to prevent collateral damage from an accidental disclosure. The ICO can use its enforcement powers under the DPA 2018 to prosecute people who unlawfully reidentify personal data and seek to process it, but this may come too late if the damage is already done.

GDPR is going global! Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. Want a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the course starting at the end of August.

Data Protection Laws Around the World

Data Protection is going global! 1st of July 2020 is a key date in the development of data protection law around the world. The California Consumer Privacy Act (CCPA) became fully enforceable on this date following a six month grace period. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. All international businesses have to consider the application of CCPA to their data processing activities.

1st July 2020 is also the date when a new data protection law came into effect in Dubai, although it will not be enforced until 1st October 2020. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 regulates the collection, handling, disclosure and use of personal data and includes enhanced governance and transparency obligations. It applies to all businesses based in the DIFC as well as those processing personal data on their behalf.  

GDPR style data protection laws have also been enacted in Africa, South America, Asia and the Far East. Many other countries have new privacy laws in the pipeline. What impact will this have on your business? What are the career development opportunities for Data Protection Officers and lawyers? 

Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. He will focus on the recently enacted California Consumer Privacy Act (CCPA) and the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 as well as other GDPR style laws in force now and coming up in the future.
