Data Protection


GDPR six months on……

It’s been six months since GDPR came into effect on 25th May. Despite the Y2K like panic in the run up to May, the world did not come crashing down and despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.

But what has happened in the last 6 months and what is still to come?

ICO updates

Over the last six months the ICO have made several updates to their online guidance, including:

  • A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide and also a separate detailed publication – here
  • Individual sections on each core principle including guidance and practical examples – here
  • A significantly expanded section on international transfers – here
  • A significantly expanded section on the exemptions, including those in schedules 2-4 of the Data Protection Act 2018 – here
  • Updated security guidance – here
  • New guidance on encryption and passwords for online services – here

The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right is also applicable to data held in backups and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. For delayed erasure for backups they maintain the position that it is important to put the data ‘beyond use’. They’ve also finalised the detailed guidance on children and the GDPR.

The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more than for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to threaten an individual’s security. Organisations are encouraged to call the ICO helpline before making a report – and remember if you are in any doubt you can always ask Teal Compliance who are always on hand to help!


On 12th November 2018, the ICO issued its consultation on the new proposed Direct Marketing Code.

The Data Protection Act 2018 required the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new E-Privacy Directive is finalised. The consultation is open until 24th December.

The ICO is also asking parents, carers, and those who work with children to give their views on the draft Age Appropriate Design Code, which sets the standards which must be followed by those who provide online services and apps for children – this consultation is open until 5th December 2018.

Fines/court cases

Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.

WM Morrisons Supermarkets Plc v Various

The Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data breach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held vicariously liable for data breaches caused by employees even if they have appropriate safeguards in place.

Lloyd v Google LLC

The High Court has refused to grant leave to serve a claim form on Google Inc outside the English Jurisdiction in relation to the ‘Safari workaround’, which involved Google allegedly using cookie technology on the iPhone Safari browser to obtain browser-generated information about iPhone users between 2011-2012 without their knowledge.

ICO Prosecution under the Computer Misuse Act 1990

A motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services, accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending.

Enforcement Decisions

  • Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix
  • Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law
  • Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data
  • Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017
  • Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place

In addition, there have been a number of fines relating to nuisance emails/calls –

  • Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)
  • ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)
  • Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)
  • Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls

All of these cases highlight that the ICO will act where it becomes aware of a data breach or of breaches of PECR, so it’s more important than ever to make sure that your processes are up to date and being used by your employees AND, just as importantly, that you have all the documentation you need to demonstrate accountability just in case the ICO do get in touch with you.

E-Privacy update

The controversial update to PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.

Get in touch

Contact our experts at Teal Compliance if you have any data compliance related questions. An initial call is always free.


The impact of ‘Brexit’ on data transfers

With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulation (GDPR) which came into force on 25th May 2018. Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

  • There is an ‘adequacy decision’ in place; or

  • There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

  • A legally binding and enforceable instrument between public authorities or bodies;

  • Binding corporate rules (BCRs);

  • Standard data protection clauses adopted by the Commission;

  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

  • Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.


Get in touch

If you’d like to discuss our data protection services, then contact one of our helpful experts today.


Cyber Essentials – Affordable Security

Guest blog from Centre for Assessment Ltd

The Cyber Essentials Scheme has been around for a number of years now, and more and more businesses are finding the demand for this is increasing when it comes to working with particular clients and qualifying for tenders/contracts. The core values of Cyber Essentials offer both clients and supply chains peace of mind, knowing that basic cyber hygiene measures are being adhered to, and the essential elements of the IT infrastructure are running effectively.

The core values of Cyber Essentials are built around 5 main controls: firewalls, secure configuration, access control, malware protection and patch management. The combination of these controls ensures that the risk of cyber-attacks is kept to a minimum, and that companies are showing a commitment to both staff and clients, ensuring data is handled and stored safely and securely.

There are two different levels of cover available through the scheme which are ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.

Cyber Essentials is a self-assessment driven audit, which allows businesses interested in the scheme to be able to evidence their basic conformance to the scheme rules within an application document. Once completed this is then reviewed by a registered certification body for assessment. Decisions on conformance can be made within as little as 48 hours.

Cyber Essentials Plus includes all of the self-assessment elements of the basic Cyber Essentials.  Additionally, it entails a vulnerability scan, on-site testing and a much more comprehensive assessment process verified by independent experts to help further ensure that the IT infrastructure is as secure as possible. This level of assessment represents a much larger commitment to the overall IT welfare of any business and helps in leading the war against cyber-crime within the UK.

These types of assessments are a step in the right direction for any business looking to bolster their IT security within any industry. Cyber Crime is forever evolving and adapting to try and appeal to victims via a range of different means. This can be something as simple as a link in an email or sending updates with ‘URGENT’ in the subject, to try and instil fear and panic usually leading to a knee jerk reaction, which can cost victims dearly.

The legal sector is no stranger to cyber-crime and its devastation, with 62% of law firms estimated to be the victim of a cyber-attack in the last year. Law firms are considered to be 7th most vulnerable industry for malware according to Cisco, with 4.5% of all UK data breaches occurring within the legal sector. Practices are starting to take note of the devastation this causes and are beginning to take steps towards a scheme like Cyber Essentials, to help in the fight against cyber-crime and to re-assure clients.

We are even starting to see schemes like Cyber Essentials incorporated into other standards within the legal sector. In July 2018, a new version of Lexcel, The Law Society’s Legal Practice Quality Mark, was announced, and within some of the policies and procedures there is a direct reference to the scheme stating, “Practices must have an information management and security policy and should be accredited against Cyber Essentials.” This is helping to further enforce the importance of the scheme and general cyber awareness within the legal sector.

Get in touch

Cyber Essentials is available through the Centre for Assessment.  To find out more, visit their website, or telephone them on  0161 237 4080

If you’d like to know more about how Teal’s data protection services can help you, get in touch with one of our experts today.

ePrivacy Regulation Update – What’s the latest?

For some time now, the EU Commission has been planning an update to the current ePrivacy Directive (which was implemented in the UK through the Privacy and Electronic Communication Regulations, or PECR for short).  The ePrivacy Regulation will replace the current rules on issues like the use of cookies and electronic marketing and was originally meant to be implemented alongside GDPR but the final text was not ready in time.  So, what’s the latest update?

After significant delays in moving towards a final text for the Regulation, the EU Commission issued an update on 12 June 2018 following policy debates on 8th June and it would appear that further changes have been proposed.


Currently websites display cookie banners informing visitors that the website uses cookies for the purposes of data analytics – if you don’t want cookies dropping on your device then the only option is to stop using the website.  The EU Commission had already indicated that under the new rules, internet browsing companies should design functionality to allow individuals to give specific consent for cookies (in fact a small number of organisations have already made this change on their websites).  Following the debate, the options for cookies now include banning the use of cookie walls (claiming it is disproportionate for public authorities to make their websites conditional on the use of cookies) or changing the recitals to clarify the requirements around consent.

B2B Marketing

Currently a large proportion of B2B marketing is carried out on a soft opt-in basis.  This is where the email address has been obtained through the sale (or negotiation for the sale) of a product or service, the individual was told that their email address would be used for unrequested marketing and was given the chance to opt-out at the time of collection, the marketing relates to similar products and services, and each email gives the recipient the chance to opt-out.  The draft Regulation indicates that the EU Commission may seek to bring B2B marketing in line with the requirements for B2C marketing, meaning that the current soft opt-in option will be reversed so that communications can only be sent where the individual has given prior consent.

The updated draft text also allows member states to set a time limit under which organisations may contact individuals for direct marketing purposes. The DMA is continuing to argue against these changes which could cause significant issues for businesses.


It is now anticipated that the Regulations will be passed towards the end of 2018 or Spring of 2019 with one year for implementation.

What actions can I take now?

It’s important to document what marketing your business undertakes, your legal basis for the processing and how you obtain contact details.  If you don’t rely on consent, then you may want to start to consider what implications the Regulations will have on your business if they are passed in the current format.

Start to talk to your website provider about the options around cookies now BUT don’t make any major changes until the Regulations are finalised.

Watch this space!  With 3-6 months to go before the Regulation is passed it’s inevitable that further amendments will be made.

Get in touch

If you need any help in the meantime with regulatory compliance, then feel free to get in touch.  An initial chat with one of our associates is always free.


What do I have to provide when I receive a subject access request?

With conflicting advice still available on the ICO website there seems to be a lot of confusion around exactly what a data subject is entitled to when they exercise their right of access under GDPR.

Many data subjects still seem to think that this right entitles them to receive a full copy of their file free of charge, when actually that will not be the case 99.9% of the time.

The Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data, including-

  • The purpose for processing the data and how you will process the data

  • The retention periods you will apply

  • Who you will share the data with.

You provide this information in your privacy notice which should be given at the point of collection and you will provide a link to the information on your website.

The Right of Access

Individuals have the right to access their data, and can make a ‘subject access request’ verbally, in writing or even via social media (don’t forget to check your tweets!).

You now have one calendar month instead of 40 days to respond to the request and you can no longer charge a fee.

The data subject is entitled to –

  • Confirmation that you are processing their data

  • A copy of their ‘personal data’ (we will come back to this in a minute!)

  • Other ‘supplementary’ information which is basically the information you provide in your privacy notice.

But what exactly does ‘a copy of the data’ mean?  You will be pleased to know that by and large this does not mean that they are entitled to a copy of the entire file of papers.  A ‘copy of the data’ is basically that, a list of the data fields that you process, which can identify the data subject (name, address, date of birth etc.).

Where it becomes slightly complicated is if it is possible to identify the data subject from the information you are processing then that information may also be personal data.  In a recent ICO live chat I was given the example of where you hold on file an email from an individual complaining about the data subject.  Whilst I did engage in a long debate with the representative about whether this would be appropriate for a law firm to disclose, or potentially for an employer to disclose where an investigation was being carried out for example, the conclusion from the ICO was that I would need to consider this type of document carefully and make a decision about whether there was a valid reason to withhold the document or not.

In situations where you are simply instructing a third party, for example a letter to an expert which sets out the name, address and contact details of the data subject, but is then just a business to business email giving instructions on work to be carried out, then a copy of this letter would not need to be provided.

General Points

  • Review the types of communications you will have on your files – if any of them ‘could’ fall within the definition of personal data then make sure your staff are aware to consider these and flag them to the DPO for confirmation of whether they need to be included in the response or not.

  • Data subjects can only be given a copy of their own data – an individual cannot request information on behalf of a partner for example.

  • If a data subject requests something specific, for example a copy of a specific email by date or a copy of a specific call recording then you should look to provide this.

  • You should ensure your staff are trained to recognise a request (remember social media!).

  • You should have a documented process and should keep a log of all requests.

  • The ICO’s Subject Access Request Code of Practice has not been updated for GDPR yet.

Get in touch

99% of the requests you receive will be straight forward but for that 1% which you maybe aren’t so sure about, remember you can use our ‘Ask Teal’ service, or simply contact one of our experts today.


GDPR – What happens on May 26th?

GDPR 25th May….  It’s the date we have all been working towards, some of us for many months. But what happens on 26th May, and the day after that?

Well, initially we all have a well-deserved rest over a bank holiday weekend, and then it’s business as usual from Tuesday 29th May.  But what is ‘business as usual’?

For those who have not been able to complete their GDPR preparations prior to 25th May, you should have an action plan to take you through the following weeks and months on the journey to compliance with the principles of the GDPR and to demonstrate ongoing accountability.

But if you have completed your preparations it doesn’t mean that you don’t have any ongoing work to do.  In order to demonstrate accountability, you will need to test your processes, test your staff and create an audit programme.

1.  Test your processes

You have created a lovely shiny process to be followed if a data subject exercises one of their rights; but does it work? You may not receive a request straight away so why not run a workshop on the basis that you have received a request and work out the steps you need to follow to comply with the 30 day timescale – use the outcome to refine your process where necessary.

2.  Test your staff

You have trained your staff but how much have they actually understood? Are your policies and procedures embedded? Test them. Send in a ‘dummy request’ and see what happens. Don’t forget to also test from a cyber security point of view – simulated phishing email tests are a useful exercise.

3.  Create an audit programme

How will you demonstrate ongoing compliance? DPOs should consider regular spot checks, especially if your business has more than one site – are the team keeping paper that you think has been destroyed? Are visitor processes being followed – turn up unannounced and you will find out!  Don’t forget that root cause analysis of complaints and data breaches will provide you with valuable insight on how well your GDPR programme has been embedded. Check your websites on a regular basis to make sure they haven’t reverted back to old versions of any of your policies. Monitor social media for mentions of your business, which can be an early indicator of a data breach.

4.  Keep up to date

The draft Data Protection Bill had a provisional report stage on 9th May and as progress continues to be slow, it may not be enacted before 25th May. The E-Privacy Directive is also still stalled and could arrive at any time in the coming months so it’s definitely one to watch, and it’s always worth checking in with the ICO’s website to see updates on how they intend to enforce GDPR and what they will be looking at in the coming months.

Get in touch

Here at Teal we will of course keep you up to date through our blogs and our experts are always available to offer advice or even to come in and test your processes for you.  Find out more about our data protection services or simply get in touch with one of our experts.


14-day countdown to GDPR

With just 14 days left to go until GDPR implementation day, what should you be focusing on?

At our conference on 26th April, 57% of those attending said they had nearly completed all of the changes they needed to make in advance of 25th May, 4% stated that they were ready. So, what about the 22% who said they had only just started, or the 17% who didn’t know what GDPR was??  The key is DO NOT panic. It’s not Y2K all over again, the world will not end if you haven’t completed all of your preparations by 25th May.

What you do need is a plan……

Transparency is the key – prioritise those documents which tell your clients/customers what you will do with their personal data – how do you collect it, how do you process it, who do you share it with, how long do you keep it and how do you delete it?

Policies – get your key documents in order – data protection policy, data retention policy, privacy notices, cookies policy etc – make sure they are fully updated and available on your website.

Data processors – make sure you have full contractual arrangements in place with anyone who processes personal data on your behalf.

Data subject rights – how can your customers/clients exercise their rights under GDPR?  Make sure this is clearly signposted in your privacy notices, data protection policy and on your website – something simple, quick and easy. Make sure your staff know who to refer any requests to.

Don’t forget your employees! They will need a privacy notice that covers the use of their data for employment purposes and they will need to know where to refer any GDPR questions they either have themselves or receive from clients/customers.

Security – do you have robust security measures in place for both your electronic data and any paper data you store in filing cabinets?

Beyond this, and perhaps beyond 25th May, you will need to refine your processes for responding to data subject requests, ensure you have a full training programme in place (if you haven’t done training already) and consider what spot checks and audits you need to have in place to ensure ongoing compliance and accountability.

Get in touch

Don’t forget, here at Teal we are available to offer support for all your data protection needs. Simply contact us today for more information.


Practical GDPR tips for barristers

I recently presented at a GDPR and Cybercrime training session for a wonderful group of Fee Earners, who are members of a Barristers Chambers. During training I was asked some very interesting questions and as a group these issues were openly discussed. I was so impressed with the healthy discussions, I thought I would share some of the scenarios and the suggested solutions.

Scenario one

Article 5(1)(f) of the GDPR requires that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

Very often barristers will take a bundle to Court containing evidence, case management paperwork (e.g. application forms and directions), statements, expert reports and documents relating to a case. Unless the court has specifically directed otherwise, a bundle will normally be contained in one A4 size ring binder or lever arch file limited to no more than 350 sheets of A4 paper.

The file is usually transported by hand by Counsel to the hearing. Quite often Counsel will travel by train and the file is usually kept in a bag and needs to be placed in the luggage compartment quite a way from the reserved seat they have been allocated, especially on a busy train. How can Counsel protect that bag and the contents in this situation?

There are various options you may want to consider:

  • If there is no option but to take a court bundle in a paper file (which will inevitably contain personal data), book a seat with extra leg room; these seats are allocated directly next to the luggage compartments. That way the bag is in your view all the time.

  • Ensure the bag is lockable – should the worst happen, and it is stolen, you are protecting the contents as far as you can.

  • Consider taking an electronic copy of the bundle, perhaps on an encrypted USB stick which is password protected for access.

Scenario two

Article 5(1)(a) of the GDPR requires that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to individuals”

Privacy notices describe all the privacy information that you make available or provide to individuals when you collect information about them. They help with building confidence with individuals in what you are doing with their personal information. Privacy notices should include:

  • who you are;

  • what you are going to do with their information; and

  • who it will be shared with.

Very often a barrister will have their own ICO number, however, they rarely have a website on which to publish a privacy policy. In practice if they do receive a Subject Access Request from an individual exercising their rights, this will normally be coordinated through Chambers.

The question was asked whether the privacy notice of the chambers could be updated to publish all individual barrister ICO numbers, provide individuals with details of the processing and how to request a SAR and how the Chambers will deal with it?

I have to say this is a very practical approach given most Barristers use Chambers for their administrative duties. Provided you have covered the points listed above and detailed any data sharing activity you may conduct, practically this may be a useful way of managing data privacy and ensuring obligatory time limits are met.

Scenario three

The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

One of the ways you can demonstrate compliance is to record your assessment of risks in relation to data security and your processes to mitigate that risk. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

Often Barristers are asked to take on college or sixth form students looking to work in the legal field for work experience. The question posed was whether the same obligations imposed on employees are applicable to someone who is onsite for work experience?

Whether the individual is a work experience student, a casual member of staff, an employed Clerk or a Barrister, there should be no distinction. The obligation to ensure they have understood the importance of keeping data subject information safe/confidential and what to do if a data breach has occurred applies to everyone.

Ensure you have carried out adequate due diligence on the work experience student, and consider a confidentiality agreement. Allocate enough time during induction for the student to digest and understand your data privacy policies and procedures and most of all don’t forget to mention in the privacy notice that data is shared with work experience students.

Get in touch

See how Teal can help with your data protection needs. Alternatively, contact our experts today for advice.


Do I need consent for direct marketing?


With less than 50 working days until GDPR takes effect on 25th May 2018, many businesses are starting to consider the ‘hot topic’ of whether their marketing lists will still be valid.  But it’s not just GDPR that needs to be considered……

Current Rules (up until 25th May 2018)

Data Protection Act 1998 (DPA98)

Privacy and Electronic Communications Regulations 2003 (PECR)

After 25th May 2018

General Data Protection Regulation (GDPR)

Privacy and Electronic Communications Regulations 2003 (PECR) BUT only until the Regulation on E-Privacy and Electronic Communications (the E-Privacy Regulation) comes into force

General Principles

Under DPA98 “An individual is entitled at any time by notice in writing ……to require the data controller…to cease, or not to begin processing for the purposes of direct marketing….”

Whilst referenced in DPA98, the majority of the rules around direct marketing can actually be found in PECR.  Take a look at the ICO’s current direct marketing guidance, based on PECR.

Direct marketing can currently be carried out following a variety of opt-ins or opt-outs but under GDPR the rules become more challenging because giving consent (or opting in) to direct marketing has specific requirements.

GDPR says:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time….”

“Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

As we all know, under GDPR, organisations can only process personal data if they have a lawful basis for doing so (GDPR Article 5 clause 1).  The test for ‘lawfulness of processing’ includes that the data subject has given consent for the processing, but this does not automatically mean that you need consent to carry out direct marketing (or any other type of processing).

Legitimate Interests

Recital 47 of the GDPR states “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Even the ICO acknowledge that obtaining valid consent under GDPR (Art 7) will be challenging and they urge businesses to consider whether consent is the correct lawful basis for the processing of any data.

But when deciding whether the sending of direct marketing can be done as a legitimate interest, an organisation still needs to consider the rules under PECR.

Postal marketing – not covered by PECR, so as long as the organisation identifies itself, offers an opt-out and screens addresses against the mail preference service, it’s OK to send first party marketing (about your own products and services) provided the client has not previously opted out.  If they haven’t previously opted out but have registered with the mail preference service then you need to leave them alone.

Email/SMS marketing – you must follow the rules in PECR which require an opt-in unless you have obtained the contact details of the individual during the course of a sale (or negotiations of the sale) of a product or service.  The marketing must be of a similar product or service and the individual must have been given the opportunity to opt-out.

Telephone Marketing – for live marketing calls, the rules say you can contact anyone as long as they have not previously opted out and are not registered with the telephone preference service.  You must not make automated calls to anyone unless they have specifically opted in to receive this type of call from you.

So what do you need to do?

  • Consider whether consent is the most appropriate lawful basis for processing – can you use legitimate interests instead?

  • Make sure your privacy notice covers direct marketing if you will be sending it to clients

  • Ensure that there is an easy way for clients to opt-out of marketing and that your system can record the opt-out

  • Ensure your marketing teams screen all marketing data against both the telephone preference service and mail preference service

  • If you do need (or want) to rely on consent then review your current opt-ins; if they don’t meet the requirements of Article 7 then you will need to ask your clients to opt in again

  • Keep an eye out for our updates on the E-Privacy Regulation – it was supposed to be ready for 25th May 2018 but this is looking increasingly unlikely as the text is yet to be finalised

Get in touch

We will be talking about the practicalities of GDPR at our upcoming conference in London on 26th April.  However, if you’d like to discuss data protection and GDPR with one of our experts, simply contact us today.


The Data Protection Bill – What do I need to know?


The draft Data Protection Bill [HL] 2017-19 will get its second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent.  In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates[1].

In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and as it is a Regulation it does not need to be transposed into domestic law.  But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.


GDPR widens the scope of the previous Data Protection Directive (which was the EU legislation that underpinned the Data Protection Act 1998) to provide data subjects with greater protection for their personal data and also extends data subject rights.  The Regulation reduces the principles from 8 to 6, but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation (like subject access requests), but some are new.  Data controllers must be able to demonstrate compliance with all the principles (accountability) and there are new obligations for data processors.


The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision.  The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects.  In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.”[2]

An overview of the LED can be found here.

Council of Europe Convention on Processing Personal Data

The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit.  The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection.  The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:

“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the trans frontier flow of personal data.”[3]

The Convention will be modernised and will reflect the same principles as GDPR.  A draft version is available online.

The Draft Bill

The draft Data Protection Bill (‘the Bill’) has a number of purposes:

  • It sets out how the UK would apply the derogations available under GDPR

  • It will bring the Law Enforcement Directive (LED) into UK law

  • It updates the laws governing personal data processing by the intelligence services

  • It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit

  • It will repeal the Data Protection Act 1998

The Bill was originally introduced into the House of Lords on 13th September 2017, but its passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.

GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:

  • The age of consent for children to access information society services

  • Processing criminal conviction and offence data

  • Automated individual decision-making

  • Freedom of expression in the media

  • Research

The Bill was introduced to the House of Lords on 13th September 2017 and following much debate it was introduced to the House of Commons on 18th January 2018.

The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do –

The Bill is split into seven Parts and eighteen schedules:

  • Part 1: Bill overview and definition of key terms
  • Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
  • Part 3: LED and law enforcement processing
  • Part 4: National Security Processing through a modernised Council of Europe Convention
  • Part 5: Functions and Duties of the Information Commissioner – including requirement to publish codes of practice on data sharing, direct marketing, age appropriate design for online services likely to be accessed by children
  • Part 6: Enforcement regime and ICO Powers
  • Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application

The Briefing Paper also includes a summary of the House of Lords debates; for those who are interested in reading more, the full debate transcripts are available on the House of Lords website.

So, for those of you using the 80 days (inc weekends and bank holidays) to prepare for GDPR, what does this mean?  Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill and specifically the section around the Information Commissioner and Enforcement.  If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED but you will need to familiarise yourself with the Parts of the Act that are relevant to you.  Everyone will need to monitor the Government’s Brexit negotiations, as once we leave the EU the UK will be a ‘Third Country’ and there may be additional requirements to enable the transfer of data between the EU and member states.





[2] European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 –

