Certain information must be provided to data subject under the GDPR.

Laws on Using Personal Information Are Changing. Are You Ready?

The Current Situation

As many of us will already know, if we use personal information we are likely to be subject to data protection laws that govern the way in which we are able to use that information.  Whether we have a simple contacts and appointments book as a self-employed or freelance worker, post pictures on social media promoting our business or charity, or have many thousands of individual client records within a large business, we are likely to be required to comply with the Data Protection Act 1998.

While some organisations have excellent standards of compliance, I think it would be fairly safe to say that many remain unaware of their obligations under the legislation and, perhaps for some, even that the law exists or that it applies to them.  Arguably that has been due, at least in part, to the minimal risks facing most from non-compliance.  The Information Commissioner’s Office (ICO) can and does issue fairly significant fines, and we have recently seen Talk Talk given a record £400k fine for failing to appropriately secure personal information.  However, for many, the circumstances that give rise to these headline-grabbing penalties are likely to seem a world away from their own operations.

What is Changing?

personal information
Significant changes to the way in which you need to manage personal information are on their way.

Every organisation that uses personal information should be aware that the most significant change to data protection law in decades is on the horizon.  After a time of uncertainty, the way forward for the implementation of the General Data Protection Regulation (GDPR) seems to be emerging.  The new EU Regulation on data protection was adopted earlier this year, becoming effective in all EU member states in May 2018.

Being an EU Regulation, naturally there was some confusion (and, perhaps for some, wishful thinking!) about whether it would actually come into force following the Brexit vote.  However, we now have confirmation that the ICO considers the Regulation as being in force (just not in effect), as well as the widely reported proposal from the UK Government that all existing EU legislation will be transposed into domestic legislation by the Great Repeal Bill.

The UK Government may chose to amend some aspects of certain EU Regulations although in the case of GDPR, most are unlikely to be in a position where they can afford to wait and see what happens.  With fines in the new legislation of up to an eye-watering 4% of annual global turnover or €20M, there can now be little doubt that it is definitely time to get started with changes required to implement the new standards.  We also need to remember that the Regulation (in its current form) is highly likely to come fully into force before we leave the EU.

What Does My Organisation Need To Do?

This blog will help you prepare for the new data protection legislation and manage key risks to your organisations.

We will be issuing a regular blog that looks at the practicalities of implementing new requirements, draws together any relevant advice and guidance that has been issued, and keeps you informed on the meaning of any legislative change that could effect implementation.  Topics that will be covered will specifically discuss some of the new GDPR requirements and will include:

  • Implementing a breach reporting procedure that informs the ICO and people where their data has been put at risk;
  • The practical implications of the “right to be forgotten”.  Individuals can request, at any time, that information you hold about them is deleted and you must be able to comply with this request unless there are legitimate grounds to continue holding it, for example, for tax purposes.  By implication, you will need to know what information you are holding, how long you need to hold it for, when you are able to destroy it, and provide confirmation it has been destroyed, which is arguably already a requirement under existing legislation;
  • The meaning of “data protection by design and default”.  Adequate controls to safeguard personal information must be integrated into systems and procedures from the planning stages, and in some cases will require a privacy impact assessment;
  • Understanding the legal basis for processing personal information, which means you are able to justify, in terms of the legislation, why you are processing personal information.  While this may sound like legal jargon, it is going to be an area that organisations will need to familiarise themselves with in order to comply and we will try to break this down into simple tasks.  People will have a right to this information, and it will also need to be included in privacy notices;
  • Following on from above, consent is one of the conditions for processing that you may be currently using the rules for the use of consent are changing.  Again this is likely to be a major task for some organisations.  Our blog will look at what procedures may require change and ways of integrating the obtaining of consent into existing processes that comply with the new legislation;
  • Some organisations will require a data protection officer and we will look at their role and how that should facilitate compliance.

 Key Action Points

Regardless of size, organisations need to start their preparations for the data protection legislationThere is some information available from the ICO’s data protection reform site and all organisations should start by reviewing the 12 steps for preparing for GDPR.  At the very least, organisations should be looking at their compliance with the current legislation and taking action to address gaps.  Building on the ICO’s guidance, two key tasks to get started on are to:

  • Identify what personal data you hold, where it was obtained from and who it is shared with.  As discussed above, you should also understand why you are
    holding it (the purpose), how long you need to retain it for, and ensure it can be destroyed when it is no longer required;
  • Raise awareness of the new legislation within your organisation.  Change is likely to require resources and senior management buy-in which will be supported by key people in your organisation fully understanding the risks.

As always, feedback and requests for topics are always welcome.


Liz has worked with data protection for nearly 20 years and helps organisation with managing their information as well as practical compliance with information-related legislation.

The material contained in this site and in this blog constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained in this site without first taking professional advice appropriate to their particular circumstances.

Updated – Publishing CCTV Images – Don’t Be Tempted!

15886618 - cctv security camera on white background 3dWith the recent publicity surrounding Virgin Trains, empty seats and Jeremy Corbyn, it would seem that organisations remain unaware of the data protection implications when using CCTV images.

There was an interesting story that was reported in the press on 31 December 2015 about a restaurant who posted an image from their CCTV on Facebook of a group of 4 people that had allegedly left the restaurant without paying their bill.  I am sure there will have been a significant number of people who read the reports and thought this was a highly effective way of addressing this particular issue.

Much of the discussion that followed centred on whether or not this was an appropriate course of action for the restaurant to take from a customer service perspective.  The comments that were reported suggested the majority of people felt it was a social media blunder although there was also some support for the action taken by the restaurant.

However, leaving that particular argument to one side, what did not seem to be mentioned in any of the reports was the fact that posting CCTV images of people on-line is likely to be unlawful in the vast majority of situations including both of those mentioned above.  The consequences and potential penalties of unlawful processing could be far greater than the cost of a meal for 4 that was quoted in the press.  In fact, there have already been investigations into exactly this type of information disclosure where an organisation streamed CCTV footage to the YouTube website and was required to enter into an Undertaking with the regulatory body, the Information Commissioner’s Office (ICO), to address breaches of the Data Protection Act 1998 (the Act).

CCTV images will usually be considered personal data, and in this particular case will definitely fall within data protection legislation as the people were clearly identifiable.  Assuming the restaurant is using CCTV lawfully in the first instance (they have notified the ICO and have the relevant and appropriate data processing notices), it is still difficult to imagine any circumstances in which most businesses can lawfully publish CCTV images.

All personal data, including images, must be obtained for a legitimate business purpose, which must be a legitimate business activity of the organisation collecting the data.   Once obtained, the data can only be used for that purpose and should also be processed in a way in that ensures compliance will all 8 Principles of the Act.

Most businesses will report the use of CCTV as being used legitimately for crime prevention and detection although the need for CCTV should be demonstrated through the necessary risk assessments and privacy impact assessments.

When it comes to investigating crime rather than preventing or detecting crime, there are very few organisations that will be able to report this as a legitimate business activity, with the obvious exception being law enforcement agencies.  Therefore any processing by organisations for the purposes of investigating or solving “crime” that are not law enforcement agencies is likely to be unlawful.  I have used “” for the word crime as I am not sure from a legal perspective whether there is technically any evidence to suggest a crime had actually been committed by one or more of the party of 4 in this case.  Media coverage suggests the incident had not been reported to the police at that time the image was published.

Furthermore, the ICO makes it quite clear in their CCTV Code of Practice that the identification of individuals from CCTV should only be carried out by law enforcement agencies and goes on to state:

 “…it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet …”

Therefore, in answer to the question in the title, my view is that it is quite clear CCTV images should not be published anywhere, including on the internet, and it may even be unlawful.

From the information reported in the media, there is potentially a whole catalogue of breaches of the law.  The case also calls into question whether the necessary risk and impact assessments had been carried out.  The penalties could be significant if any follow-up action is taken by the ICO.  Furthermore, action could be taken by any of people identified in the CCTV who may have grounds to make a legitimate complaint due to the unlawful disclosure of their personal data and, in some circumstances, seek compensation for damages.  It should be noted the restaurant subsequently removed the post.

If you have CCTV you need to ensure its use is justified and the data being collected is being processed in accordance with the relevant legislation.  Comprehensive guidance is available from the ICO and, as always, please contact me to discuss training requirements or for help with impact or risk assessments.

Make sure your e-mail marketing is compliant with data protection laws

Using E-mail for Direct Marketing: Do You Know the Rules?

I was recently attending a training session and a discussion started late in the afternoon about e-mail marketing and making the most of customer lists. There wasn’t much of the day left and after a brief chat, we made a joint decision it would be an ideal first topic for my blog.  So a big thank you to everyone for the inspiration to get started!

Connecting with customers is hugely important for all kinds of organisations.  Most of us receive lots of e-mails every day for a wide range of purposes including marketing as e-mail is quick, easy to use and can be a highly effective promotional tool.

Using e-mail for direct marketing activities is governed in the UK by the Privacy and Electronic Communications Regulations (the Regulations), regulated by the Information Commissioner (ICO).  He is able to impose fines of up to £500,000 for breaching the rules, meaning that getting it wrong can be costly both in monetary terms and irritating your customers.

This blog has some hints and tips on staying compliant although exact practical requirements for your organisation will depend on your circumstances. Therefore it is essential that you read the ICO’s guidance and contact me for further help if required.

In terms of the legislation, marketing is not just the promotion of goods and services by commercial organisations. It also encompasses the communication of aims and ideals, and covers charities and not-for-profit organisations.

Most organisations are likely to undertake solicited and unsolicited marketing. Solicited marketing is where a customer has specifically requested information such as completing an on-line form to request further details about a particular product.  The Regulations generally don’t apply here although remember there will almost certainly be other data protection obligations that are relevant.

Unsolicited marketing is where you send marketing material to people, who are perhaps on a client list or in a customer database, when they haven’t specifically asked for it. This will be covered by the Regulations and requires those that you are targeting to have given their permission to use their contact details (in this case their e-mail address) for marketing purposes.

The way in which you obtain consent is likely to depend upon how you are interacting with a customer. Best practice is to have what is called an “opt in” box, where customers have to take positive action (in this case, tick the box) to indicate they are consenting to receiving information.  An example of text that could be used alongside an tick box would be:

“Tick this box if you would like to receive information about our goods and services by e-mail.”

The Regulations do not require explicit consent and therefore you can use “implied consent”, meaning it is reasonable from the context to assume people want to receive information.   However, bear in mind that there are new EU regulations on the horizon and implied consent is unlikely to be compliant if they come into force in their current form.  Note that implied consent is not considered to be the same as opting out, discussed below.

The next option is the “soft opt-in”. This is for existing customers in the following circumstances:

  •  Contact details have been obtained during the course of a sale;
  • You are only marketing your own similar products or services; and
  • People are given an opportunity to opt out of marketing both when details where first collected and in every message after that.

Again, it is questionable whether the soft opt in will comply with the proposed regulations once they come into force, therefore you may wish to consider changing your procedures to opt in if you are currently relying on the soft opt in.

The final option is an “opt out” box. An example of text alongside an opt out box would be:

“Tick this box if you do not wish to receive information about our products and services.”

It is generally recommended that this option is only used as part of a soft opt in. Relying solely on an opt out is unlikely to meet your legal obligations as not ticking a box does not necessarily indicate a person is consenting to receiving marketing information.

There are other requirements when using e-mails for marketing purposes. In every communication you must always tell people who you are, provide contact details, and a mechanism for people to unsubscribe from your marketing communications.

Also don’t forget about your other types of marketing, for example, by post, telephone (recorded or live), and fax, all of which are covered to some extent by the Regulations and may require consent.

Note that the Regulations only apply when sending marketing communication to personal e-mails although this includes sole traders and partnerships. To stay compliant, you may wish to consider having one policy for all e-mail marketing that follows best practice for personal e-mails.  This will be particularly important for business to business marketing where organisational structure may be unclear from an e-mail address.

Further Information
As always, you can contact me if you require further consultancy and advice on the practical implementation of data protection requirements.

There may be additional factors that you need to consider in your particular circumstances and a PDF guide is available from the ICO together with a checklist summary.