ICO 2017-18 Annual Report: Data protection complaints and breach reports up

ICO annual report increase

  The Information Commissioner’s Office has published their 2017-2018 Annual Report (covering the 12 months leading up to 31st March 2018) highlighting an increase in activities and some challenging activities. The report is the ICO’s annual report to parliament as required by the Data Protection Act 1998. Bearing in mind that it covers the year in the lead up to the GDPR deadline (25th May) and so doesn’t cover any impact (initial or long term), it still presents some interesting […]

EU and Japan agree data protection adequacy

Japan EU Adequacy

  This week the EU and Japan have agreed to recognise each others data protection regulations as “adequate” meaning that once the formalities are completed (later this year), Japan will be added to the list of non-EU countries who have adequate data protection regimes. The GDPR and the Data Protection Directive before it, puts in place restrictions on the transfer of personal data outside the EU. Transfer only being allowed when the country where the data will be processed: Has […]

DCMS consults on data protection fee exemptions


The Department for Culture, Media and Sport (DCMS) has published a consultation on exemptions under the Data Protection Act 2018 from paying a registration fee to the ICO. Under the old Data Protection Act 1998 there were obligations to notify the ICO if you process data, unless an exemption applied. Under the GDPR, which the new (2018) Act implements there are no such conditions for registration, but the new Data Protection (Charges and Information) Regulations, which came into force on […]

Is this the end of US Privacy Shield?

EU-US Privacy Shield

Last week the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) called on the EU Commission to suspend the EU-US Privacy Shield agreement, saying Privacy Shield doesn’t provide enough protection for EU citizens’ data. What’s Privacy Shield? Privacy Shield was adopted in 2016, replacing the previous agreement (Safe Harbor) which had been determined in 2015, to be inadequate in meeting EU standards of data protection. In essence the Privacy Shield provides the grounds by which US businesses can […]

And so, a new era in data protection begins

GDPR is here

It’s a date that’s been in everyone’s minds for some time whether it’s because you’re a business targeting it as the deadline to complete your GDPR compliance project, or a consumer being bombarded by “we need to re-seek your consent” emails. The 25th May is here – the day the EU’s General Data Protection Regulation (GDPR) comes into force. It impacts any business or organisation operating in the UK that is processing personal data, and updates the previous EU Data […]

Data Protection Bill to receive Royal Assent 23rd May


According to the Parliament website both the House of Commons and House of Lords have agreed on the text of the Data Protection Bill which now awaits Royal Assent, which is scheduled for tomorrow (23rd May 2018). The Bill will become the Data Protection Act 2018. It’s main aims are to: implement the GDPR into UK law set out how the UK applies the derogations available under the GDPR bring the Law Enforcement Directive into UK law update the laws […]

ICO publish consent guidance and update cookie consent rules

consent and cookies

We’ve been waiting for some time, for the Information Commissioner’s Office (ICO) to publish it’s final consent guidance. It’s been in draft since March last year and waiting on the Article 29 Working Party’s own guidance. Last week however, they published their final guidance. You can read it here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/. There’s not many differences from the original draft from last year other than the removal of the time limit on how long consent lasts – they were indicating probably around 2 […]

Legitimate Interest guidance published

legitimate interest

The Information Commissioners’ Office (ICO) has published detailed guidance on the use of legitimate interests as the lawful basis for processing. The guidance sets out details about legitimate interest, when you can use it and how to use a legitimate interest impact assessment (LIA) to determine whether it is lawful for you to process data as a legitimate interest. Fundamentally there is little change under GDPR in terms of legitimate interest but the GDPR’s principles of transparency and accountability mean […]

ICO Publishes DPIA Guidance consultation

GDPR transparency

The ICO has published draft guidance on the use of Data Protection Impact Assessments (DPIA), a tool used to assess the risks of processing personal data. The UK has had Privacy Impact Assessments (PIA) for some time as best practice but the GDPR enforces the need for DPIA in certain circumstances. The draft guidance: Covers what’s expected when you carry out a DPIA as well as information about what they are and in what circumstances you would use them How […]

Draft Data Protection (Charges and Information) Regulations 2018


Draft Regulations on the ICO registration fees were laid before Parliament on the 20th February. These draft regulations will come into force on 25th May (to coincide with the General Data Protection Regulation (GDPR)). The new Regulations set out the ICO registration fee scheme including the fee structure: Tier 1 – micro organisations You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40. Tier […]