The document discusses several legal issues facing education providers, including data protection law changes and contracting requirements for apprenticeships under the new regime. It provides guidance on implementing publication schemes required under freedom of information laws. It also offers advice on properly documenting third party use of education facilities to avoid legal risks. Key points covered include the need for education providers to comply with new GDPR data protection standards by May 2018, and ensuring apprenticeship contracts and subcontracts meet ESFA funding rule requirements.
The document summarizes key aspects of the General Data Protection Regulation (GDPR) taking effect in May 2018 and recommendations for organizations to comply. It outlines the GDPR's 5 main duties: rights of EU data subjects, security of personal data, lawfulness and consent, accountability of compliance, and data protection by design and default. The document recommends organizations assess risks, identify necessary policies, processes, and technologies, and leverage IBM's solutions framework and experience helping clients in various industries prepare for the GDPR.
GDPR: A Threat or Opportunity? www.normanbroadbent. - Steven Salter
With General Data Protection Regulation (GDPR) a legal requirement for all UK companies from May 2018, there have been numerous articles written either demonstrating the confusion surrounding the new regulations, or detailing the downsides of the legislation.
These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, to which both the EU and UK remain strongly committed. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO is far from acting as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.
Brexit Data Protection Update: The EU, US and UK Perspective - TrustArc
On 31 January 2020, the United Kingdom left the European Union. For the first time since its creation, a member state has decided to leave the common market, and for now, it is uncertain what the future holds for current privacy legislation. The new relationship between the UK and the EU will be negotiated in the course of this year, with the agreed transition period ending on 31 December. During this period, GDPR will apply as if nothing has changed. But what will happen after?
This webinar will discuss the following topics:
- What does Brexit mean from a data protection perspective?
- What does it mean for the UK itself and for the position of the Information Commissioner’s Office?
- What will be the impact of Brexit for data flows to and from the remaining 27 EU Member States and the countries of the European Economic Area?
- And will there be any impact on the UK-US data flows?
If the UK leaves the EU and EEA, will it be "adequate" for data transfers from the EU? Evidence suggests not, especially following the passing of the IP Act and the Tele2/Watson CJEU decision.
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain - David Erdos
*** N.B. For full working paper see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3505921 ***
This paper argues that Google’s essentially blanket and unsafeguarded dissemination to webmasters of URLs deindexed under the Google Spain judgment involves the disclosure of the claimant’s personal data, cannot be justified either on the purported basis of their consent or on the basis that this is legally required, and instead seriously infringes European data protection standards. Disclosure of this data would only be compatible with the contextually sensitive initial context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) subject to effective safeguards that prevented any unauthorised repurposing or other use. Strict necessity thresholds would need to apply where disclosure involved special category data or was subject to reasoned objection by a data subject, and international transfers would require appropriate safeguards such as those provided by the European Commission’s standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject’s rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether the data subject claims rights in data protection, defamation or civil privacy. The public’s legitimate interests in receiving information on personal data removals should be secured through safeguarded scientific research that the search engines should facilitate and promote.
What is GDPR, the EU’s new data protection law? What is the GDPR? Europe’s new data privacy and security regulation consists of many pages’ worth of new requirements for organisations around the world. This GDPR summary can help you understand the law and determine what parts of it apply to you. The General Data Protection Regulation (GDPR) is the toughest privacy and security regulation in the world.
Data Protection and Academic Research: The New GDPR Framework - David Erdos
These slides provide an overview of the new data protection framework for academic research under the GDPR, situating this within the broader context of ethical review. After outlining the broad scope and default duties of the GDPR, the slides look at the critical issue of distinguishing processing for “academic purposes” (common in the humanities and social studies) from processing only for “research” (common in the biomedical and other “hard” sciences). Whilst the former is subject to wide and liberal derogations akin to journalism, the latter is subject to mandatory safeguards and limited (and often further safeguarded) derogations. The implications of all this for ensuring lawful processing are outlined, focusing on purpose specification, transparency, legal vires, data export and discipline duties as regards processors and co-controllers. It is finally noted that article 23 of the GDPR could permit further flexibility in future through secondary legislation.
European Data Protection and Social Networking - David Erdos
These slides explore significant issues arising under data protection for both users and platforms as a result of the publication of third party personal data on such sites. Although the GDPR’s new wording of the household exemption could potentially exclude non-intrusive processing (e.g. sharing innocuous pictures taken in public), the Court of Justice of the EU (CJEU) is increasingly insistent that users acquire responsibilities when they publish such data to an indeterminate number of people. In principle, most EU Data Protection Authorities (DPAs) accept this, although others, including the UK and Irish DPAs, have been very resistant. Many users could therefore have weighty data protection obligations here, although if contributing to a collective public debate they may be covered by the journalistic/special expression derogation, and in any case there is a need for a balance with freedom of expression. CJEU ‘joint controller’ case law also points to social networking sites having their own duties here, a proposition which has been backed by the Working Party, the UK DPA and the UK courts. Whilst the e-Commerce ‘host’ shield should significantly limit ex ante responsibility here, this must be tempered by the ‘duty of care’ which is inherent in being a ‘controller’ under data protection. In sum, data protection in principle remains central to the regulation of ‘online harms’ here, although ensuring effective and well-balanced regulation in practice remains a formidable challenge.
See further:
“Intermediary Publishers and European data protection: Delimiting the ambit of responsibility for third-party rights through a synthetic interpretation of the EU acquis”, International Journal of Law and Information Technology (Vol. 26(3), pp. 189-225) (2018) - https://academic.oup.com/ijlit/article/26/3/189/5033541
“Beyond ‘Having a Domestic’? Regulatory Interpretation of European Data Protection Law and Individual Publication”, Computer Law and Security Review (Vol. 33(3), pp. 275-297) (2017) - Pre-print https://www.repository.cam.ac.uk/handle/1810/263883
General Data Protection Regulation: what do you need to do to get prepared? -... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Helena Wootton looks at the things you need to do to get prepared for the new data protection regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Be careful what you wish for: the great Data Protection law reform - Lilian E... - IISPEastMids
At our Spring East Midlands Cyber Security event on the Impact of the General Data Protection Regulation, Lilian Edwards looked at the basics on what you need to know about the new regulation.
http://qonex.com/east-midlands-cyber-security-forum/
Legal & General Surveying Services have published an article in their magazine Perspective on The General Data Protection Regulation (GDPR), due April of next year, which will govern how businesses process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act.
This document provides a preview of key privacy and data security trends and issues that organizations should prepare for in 2017. It highlights major developments and challenges, such as the implementation of the EU's General Data Protection Regulation (GDPR), uncertainty around the EU-US Privacy Shield agreement, growing momentum to regulate privacy in internet-connected devices, and increasing privacy litigation and cyber threats. The document advises organizations to undertake assessments, update policies and procedures, and budget adequately to strengthen compliance and mitigate risks arising from these evolving laws, regulations and technologies.
The GDPR Compliance Primer has been prepared by the members of the IAB Europe GDPR Implementation Working Group, under the leadership of Improve Digital.
Data Protection Rules are Changing: What Can You Do to Prepare? - Lumension
The European Union’s proposed new data protection regulation aims to update Europe’s data protection laws and to provide a more consistent data protection framework across the Continent.
But the new regulation, which replaces the EU’s existing data protection directive and member states’ data protection laws, will put some new demands on organisations holding personal data. Breach disclosure and “the right to be forgotten” will force businesses to update their data protection and retention policies.
This presentation will:
- Review the current EU laws, and contrast them with laws in other parts of the world;
- Examine the arguments for strengthening data protection in Europe, and the likely outcomes;
- Look at what security teams should already be doing to put themselves ahead of legislative changes;
- Outline strategies and technologies organisations need to meet current and future data protection requirements;
- Help infosecurity teams to explain the changes – and their consequences – to their boards
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect... - John Nas
The document discusses the challenges facing public sector organizations in the EU in adopting cloud solutions due to concerns over privacy and data protection. Recent legal changes like the invalidation of the Safe Harbor agreement and the passage of CISA in the US have increased worries that personal data of EU citizens could be accessed by US intelligence agencies. The upcoming GDPR will also broaden the definition of personal data and increase responsibilities of organizations. To address these risks, the document proposes a "franchise" model where a local EU entity acts as the data processor and is contractually separated from the non-EU cloud provider to ensure data remains outside of US jurisdiction.
The document discusses key priorities for boards to consider regarding implementation of the General Data Protection Regulation (GDPR). It provides an overview of the new requirements under GDPR, including expanded individual data rights for EU citizens, increased fines for noncompliance, and broader territorial scope. The document advises boards to ensure proper oversight of their organization's GDPR compliance programs, including regular reporting on status, audits, investigations and market developments. Directors could face liability for failing to oversee GDPR compliance risks.
GIG Working Paper 02/2017 - The Definition of Personal Data - IAB Europe
This second output of the GIG focuses on the definition of Personal Data under the GDPR, explaining how it will affect companies in the online advertising space.
The GDPR will directly apply across the EU from May 2018, replacing the previous data protection directive. It expands the scope of regulations and increases accountability for organizations. Individual rights are also enhanced, including rights to access, rectify, and erase personal data. Non-compliance can result in fines of up to 20 million euros or 4% of annual global turnover. Organizations should begin compliance projects now to assess risks, strengthen policies, and appoint data protection officers. The GDPR aims to harmonize data protection and modernize rules for an increasingly digital world.
The Data Protection Act (2018) and General Data Protection Regulation (2016) establish rules for processing and handling personal data. The acts require consent for data use and sharing, ensure data accuracy, require secure data storage, and appoint a data protection officer for compliance. They protect individual privacy and require notifications for data breaches. The GDPR covers EU law while the DPA covers UK law, and both currently apply as the UK remains in the EU.
The third output of the GDPR Implementation Group focuses on the topic of consent and its implications for online advertising companies when used as a legal basis for processing.
The document provides guidance to companies on becoming compliant with the General Data Protection Regulation (GDPR). It explains what GDPR is and how it strengthens data protection rules in the EU. It then outlines the key changes under GDPR and presents a process flow for how a company can achieve compliance, including awareness campaigns, assessing risks and current state, implementing changes, updating policies and notices, and ongoing training. It identifies areas companies should analyze like marketing, IT, legal, and provides questions they should ask to validate compliance. The deadline for compliance is May 25, 2018.
Data Protection Reform: What Businesses Need to know About GDPR and its Impac... - MediaPost
General Data Protection Regulation (“GDPR”) kicks in next year, and brands will be expected to comply with these consumer privacy rules. In this session, Claire Stockill, Solicitor at Irwin Mitchell LLP will explain what these rules mean for B2C email marketers. The presentation will explore the effects GDPR will have on consent, the need for increased transparency, fines associated with non-compliance and a look at the results of a recent YouGov survey on GDPR readiness.
20121016 letter google-article-29-final - Greg Sterling
The Article 29 Working Party, an advisory body made up of European data protection regulators, investigated changes to Google's privacy policy implemented in March 2012. The investigation found that Google's new policy provided insufficient information to users about what data is collected and how it is used. It also allowed broad combination of user data across Google services without appropriate controls. The Working Party made recommendations for Google to improve transparency around its data practices and give users more control over the combination of their data. Google was asked to respond with plans to update its privacy policy and practices.
This presentation reviews GDPR at a high level, and presents the core philosophy behind GDPR as well as the key concepts and key elements to consider in your data protection program.
“The European Union data privacy landscape is about to undergo dramatic change, with lasting enterprise-wide implications for the way that organisations handle, protect and use the personal data of EU individuals. Organisations of all sizes, across all industries and geographies, that process personal data of EU residents need to take steps now to comply with the new EU General Data Protection Regulation by 2018, to satisfy management fiduciary duties and avoid potentially costly penalties.”
The document discusses the EU General Data Protection Regulation (GDPR), which took effect in May 2018. It provides the following key points:
- The GDPR replaced the previous EU data protection directive and directly applies across all EU member states. It aims to give individuals more control over their personal data.
- Key aspects of the GDPR include expanded territorial reach, requirements for data protection officers, increased accountability and privacy by design principles, strengthened rights for data subjects, and larger maximum fines for noncompliance.
- Companies need to review their data processing activities, legal bases for processing, consent mechanisms, security, breach response plans, and privacy notices to ensure compliance with the extensive new obligations and standards introduced by the GD
GDPR - Get the facts and prepare your business - Mark Baker
The GDPR will become law on May 25, 2018 and requires any organization that collects or processes personal data from EU citizens to comply with new privacy regulations. It mandates breach reporting within 72 hours of discovery and fines of up to 20 million euros for noncompliance. It also introduces the principle of "data protection by design" which requires privacy to be built into new systems and processes from the start. To prepare, organizations need to review technologies and processes for breach detection and reporting, and make privacy protections a fundamental part of their operations and systems.
General Data Protection Regulation (GDPR) - Moving from confusion to readiness - Omo Osagiede
The document discusses the General Data Protection Regulation (GDPR) which regulates how companies handle personal data of EU citizens. It provides an overview of GDPR including key events leading to its adoption and how it strengthens data protection rights. It highlights some notable differences between GDPR and the previous UK Data Protection Act. The document also outlines an approach for companies to become GDPR compliant including conducting a data assessment, updating policies and processes, and appointing a data protection officer if needed. It notes both the penalties for non-compliance and opportunities that GDPR presents organizations.
The document provides guidance to companies on becoming compliant with the General Data Protection Regulation (GDPR). It explains what GDPR is and how it strengthens data protection rules in the EU. It then outlines the key changes under GDPR and presents a process flow for how a company can achieve compliance, including awareness campaigns, assessing risks and current state, implementing changes, updating policies and notices, and ongoing training. It identifies areas companies should analyze like marketing, IT, legal, and provides questions they should ask to validate compliance. The deadline for compliance is May 25, 2018.
Data Protection Reform: What Businesses Need to know About GDPR and its Impac...MediaPost
General Data Protection Regulation (“GDPR”) kicks in next year, and brands will be expected to comply with these consumer privacy rules. In this session, Claire Stockill, Solicitor at Irwin Mitchell LLP will explain what these rules mean for B2C email marketers. The presentation will explore the effects GDPR will have on consent, the need for increased transparency, fines associated with non-compliance and a look at the results of a recent YouGov survey on GDPR readiness.
20121016 letter google-article-29-finalGreg Sterling
The Article 29 Working Party, an advisory body made up of European data protection regulators, investigated changes to Google's privacy policy implemented in March 2012. The investigation found that Google's new policy provided insufficient information to users about what data is collected and how it is used. It also allowed broad combination of user data across Google services without appropriate controls. The Working Party made recommendations for Google to improve transparency around its data practices and give users more control over the combination of their data. Google was asked to respond with plans to update its privacy policy and practices.
This presentation reviews GDPR at a high level, and presents the core philosophy behind GDPR as well as the key concepts and key elements to consider in your data protection program.
“The European Union data privacy landscape is about to undergo dramatic change, with lasting enterprise wide implications for the way that organisations handle, protect and use the personal data of EU individuals.
Organisations of all sizes, across all industries, and geographies that process personal data of EU residents need to take steps now to comply with the new EU General Data Protection Regulation by 2018, to satisfy management fiduciary duties
and avoid potentially costly penalties.”
The document discusses the EU General Data Protection Regulation (GDPR), which took effect in May 2018. It provides the following key points:
- The GDPR replaced the previous EU data protection directive and directly applies across all EU member states. It aims to give individuals more control over their personal data.
- Key aspects of the GDPR include expanded territorial reach, requirements for data protection officers, increased accountability and privacy by design principles, strengthened rights for data subjects, and larger maximum fines for noncompliance.
- Companies need to review their data processing activities, legal bases for processing, consent mechanisms, security, breach response plans, and privacy notices to ensure compliance with the extensive new obligations and standards introduced by the GD
GDPR- Get the facts and prepare your businessMark Baker
The GDPR will become law on May 25, 2018 and requires any organization that collects or processes personal data from EU citizens to comply with new privacy regulations. It mandates breach reporting within 72 hours of discovery and fines of up to 20 million euros for noncompliance. It also introduces the principle of "data protection by design" which requires privacy to be built into new systems and processes from the start. To prepare, organizations need to review technologies and processes for breach detection and reporting, and make privacy protections a fundamental part of their operations and systems.
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
The document discusses the General Data Protection Regulation (GDPR) which regulates how companies handle personal data of EU citizens. It provides an overview of GDPR including key events leading to its adoption and how it strengthens data protection rights. It highlights some notable differences between GDPR and the previous UK Data Protection Act. The document also outlines an approach for companies to become GDPR compliant including conducting a data assessment, updating policies and processes, and appointing a data protection officer if needed. It notes both the penalties for non-compliance and opportunities that GDPR presents organizations.
In general, the GDPR applies to any business that processes personal data by automated or manual processing
A strategic approach is introduced to regulating personal data and the normative foundations of the European Unions General Data Protection Regulation (GDPR)
Existing Requirements imposed by the 1995 Data Protection Directive are refined.
It does this by establishing a uniform framework for data protection legislation across the EU
Cognizant business consulting the impacts of gdpraudrey miguel
GDPR will fundamentally change the approach to personal data protection in Europe beginning in May 2018. It aims to give individuals greater control over their personal data and places more responsibility on organizations to demonstrate appropriate consent and data usage. While Swiss law already protects personal data, recent updates to Switzerland's Federal Act on Data Protection are intended to closely align it with GDPR. Organizations need to start implementing programs now to assess their compliance and address new requirements around data usage, security, individual rights and oversight.
This article discusses Binding Corporate Rules (BCRs) which allow multinational companies to transfer personal data outside the European Union in compliance with EU data protection laws. It provides three key points:
1) BCRs operate as an intra-group code of conduct that sets privacy principles and rules for processing personal data. They must be legally binding on group entities.
2) There are two types of BCRs - one for data controllers and one for data processors. Over 60 BCRs have been approved to date.
3) BCRs can help prepare companies for the upcoming EU General Data Protection Regulation by already requiring accountability standards that will be mandated under the new law, such as documentation obligations
The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to review their data protection practices and ensure they are prepared to comply with GDPR requirements that take effect in May 2018.
The document provides a summary of the key aspects of the General Data Protection Regulation (GDPR) in 3 pages. It discusses the basic principles of GDPR, how it may impact technology systems, and software tools that can help with compliance. Some of the main topics covered include the definition of personal and sensitive data, data subject rights, privacy by design, security requirements, and obligations for controllers and processors. The summary emphasizes the need for businesses to focus on compliance given the enhanced penalties and wider scope of GDPR.
The General Data Protection Regulation (GDPR) is a new EU data protection law that takes effect in May 2018. It places greater obligations on organizations to protect personal data and privacy. The GDPR expands the definition of personal data, increases requirements for consent and transparency, strengthens individual rights, and imposes tougher fines for non-compliance. Businesses need to review their data protection practices, identify any risks, and make changes to policies and procedures to ensure compliance with the new law. Failure to comply could result in significant fines of up to 4% of global revenue.
The European Union will introduce the new General Data Protection Regulation for implementation May 2018. This makes it a legal requirement on all businesses owners to comply with the new regulations or face heavy fines. This will still apply to UK companies after Brexit.
The document discusses California's new privacy law called the California Consumer Privacy Act (CCPA) which gives California residents the right to access information about what personal data companies have collected about them and how it is shared. It was inspired by Europe's GDPR law. While similar to GDPR, CCPA has some differences in terms of what entities it covers, penalties for non-compliance, and consumer rights. The document advises companies to proactively prepare for CCPA compliance now rather than waiting, as it will require significant changes to their data practices and procedures. A multi-stage process for compliance preparation is outlined that includes assessing current data use and policies, building consumer access and consent tools, and finalizing the compliance
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require the implementation of legislation, and will immediately become an applicable law as of the 25th of May, 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if that do not adhere to this new regulation
How your organization can prepare for the future
1) The GDPR grants EU citizens various personal data rights and requires organizations to respond to data requests within 72 hours or face penalties up to 4% of global revenues.
2) To assess GDPR risk, companies should consider if they have any interaction with EU citizens through business activities, employees, investors, or incidental data collection that could include EU personal data.
3) If any risk is found, companies must establish a written GDPR compliance structure that defines responsible parties for data controller, processor, and protection officer roles to oversee personal data processing, storage, and deletion according to GDPR requirements.
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation is designed to update the current legislation which was drafted in a time that was in technology terms, prehistoric.
The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing
cabinets than data rack enclosures. It’s time to evolve.
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
The document discusses the new EU General Data Protection Regulation (GDPR) which introduces more stringent data protection rules and fines of up to 4% of global annual revenue. It will apply from 2018, replacing the previous directive. Organizations need to review their compliance and determine what investments are needed to address the new requirements regarding rights for individuals, accountability, security, and more. The GDPR will have a significant impact and those unprepared risk substantial fines.
This document summarizes a presentation on getting to grips with the General Data Protection Regulation (GDPR). It discusses the challenges organizations face in complying with GDPR, which takes effect in May 2018. The presentation provides tips on where to get help with GDPR compliance, how to conduct an audit of personal data holdings, and the top 10 actions organizations should take now to prepare, such as forming an implementation task force and reviewing privacy policies and consent procedures. It emphasizes that May 25, 2018 marks the beginning of GDPR compliance obligations.
The document provides an overview of the General Data Protection Regulation (GDPR) that goes into effect in the European Union on May 25, 2018. Some key points:
- GDPR strengthens data protection rights for EU citizens and applies to any organization that collects data from EU individuals, regardless of location.
- It establishes high fines for noncompliance (up to 4% of global revenue or 20 million euros) and requires clear and easy-to-withdraw consent for data collection and use.
- Individuals have new rights regarding their data, including rights to access, correct, and delete personal data, and object to automated decision making. Organizations must also notify about data breaches.
- While
Education Focus
Summer 2017
rollits.com

Looking for clarity in uncertain times

As we approach the Summer break and the full impact of the outcome of the General Election is still to be felt, schools, colleges and universities continue to face uncertainty on a number of fronts. Education policy is clearly still evolving in the wake of the loss of the previous Government’s majority in the Commons. Whilst uncertainty makes it ever harder for providers to plan ahead, it does at least bring opportunity for those who are able to be more nimble. As ever the education sector will demonstrate its resilience and deal with whatever comes its way, but let us hope that in what is undoubtedly going to be an unsettled period for the Country there is some recognition that stable education policy is in itself a good thing.

With that said, there are some legal issues where a clearer picture is emerging. The ESFA’s procurement process for non-levy apprenticeships is in tatters, but the new apprenticeship regime is now in force and we have some initial observations which are shared on page 4. The legislation behind the college insolvency regime was passed before Parliament was dissolved and we now await implementing regulations, which are currently expected to take effect in the second half of 2018. With a programme of training sessions already underway we will keep monitoring the detail and publishing further commentary as matters evolve.

With all of this change happening it would be easy to miss some of the wider changes in legislation coming our way. A very significant change which affects all providers is the General Data Protection Regulation (known as the “GDPR”). It stems from legislative change in Europe and was given specific attention in the Queen’s Speech. There is much to do for all providers before the new legislative framework comes into full force in May 2018. We have a Q&A on this topic overleaf and we are putting in place a series of events to raise awareness of what is an important raising of the bar when it comes to the compliance standards expected of all providers.

Tom Morrison
How is the data protection law change being implemented and when will it take place?

The General Data Protection Regulation (“GDPR”) takes the form of an EU Regulation: it is already in force in all EU member states and does not need national implementing legislation to take effect. It applies, and becomes enforceable, from 25 May 2018. The UK’s current legislation, the Data Protection Act 1998 (“DPA”), continues in force until that date.
Won’t the proposed changes just fall
away when Brexit is complete?
No. Although, post-Brexit, the GDPR
will no longer automatically apply in
the UK, the UK will need to ensure
that its data protection laws provide
an adequate level of protection
for personal data by EU standards.
This means that the UK will have to
implement appropriate data protection
legislation, or transpose the GDPR into
national legislation on the day Brexit
occurs so that the GDPR effectively
continues to apply. The recent Queen’s
Speech recognises the importance of
the GDPR and both the Government
and the ICO have been clear that one
way or another the UK will need to be in
a position to trade with the EU and that
personal information will need to be
able to flow freely and lawfully.
What are the key changes?
The overarching objective of the
GDPR is the same as the DPA: to
protect individuals’ personal data.
The GDPR does, however, strengthen
the protection granted to EU citizens
in respect of their personal data in a
number of ways. For example:
• The conditions for obtaining consent
to process personal data have been
strengthened and the controller will
need to be able to demonstrate that
such consent was “freely given, specific,
informed and unambiguous”.
• Controllers and processors are
required to demonstrate that they
comply with the data protection
principles. That means they must
implement appropriate technical
and organisational measures to
demonstrate that data protection has
been considered in respect of any
processing activities (for example,
by implementing appropriate data
protection policies, staff training,
internal audits and reviews of HR
policies). Some organisations will be
under an obligation to appoint a data
protection officer, and data protection
impact assessments are compulsory in
certain circumstances.
• The GDPR strengthens individuals’ data
rights and creates new rights which
organisations will need to familiarise
themselves with and act on, such as
the right to data portability, the right
to erasure and the right to object to
processing. Organisations can no longer charge a fee for responding to a subject access request (save in limited cases, such as where a request is manifestly unfounded or excessive) and must respond in a shorter timeframe: without undue delay and in any event within one month of receipt, extendable by a further two months where the complexity or number of requests justifies it.
• The GDPR introduces direct,
statutory data protection obligations
on processors. Under the DPA,
processors are generally not subject
to direct obligations, fines or other
penalties and so this represents a
significant change.
Q&A
David White is a Senior Solicitor in Rollits’ Commercial IP Team and advises education providers on data protection and freedom of information issues. In this Q&A David sets out some of his early thoughts on the new data protection regime which comes into force in May 2018, known as the General Data Protection Regulation (or GDPR for short).
The new law on data protection

What are the risks arising from a breach of the GDPR?
Under the DPA the maximum fine that can be imposed for a data protection breach in the UK is £500,000. The GDPR significantly increases this. Under the GDPR the ICO can impose a fine of up to 4% of annual worldwide turnover
for the preceding financial year or €20
million (whichever is greater) for certain
data protection breaches. Furthermore,
organisations are required to report “notifiable breaches” to the relevant supervisory authority (the Information Commissioner’s Office in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals concerned, those individuals must be notified as well.
Beyond this there are clear non-legal
risks such as damage to reputation.
Will the changes have any effect on
personal data that we obtain prior to
25 May 2018?
Yes. The GDPR will apply to all
personal data held by an organisation
irrespective of when that data was
obtained. Organisations should be
looking now at what personal data they
process and on what lawful basis that
data is processed (and whether it will
still be considered lawful on 25 May
2018). For example, if an organisation processes personal data on the basis of the individual’s consent, but the consent obtained does not meet the higher standard imposed by the GDPR, that consent will not be valid once the GDPR applies. In such circumstances the organisation should either obtain fresh consent which meets the requirements of the GDPR before 25 May 2018, or identify another lawful basis on which the processing can properly continue, so that it can process that individual’s personal data lawfully once the GDPR comes into force.
Will there be any transitional
‘bedding in’ period within which to
achieve compliance?
No – full compliance will be required
from 25 May 2018. It is therefore
imperative that data controllers (if they
have not done so already) ensure that
they review their existing policies and
procedures to ensure they comply with
the new laws and make any necessary
updates – such as to methods of
obtaining consent. Staff should be
trained and educated in the new laws
and any related changes to the data
controller’s existing procedures.
What does all this mean for
education providers?
The GDPR impacts most upon those
organisations which hold information
about lots of people – such as staff and
customers. Education is a staff-intensive
business and education providers
nationwide serve a large number of
customers (in the form of pupils and
students). The sector needs to be ready
for what is a significant change and we
are in the process of conducting an
awareness campaign to help support
that. May 2018 will be here before we
know it.
Model publication schemes are available
on the Information Commissioner’s
Office’s (“ICO”) website. The Information
Commissioner expects public authorities
to adopt model publication schemes
without modification.
As part of its publication scheme, a
public authority is also expected to
produce a “guide to information” which
specifies what information the authority
publishes and how it is available (for
example, online or in hard copy).
The Information Commissioner has
published a “definition document” for
each type of education provider which
sets out the types of information the
Information Commissioner expects
the provider to publish. There is also
a template ‘Guide to information
available’ on the ICO’s website to
assist smaller schools (and in particular
primary and nursery schools). The model
publication scheme recommends that
information should be made available
on a website wherever possible.
In addition to the above, all providers
covered by FOIA should adopt a
policy to review periodically what
information they publish pursuant to
their publication scheme to ensure that
any newly created information that falls
within the scope of the publication
scheme is made available promptly.
Providers should take steps to adopt
and implement a publication scheme
if they have not done so already.
Whilst publication can sometimes be
a time consuming process, there are
mandatory legal requirements under
FOIA and publication schemes can be
used as a tool for ultimately reducing the
workload associated with responding
to requests for information (because
if the information requested is readily
available through the publication
scheme, for example, as a download, it
is sufficient to direct the applicant to the
relevant web page).
David White
The Freedom of Information Act 2000 (“FOIA”) imposes an obligation
on public authorities – which includes local authority maintained
schools, academies and further and higher education institutions
– to adopt and maintain a publication scheme approved by the
Information Commissioner and to routinely publish information to the
public pursuant to that scheme.
Publication schemes
The contract for services is key
Under the Education and Skills Funding
Agency’s (“ESFA”) apprenticeship
funding rules, education providers are
required to have a written ‘contract
for services’ with employers for each
apprenticeship which covers a variety
of issues that the funding rules stipulate
must be covered by those contracts.
Those providers who have not done so
already should put in place a contract for
services which makes for a reasonable
allocation of risk between the provider
and the employer. We have seen some
providers required to sign up to the
employer’s standard
contract for services, which is inevitably
drafted so as to be more favourable to
the employer. We have also seen some
templates in circulation which in our view
are less than optimal from a provider’s
perspective and can be cumbersome to
use. The key is putting in place a contract
that works well for both parties and is
easy to use.
Can the same contract for
services cover multiple learners?
As each learner’s apprenticeship journey
is different and each learner must enter
into an individual commitment statement
with the provider and the employer,
we consider it to be sensible for each
Contract for Services to work on a
learner-by-learner basis too. Whilst there
is nothing in the funding rules which
prohibits the same Contract for Services
being used to cover multiple learners,
we consider that any potential savings in
administration time at the beginning of
the arrangement could be dwarfed by
the resulting complications that could
arise in documenting any variations to
the arrangement.
For example, if there are three learners
and one completes on time, another
withdraws and another has a break in
learning, this will require the Contract
for Services to be varied in relation to
one learner and terminated in respect
of another. Documenting all of these
changes would be convoluted and
keeping track of the Contract for Services
could become a difficult process. Having
one Contract for Services per learner
would remove this layer of complexity.
There are ways to achieve this that ensure
there is minimal friction for the employer
and learner and administrative burden is
kept to a minimum.
Can we enter into a contract for
services where the learner has
not yet been identified?
In a word, no. In order for a Contract
for Services to be legally binding and
enforceable, the parties will need to
have agreed upon the specific details
of the contract – this includes the
apprenticeship programme concerned,
the price payable by the employer
and a specification of the services
to be delivered by the provider. As
the specification of the services to
be delivered by the provider is very
much going to be determined by
the characteristics of the individual
learner, it will not be possible for the
specification to be finalised until the
learner has been identified.
We have found this position to be of
concern to some providers, who wish to
enter into at least some form of written
commitment with the employer before
the learner is identified – for example, if
the provider is going to be assisting the
employer in learner recruitment as part
of the provider’s value added service. In
such circumstances, a good way forward
is for the provider and employer to
enter into a written letter of intent or
memorandum of understanding – which
would not be legally binding but, if
signed by both parties, can give each
party comfort that the other party is
serious about entering the arrangement
without scaring either off. The document
could also attach a copy of the form of
Contract for Services that will apply if
and when the parties do agree upon the
identity of any learner(s).
Existing ESFA-funded
subcontract templates may
require amending for post-levy
apprenticeship subcontractors
Whilst many of the key themes in
providers’ existing subcontracts will
remain relevant to apprenticeship
subcontractors under the new regime,
the ESFA’s funding rules refer to some
additional requirements that providers
will need to ensure are covered off in their
subcontracts for apprenticeship delivery.
In practice we have helped several
providers to achieve this by adapting
their existing subcontract templates into
an ‘apprenticeship-specific’ subcontract
template for use with apprenticeship
subcontractors only. The changes are
not extensive, but they are important to
ensure funding rules compliance.
James Peel
We have over recent months been advising a range of providers in relation to their contractual
arrangements under the new apprenticeship levy regime. In many ways it is a brave new world for
everybody, where new issues are still surfacing, but we have several observations already which we
felt would be useful to share.
Post-levy apprenticeship contracting
Our observations so far…
When advising education providers
on property matters one of the most
common issues to arise is how to deal
with third party occupiers on the site.
Providers will often allow third parties,
such as sports clubs and local community
groups, to use buildings and facilities
at a site on an informal basis with no
agreement in writing in place. This
places the provider at risk of a potential
claim by the third party occupier, who
could claim they have an interest in the
site. This could have severe implications
for the provider if, for example, the
provider wanted to develop the land
occupied by the third party or if it
wanted to terminate the occupation due
to the conduct of the occupier.
There are three main types of agreement
which can be used to document the
occupational arrangement: lease;
licence; and tenancy. The label on the
document itself does not determine
what the agreement is, so the underlying
arrangement needs to be assessed to
establish the true nature of occupation.
Lease
A lease grants exclusive possession to
an occupier of land and/or buildings (or
rooms) for a specified term at a reserved
rent and grants an interest in land during
the term. Exclusive possession means
that the third party has the sole right
to use the demised property to the
exclusion of all other persons, including
the landlord. A lease also grants security
of tenure to the tenant, unless such rights
are specifically excluded through a set
statutory procedure (which the property
owner would usually want). Once a lease
has been granted, the tenant has a right
to occupy the property for the term and
the lease can only be brought to an end
in pre-agreed circumstances, such as in
the event of a breach of the lease or upon
the insolvency of the tenant.
A lease would therefore only be suitable
for longer term arrangements where it is
intended that the third party will be the
only person entitled to use the land, for
example in the case of a sub-station lease
to a utility company or a youth centre.
Licence
A licence grants consent to the occupier
to use property for particular purposes.
The licence is personal to the occupier
and the occupier does not have
exclusive possession which means that
other parties (including the owner of the
property) can also use the property.
A licence would therefore be suitable
for arrangements with sports clubs and
community groups, who would like to
use a building or sports facility during a
specified period each week, as multiple
licences could be granted to different
clubs and groups in relation to the same
building or facility. A licence does not
create an interest in land and so it can
be terminated on notice if the property
owner wants to remove an occupier
from the property.
Tenancy
A tenancy is an agreement whereby
a property can be used solely by
an occupier on a rolling basis, until
either party determines the tenancy.
There are different types of tenancy,
including tenancies at will which can
be terminated immediately at any time
by either party, and periodic tenancies.
Tenancies also grant an interest in land
to the occupier.
A tenancy is suitable where a provider
wants to grant an interest in land to an
occupier, but does not want to specify a
term. A tenancy is therefore suitable for
shorter term arrangements such as with a
community group.
If a school converts to an academy
and there are third party occupiers
at a site, then it will be a prerequisite
of the Department for Education
to the granting of consent to the
conversion that any occupation is
formally documented in writing. In any
event, we would always advise that any
arrangement is documented in writing
so there is no uncertainty as to the
agreed terms, the nature of the interest
granted and the mechanism to bring the
arrangement to an end.
Libby Clarkson
In this series of articles we are discussing some of the major property issues which come to light when
advising education providers on property matters including academy conversions, mergers, the sale of land
and the potential development of a property. We are also highlighting practical pre-emptive action which
can be taken to deal with each of these issues in order to prevent the issue having any major implications.
Series on property and estate management
Third party occupation
Part 2
Information
If you have any queries on any issues raised
in this newsletter, or any education matters
in general please contact Tom Morrison on
01482 337310.
This newsletter is for the use of clients and
will be supplied to others on request. It
is for general guidance only. It provides
useful information in a concise form.
Action should not be taken without
obtaining specific advice.
We hope you have found this newsletter
useful. If, however, you do not wish to
receive further mailings from us, please
write to Pat Coyle, Rollits, Citadel House,
58 High Street, Hull HU1 1QE.
The law is stated as at 10 July 2017.
Hull Office
Citadel House, 58 High Street,
Hull HU1 1QE
Tel +44 (0)1482 323239
York Office
Forsyth House, Alpha Court,
Monks Cross, York YO32 9WN
Tel +44 (0)1904 625790
rollits.com
Authorised and Regulated by the Solicitors
Regulation Authority under number 524629
Rollits is a trading name of Rollits LLP.
Rollits LLP is a limited liability partnership,
registered in England and Wales,
registered number OC 348965, registered
office Citadel House, 58 High Street, Hull
HU1 1QE
A list of members’ names is available for
inspection at our offices. We use the term
‘partner’ to denote members of Rollits LLP.
Since April 2017 all education
providers are affected by the
IR35 rules which relate to tax and
National Insurance contributions.
These rules relate to workers who are
paid through an intermediary. These
workers will need to be assessed by
the provider to determine whether or
not IR35 applies. An intermediary may
be the worker’s own limited company,
a service or personal service company
or a partnership. In IR35 applicable
situations, the education provider (who
will be deemed to be the client) must
pay PAYE and NI. A worker placed by
an employment agency does not attract
IR35 although the provider is responsible
for ensuring that the agency has put
IR35 in place. This is a hot topic in the
sector at the moment and we have
seen a marked increase in queries from
education clients, especially in relation to
tutors, assessors and interim executives.
It is a technical area of law and taxation
and, given the potential consequences,
we would recommend that any provider
in doubt as to a worker’s status should
seek specific advice.
Ed Jenneson
Well, fast forward a few months
and Ofsted has indeed updated its
policies, which several of those same
commentators consider to include a
significant ‘U-turn’ on Ofsted’s part. Not
only has the ‘Outstanding Provider’ logo
been revamped, but Ofsted has also
introduced a new ‘Good Provider’ logo
which may be used by those education
providers who were awarded an overall
judgement of ‘Good’ in their most
recent Ofsted inspection.
This development will be welcomed by
‘Good’ providers who were officially –
until now – unable to use the Ofsted
logo to promote their achievements.
However, they will also need to
familiarise themselves and comply with
Ofsted’s related logo terms of use.
‘Outstanding’ providers will also need
to be careful to ensure that they update
their stationery and signage with Ofsted’s
new logo, as continued use of the old
logo could (ironically) result in them
falling foul of Ofsted.
James Peel
IR35
We reported in the Autumn 2016 edition of Education Focus on a
clampdown by Ofsted on education providers adapting Ofsted’s
‘Outstanding Provider’ logo into a ‘Good Provider’ logo for use on
stationery and signage. Ofsted’s actions were criticised at the time by
some commentators for being too heavy-handed, and it was hoped
that Ofsted were going to review their logo policies internally.
Ofsted logo update