Data protection (under current DPA) appeal cases

Just catching up on my tweets and found an interesting post curated by “The Data Chain” an online paper (setup by me).

This interesting post: “Data protection in the Court of Appeal & the right to be forgotten” – not #GDPR-related – but will be significant post-GDPR era (from 25th May 2018 onwards).
The appeal cases extracted from the post are:

- DB v General Medical Council (application of mixed data provisions in s. 7 DPA) – due to be heard in March 2018,
- TLT v Home Office (accidental online disclosure of information relating to asylum seekers) – due to be heard in April 2018 – (note, the appeal does not address the quantum of the awards made in that case but instead focuses on the question of whether compensation ought in principle to have been awarded to individuals who were not referred to by name in the disclosed spreadsheet but who were nonetheless affected by the disclosure);
- Stunt v Associated Newspapers (challenge to the stay mechanism under s. 32 DPA) – due to be heard in June 2018 and, last but most certainly not least,
- Various Claimants v WM Morrison Supermarket PLC (group litigation data breach case) – due to be heard by the Court of Appeal before the end of 2018.

The UK Data Protection Bill [HL]

The published Bill- 218 pages.

Will review the Bill soon…

data breach reporting – 5th, 6th, 7th & 8th busting myths from the ICO

What is ‘high risk’ in the context of data breach reporting or notification under the GDPR?
According to the ICO’s website on breach notification:

When do individuals have to be notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

However, note the ‘fact’ for ‘myth #5′ on the breach reporting blog:

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

So, in essence, organisations will need to assess the ‘no risk, risk and high risk’ to people’s rights and freedoms. This assumes or requires organisations to somehow get to grips with what constitutes ‘people’s rights and freedoms’. Rights and freedoms (privacy?) are not easy to identify..

The ICO acknowledges this by stating in their blog:
Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

UK Data Protection Bill

The Data Protection Bill (HL Bill 66) was introduced into the House of Lords on 13 September 2017.
The published Bill.
The press release from the Department for Digital, Culture, Media & Sport.

The Bill implements the EU General Data Protection Regulation (GDPR) and will replace the Data Protection Act 1998.

4th busting myths from the ICO

Here’s the 4th myths from the ICO.

Myth #4

GDPR is an unnecessary burden on organisations.


The new regime is an evolution in data protection, not a revolution.

Read the ICO blog on GDPR is an evolution in data protection, not a burdensome revolution

Consent for GDPR compliance?

2nd and 3rd busting myths from the ICO

Myth #2

You must have consent if you want to process personal data.


The GDPR is raising the bar to a higher standard for consent.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.


I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

The ICO’s blog on consent is not the silver bullet for GDPR compliance

Busting Myths & Fake (GDPR & data protection & privacy) news – from ICO

Keeping up with ICO’s activities over the coming weeks, months & years!

UK DP Bill – GDPR into UK

GDPR fines

I’ve posted some GDPR stuff on

My high-level map of GDPR fines (pdf)

Although my PhD research is not on GDPR fines, the outcome from my research should help organisations to be better prepared to respond to data breach incidents.

Not notifying affected data subjects when ordered by the data authority (ICO) fall under the high 1st level of fines i.e. 4% or EUR20M. However, failure to notify the data breach to the data authority (ICO) and to data subjects exposed organisations to the 2nd level of fines i.e. 2% or EUR10M. In essence be prepared to be fined when you failed to comply with the breach notification requirements, Art 33 and Art 34.

Note that when organisations have a security breach i.e. failure to comply with the data processing principles Art 5 (1)(f) (failure to use appropriate technical or organisational measures), this falls under the high 1st level of fines

So..there’s no way to avoid the fines unless you can totally avoid security breaches or avoid falling foul to the data processing principles.

Article 29 Working Party newsroom

EU’s newsroom site where various info on & from the Article 20 Working Party.

Currently, the guidelines:

Guidelines on the right to “data portability”, wp242rev.01 pdf

Guidelines on Data Protection Officers (‘DPOs’), wp243rev.01 pdf

Guidelines on The Lead Supervisory Authority, wp244rev.01 pdf

Guidelines on Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA), wp248_enpdf

More to add…