Five steps to Compliance

As we entered the ground rush zone for the GDPR, a number of organisations issued numbered guidance documents in preparation. I joined in and published an article on my LinkedIn blog called “Beyond Adequate Protection”. This had my five-point list of tasks to be GDPR compliant. I summarise them here:

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development life cycle (SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail, but I finish by saying that it’s only this easy if your organisation already meets the need to provide adequate technical and organisational protection.


A coach and horses through privacy rights

I have just been approached by a Trade Union member who wanted to know how to complain about his employer’s record keeping. The short answer is to complain to the Information Commissioner’s Office. It reminded me that the ORG are campaigning to change the current Data Protection Bill to allow non-profits to represent complainants; Trade Unions might also want to benefit from this legislative protection. I was, however, horrified by the Government’s proposed exemption of immigration data from the remit of the Data Protection law and thus the GDPR. …

Working Title

Today, I wrote to Labour List and proposed to write an article for them.

I’ll take help on the title, but I’m currently working with “Privacy Law, canvassing and registered supporters”.

Next year, 28th May, the EU’s General Data Protection Regulation comes into force. Among other things it will prohibit the storage and processing of canvass returns without freely given, informed and explicit consent. We will have to prove that consent has been obtained and be able to tell electors everything we know about them.

The simplest answer to these new compliance requirements is to extend the registered supporter arrangement, make it an ongoing contract so that the agreement can include privacy clauses. The ambition would be to extend the scheme to high proportions of our voter base. For this purpose, the fee would need to be low, nearer £3 than £25.


I should add that without some form of reform, the retention of the Registered Supporters data in the membership system is, to my mind, of questionable legality, as it breaks the storage limitation principle. When compliance ruled that Registered Supporters could not be invited to members’ meetings, they made the sole purpose of holding the data the leadership election. This purpose was confirmed when the NEC required re-registration of the registered supporters at £25 in 2016; the consequence of such a decision, to my mind, negated the purpose of the original registrations. …

One long year

I am documenting my CPD and reviewing the contents of my LinkedIn blog, and came across this, “The GDPR will become British law”, published last year, where I predicted that the GDPR would be grandfathered into British law via the proposed “Great Repeal Bill”.

What a difference a year and a general election makes.

I did not predict that, since the GDPR has member state derogations, the Government would bring a Data Protection Bill to Parliament. The fact they’ve lost their majority and are now frightened of losing votes in Parliament is another motivation for sticking a big complex bill into the timetable; it burns time, and one would hope that it can be uncontroversial so there’s no chance of losing a vote, and even if they do, who cares, apart from people like me.

This could of course be a complete waste of time, as it’s the courts which will decide what the law means, and if we should leave then the issues raised here … will apply. …

The Data Flow implications of Brexit

Project Fear or Project Reality about Brexit continues, and while risks to banking, air travel, radiotherapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows, particularly of personal data, which underpin both secondary and tertiary sector industries. This article looks at the threat to trade involving data flows posed by Brexit and at the likely shape of US/EU data flow and privacy regulation. …

On the GDPR

The week before last, I attended the BCS legal day and have finally published my notes on this blog. The priority was the coming General Data Protection Regulation. I prefer to write in a style recognising those who have informed me or changed my mind, but the notes have been anonymised as I believe that the day was held under Chatham House rules. The running order has been changed to make the story better and to conform to my preferred priority order of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues” and “the Data Protection Officer”, and one on trends in enforcement. …


Are the ICO waking up? It has fined Flybe and Honda. There are two stories here: two large firms wanted to confirm that they had consents and so wrote to their lists to ask if the consents remained in place; they have been fined, as the ICO considered this to be an un-consented bulk email. I wonder if it’s possible to perform this check legally. …


Just looking at my notes from the BCS Legal Day: while some are still hanging on for Brexit to save them from the GDPR, which it won’t, it becomes necessary to understand the wiggle room left by the GDPR.

Firstly, there are the competency limitations of the Union itself: it cannot legislate for national and public security nor for the criminal justice system. These exclusions are stated in Article 23 (Restrictions) and also include (or exclude, if that’s how you see it) the management of professions and the pursuit of civil justice. The Restrictions clause does, however, require the member state to act proportionately and respect the Charter of Fundamental Rights. In addition, there is room for national (member state) variances on the protection of employee data and the definition of public sector, impacting the need for a DPO. …