Data Protection Newsletter

February / March 2018

For further information contact Mike Bradford or Helen Lord [email protected]

www.regulatorystrategies.co.uk


Headlines this month:

  • Data Protection Bill
  • ICO Guidance
  • UK is a 3rd country for data transfers from 30 March 2019
  • E-Privacy update – marketing and the ‘soft opt-in’
  • GDPR and the Credit Industry
  • ICO announces it will take proportionate approach to GDPR fines
  • Commission releases Communication on GDPR
  • Regulatory Strategies announces two GDPR events – places are still available – details and registration form attached

Commentary:

Data Protection Bill

On 17 January, the Data Protection Bill received its Third Reading in the House of Lords and will now be considered by the House of Commons.

Schedule 1, Part 3 of the Bill specifies the additional conditions that must be met in order for personal data relating to criminal convictions to be processed otherwise than under the control of official authority, which was a national derogation permitted under article 10 of the GDPR.

A number of amendments were made by peers, including those tabled by the Government on automated processing to make it consistent with the GDPR, which was helpful.

Opposition amendments to open up the manual elements of the automated decision-making process were defeated. A version of the Bill after Report Stage, but before the Third Reading, can be viewed here.



ICO Guidance

The ICO has published an updated Guide to the GDPR. The sections on Lawful basis for processing and Rights related to automated individual decision making including profiling contain new expanded guidance.

The ICO has expanded the page on Personal data breaches and updated the section on Documentation with additional guidance and documentation templates.

The ICO has also added new sections on legitimate interests, special category data and criminal offence data, and updated the section on consent.

UK is a 3rd country for data transfers from 30 March 2019

In a notice issued on 9 January, the EU Commission makes clear that 'in view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of legal repercussions, which need to be considered when the United Kingdom becomes a third country.'

'Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date, the EU rules for transfer of personal data to third countries apply.'

The Commission states that aside from an "adequacy decision", there are additional options under the GDPR, such as using Binding Corporate Rules, contractual clauses, codes of conduct or certification mechanisms. The Commission is working with interested parties and data protection authorities to make the best use of these new instruments.

The Commission makes no comment on the UK's possible adequacy in this notice. The UK Data Protection Minister, Matt Hancock (promoted on 8 January in the same Department to become the Cabinet level Secretary of State), has said that the UK aims at achieving an adequacy decision but we must wait until the Brexit negotiations have reached the point in which data protection issues are included.

E-Privacy Update

On 10 January 2017, the European Commission published the proposed text for a new E-Privacy Regulation (the draft regulation). When adopted, the draft regulation will replace the current E-Privacy Directive (2002/58/EC) (the Directive) – PECR in the UK.


Since the Directive's last update, there has been a revolution in the electronic communications sector, with the use of over-the-top (OTT) communications service providers overtaking more established forms of electronic communications.

The legislative aim is that the draft regulation will bring OTT services into scope and, as it is a regulation rather than a directive, harmonise the legal approach in this area across EU member states in the same way that GDPR will do. This should reduce compliance costs for companies in the long term.

The original draft:

  • applies to ‘over the top’ service providers such as WhatsApp, Facebook, Gmail and Skype and not just to telecommunications service providers;
  • takes the form of a Regulation rather than a Directive;
  • covers both content and metadata derived from electronic communications – both will need to be anonymised or deleted if users have not given consent, unless required for billing purposes;
  • gives traditional telecommunications providers more scope to use data and provide additional services subject to obtaining appropriate consent;
  • streamlines rules on cookies – consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website;
  • bans unsolicited electronic communication by any means including phone calls if users have not given consent;
  • allows Member States to require that marketing callers display their phone number or use a special prefix; and
  • enhances enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.

Both the EDPS and the Article 29 Working Party expressed concerns that the draft did not dovetail properly with the GDPR. There has also been considerable debate on whether or not legitimate interests should be included as a justification for processing. Publishers around Europe are particularly concerned about plans to allow users to block third party cookies.

In November, the way was paved for trilogues to begin after the European Parliament adopted a privacy-friendly version of the Regulation.


The EP’s proposal requires high levels of protection from unauthorised access to electronic communications, including safety of transmission means or use of end to end encryption. Decryption is prohibited and consent in line with the GDPR is the basis for lawful processing.

The European Parliament calls for a ban on cookie walls (which prevent access to a website where cookies are refused), and tracking without consent, including through public hotspots or shopping centre wifi networks. It also wants a restriction on snooping on personal devices via software updates. Metadata should be treated as confidential and privacy by default should become standard for all software used for electronic communications.

Where does this leave the marketing ‘soft opt-in’?

There is an exception under PECR for signifying consent with a positive action called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:

  • You give them the opportunity to opt-out when you receive their contact information; and
  • You give them the opportunity to opt-out when you send them subsequent messages.

This processing is not based on consent, but rather the legitimate interests processing condition and can only be relied upon by the organisation that collected the contact details.

The definition of consent under the ePrivacy Regulation will be the same as the definition under the GDPR.

In relation to the soft opt-in, that will still be available under the ePrivacy Regulation as currently drafted but there is a significant difference.

Consent will not be required to send customers/clients direct marketing using their email address etc in the context of a sale of a product or service. Entering into negotiations, however, will not allow the provider to send marketing messages without consent.

This may change but at the moment it appears that the soft opt-in may be reduced in scope to where a sale is concluded.

We would recommend that a policy of positive opt in is adopted across all channels to avoid the potential for this becoming an issue and to have a consistent and ‘highest common denominator’ approach to customer / client acquisition and management.


From experience we have seen that very often the inertia factor – a customer failing to opt out of marketing – results in issues later and does nothing to create a high response / high conversion marketing database. Offering preferences and positive opt-ins – with well worded explanations of what the customer is agreeing to – can lead to more targeted marketing and fewer customer complaints.

The ‘double opt-in’

The so-called ‘double opt-in’ has been raised by a number of clients. However, it is important to put this into context.

A double opt-in email list is like any email-based newsletter or e-course where people can sign up through the Internet either on a webpage or by sending an email to mailing list management software. What makes an email list “double opt-in” is that any person who subscribes must confirm their request twice.

The first time is when the user submits their email address to the web-based form.

After the initial request is received by the email list software, a special confirmation email is sent to the address the person input into the form. This is the second opt-in. The email contains a link which the recipient must click to confirm their subscription request. Once they have done this they have “double opted-in”.

We consider that this rather cumbersome approach to evidencing consent does not add value – either commercially or from a compliance perspective – when email addresses are captured legitimately in the context of doing business.

There may be an application in the case of bought-in lists but we would urge the use of warranties and indemnities to offer commercial protection and compliance mitigation should an email address prove to be non-permission based.

There is no legal requirement for a double opt-in.

Timing

We now know that the e-privacy Regulation is not ready to coincide with GDPR implementation.

It is hoped that the Trilogue on the EU e-privacy Regulation will start after the summer recess, although the Council is trying to reach a joint position by June.

GDPR and the Credit Industry

With the introduction of the General Data Protection Regulation from 25 May 2018, lenders will need to review the Fair Processing Notices provided to customers, which set out how customers’ data will be used and processed.


The Credit Reference Agencies (CRAs) have worked together to produce a standard Credit Reference Agency Information Notice (‘CRAIN’), which sets out how data will be processed by the three CRAs – Callcredit, Equifax and Experian. The CRAIN has been drafted to comply with GDPR and seeks to inform consumers in much more detail than has previously been the case. It has been shared with the Information Commissioner’s Office (ICO), which is comfortable with the approach taken.

Over 500 firms currently share data via the CRAs and so it is important that a consistent approach is adopted when informing customers about data processing. The CRAIN seeks to deliver this consistency and it covers data processing over the life of a credit agreement. CRAs will be unable to share data with lenders who do not adopt the CRAIN in its current format.

A layered approach

The CRAIN adopts a layered approach:

Lender Layer – This is where lenders will inform customers how their data will be used and shared – and with whom, for example, via CRAs, CIFAS and other organisations. The information will not be prescriptive but it must include a link to the CRAIN.

Experian: www.experian.co.uk/crain
Equifax: www.equifax.co.uk/crain
Callcredit: www.callcredit.co.uk/crain

CRAIN Layer – The CRAIN is around 24 pages long and provides a comprehensive summary of how data is shared by the CRAs and covers additional issues such as Subject Access Rights. It is in a standard format across all three CRAs and the text must not be changed. In non-digital transactions, the ICO has indicated that a copy of the CRAIN should be available to the customer should they want to see a copy.

In on-line applications, a link to the CRAIN can be readily provided allowing customers to access the relevant information. However, in face-to-face and telephone transactions lenders will need to consider how the CRAIN can be provided at point of application, should the customer want to read the information in full.

A customer must be given the opportunity (even if they choose not to take the opportunity) to access and read the CRAIN at the point of application.

  • Face-to-face applications: (for example, in a retailer or motor dealership). The lender’s FPN must be provided. In addition, paper copies (or a medium suitable to the customer’s circumstances) of the CRAIN must be available at the point of application. In some cases, it might be possible to show the customer a copy of the CRAIN on a screen as part of the application process.


  • Online applications: Customers must be referred to the lender’s FPN, which includes a link to the CRAIN. They should be given the opportunity, if they choose to do so, to click on the link and read the CRAIN. Giving consumers a link which they can access at a later date is unlikely to be sufficient. If customers choose not to access until a later date, that’s their prerogative, but the facility must be available when they apply.
  • Telephone applications: The lender’s FPN should be read out to the customer at the point of application. The customer must also have access to the CRAIN. If the customer has access to the internet, a link could be provided for the customer to access. If the customer wants to read the CRAIN, this would need to be accommodated before the application could proceed.

CRA Layer – This is where CRAs will include other Notices which relate to specific processing they are involved in respect of different products and services, which may not be reflected across the other CRAs.

Processing Grounds

The CRAs are basing their processing on the ‘legitimate interest’ ground – which has been in place for many years and is recognised by the ICO. Lenders will need to look at which ground is best suited to their own use of customer data; however, lenders must not infer that any other ground apart from legitimate interest applies to data shared via the CRAs.

Rights to Object and Data Erasure

CRAs expect to receive requests from consumers for the erasure of CRA data under Article 17 and objections to CRA processing under Article 21. CRAs believe that in the majority of these cases it will not be consistent with the GDPR for these requests/objections to be upheld because of the existence of the ‘overriding legitimate grounds’ under Article 17(1)(c) or ‘compelling legitimate grounds’ under Article 21(1) for the processing to continue. However, the ICO will expect each case to be considered on an individual basis.

Subject Access Requests

Clause 12 of the UK Data Protection Bill provides that where consumers raise a Subject Access Request with a CRA, this can be fulfilled by the CRA providing the consumer with a copy of their credit report. The Bill has still to complete the parliamentary process, but this approach is not expected to change.


Restrictions on processing

The CRAs have expressed concern that consumers could try to interpret Article 18 (2) on the basis that if they challenge the accuracy of the data on their credit file, then the CRAs should restrict all processing of flagged credit file bureau data from receipt of the subject access request. The CRAIN sets out that under Article 18 (2), such data could continue to be processed if there is a strong case for doing so.

Automated Individual Decision Making

The ICO (and Article 29 Working Party) have recently published regulatory guidance on profiling and automated decision-making. The CRAs believe that there is nothing in the Article 29 Working Party guidance which seeks to prohibit lender scoring activities but that it will be for each lender to assess the guidance in line with its own contracts and processes.

Retention Periods

There are currently no plans to move away from the current data retention period of 6 years. This period is also included in the ICO’s Credit Explained publication. However, this issue is likely to be subject to further discussion over time.

Implementation

The CRAs have suggested that firms look to implement the required changes well in advance of the GDPR May 2018 deadline, to ensure a seamless transition and the continuation of data sharing.

ICO announces it will take proportionate approach to GDPR fines

The ICO is not planning to issue fines in every circumstance when it detects a breach of the GDPR (or implementing legislation), ICO's Steve Eckersley said at the CDPD conference in Brussels. Eckersley stated that the ICO will also have other options including the opportunity to issue warnings or demand an audit. He said that in many cases the reputational damage will have a greater impact than any fine.

The ICO is now recruiting an additional 100-150 people to work on GDPR aspects and cyber security.


Commission releases Communication on GDPR

The European Commission has issued a communication to the European Parliament and the Council on the direct application of the GDPR. The Communication outlines remaining steps for successful GDPR preparation, and gives the measures the European Commission intends to take up to 25th May 2018. Among the measures, there is new online guidance from the Commission. The Communication also reveals that one year after the GDPR enters into application, the Commission will gather feedback from stakeholders on implementing the GDPR to feed into its evaluation and review of the GDPR by May 2020.

Recent Data Protection Act Breaches

Record fines for company involved in illegal trade in personal information

A firm of loss adjusters in the UK has been fined £50,000 by a UK court for unlawfully disclosing personal data that were obtained illegally by senior employees and rogue private investigators.

The prosecution was part of an ongoing ICO investigation into allegations of a criminal trade in confidential personal information involving corporate clients suspected of using the services of rogue private investigators. A director and a senior member of staff were also sentenced to record financial penalties, along with the private investigators involved.

Elizabeth Denham, Information Commissioner, said: "The illegal trade in personal information is not only a criminal offence but a serious erosion of the privacy rights of UK citizens. As well as these record fines, the organisations and individuals involved also face serious reputational damage as a result of being prosecuted by the ICO."

Carphone Warehouse fined £400,000 after serious security failings

One of the largest mobile phone retailers in the UK has been dealt a significant fine from the ICO after one of its computer systems was compromised as a result of a cyber-attack in 2015.

The company's failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees. The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The ICO identified multiple inadequacies in Carphone Warehouse's approach to data security, including the company's use of out of date software and its failure to carry out routine security testing. £400,000 is the joint largest monetary penalty ever to have been imposed by the UK regulator.


Four companies fined over spam texts

Four companies responsible for 44 million spam emails, 15 million nuisance calls and one million spam texts have been fined a total of £600,000 by the Information Commissioner's Office. Barrington Claims Limited was fined £250,000 for making over 15 million automated calls, Newday Limited was fined £230,000 for sending over 44 million spam emails, Goody Market UK Limited was fined £40,000 for 111,367 spam texts and Macclesfield-based TFLI Limited was fined £80,000 for over 1.19 million spam texts.

Director of accident claims company fined in UK

The director of an accident claims company has been fined for inventing a crash in order to trace the owner of a private number plate he wanted to buy.

Miles Savory, 40, a director of Bristol-based Accident Claims Handlers Ltd, sent official forms to the Drivers & Vehicles Licensing Authority requesting the identity of the registered keeper of a 4x4 which he claimed had been involved in a collision in the city.

Mr Savory was fined £335, ordered to pay £364.08 costs and a victim surcharge of £33.

Police body signs Undertaking to comply with law in UK

West Midlands Police has signed an Undertaking with the ICO to comply with the Data Protection Act.

The Undertaking commits the police force to a raft of security measures, including risk assessments, improved documenting of procedures related to the distribution of information, mandatory new staff training and refreshed data protection training.

Company which made 75 million nuisance automated calls in four months fined

A company which made 75 million nuisance calls in four months has been fined £350,000 by the Information Commissioner’s Office (ICO).

Miss-sold Products UK Ltd made the automated marketing calls between 16 November 2015 and 7 March 2016. The calls contained recorded messages, primarily promoting PPI compensation claims, but the company did not have the recipients’ consent for making marketing calls, which is against the law.

It also broke the law by failing to identify the organisation making the calls, while it used so-called ‘added value’ numbers that generate revenue when an individual calls the number, which is then apportioned and passed to associated companies and the network carrier.


The ICO received 146 complaints from the public about Miss-sold Products. Some people were called on multiple occasions. Others said they were unable to opt out of receiving the calls. Some expressed further distress as they were concerned that calls late at night may have been from family members or those to whom they provided care.

Man prosecuted and police force given undertaking after sensitive data leak on Twitter

A Kent man who posted sensitive police information on Twitter has appeared in court after he admitted breaking the Data Protection Act.

William Godfrey, 30, of Bull Lane, Bethersden, had previously been in a relationship with a probationary officer, and came into possession of a USB stick containing the data.

In July 2016, he tweeted the name and address of a vulnerable adult, along with details of their health and sexual life, to the accounts of the Information Commissioner’s Office (ICO), the Independent Police Complaints Commission and Surrey Police.

That same day, he emailed the ICO threatening to publish a 40-page document containing personal data, which included the details of a victim of a sexual offence, and became involved in a Twitter exchange with an independent user who saw his tweet and warned him that he was breaking the law.

It later emerged that a separate account, operated by Godfrey, had tweeted Surrey Police two days earlier, disclosing the details of one named individual and the fact that they had been searched by police in relation to an offence.

The ICO contacted him to ask him not to publish the material. Godfrey later failed to attend a meeting to hand over the USB stick and Surrey Police eventually had to take out an injunction to retrieve it.

Godfrey admitted two offences of unlawfully disclosing personal data in breach of s55 of the Data Protection Act when he appeared at Maidstone Crown Court, on Wednesday 17 January 2018.

He was sentenced to a 12-month conditional discharge, in part because he had been placed on stringent bail conditions, including an electronic tag, before the hearing.

Surrey Police has also signed an undertaking to improve its procedures as a result of this case.


Regulatory Strategies Limited. Registered Office: 14 London Road, Newark, Nottinghamshire NG24 1TW, UK. Registered in England and Wales no. 6869459. VAT no. 970 2142 43

COMPLYING WITH GDPR
A PRACTICAL APPROACH

ARE YOU READY…?

“Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.” Elizabeth Denham, Information Commissioner

Over the last two years Regulatory Strategies (www.regulatorystrategies.co.uk) has been advising clients on the impact of GDPR and ensuring they are ready for these new regulations. And our track record of helping clients with practical business solutions goes back to 2009 – and even further from our plc background.

We are now offering you the opportunity to benefit from this experience and check that you have everything in place for 25th May.

Our one-day sessions (10.30am to 2.30pm) will explain the key changes and what you need to do to meet your new obligations and give you the chance to ask any questions. The event will help you create a toolkit to comply with the new regulations whilst also taking into account your commercial realities.

Monday 5th March at the Queens Hotel, Leeds
Friday 9th March at the Wesley Hotel, Euston, London

Your discounted fee is £395 plus VAT per delegate (total £474) (normal fee £495 plus VAT) which includes a buffet lunch; copies of all the slides; a comprehensive check list of what is required to meet the requirements of complying with the GDPR; a list of the Policy Documentation that you will need to have in place; and a complimentary copy of our latest Newsletter with sections on what GDPR means in the credit data sharing world and for marketing.

Please complete the attached Registration Form and send it to [email protected]


COMPLYING WITH GDPR
A PRACTICAL APPROACH

REGISTRATION FORM

PLEASE COMPLETE ALL SECTIONS AND RETURN TO [email protected]

Forename
Surname
Email
Telephone
Company name
Address line 1
Address line 2
Address line 3
City / Town
Postcode

Preferred venue (please tick):

  • Monday 5th March – Queens Hotel, City Square, Leeds LS1 1PJ
  • Friday 9th March – Wesley Hotel, 81-103 Euston St, Kings Cross, London NW1 2EZ

Please tick here if you would like to attend at either venue if your preferred choice is over-subscribed

Terms and Conditions

1. Cancellation by you up to 21 days before your chosen event will incur a cancellation fee of 50% of the full fee
2. Cancellation within 21 days of your chosen event will incur a cancellation fee of 100% of the full fee
3. Any cancellation by Regulatory Strategies will result in full repayment of any fees paid

Privacy

1. The information provided will only be used for the purposes of administration for this event.
2. Our event organisers are Credit Strategies Ltd (www.creditstrategies.uk.com) and follow up correspondence about your attendance will come from Credit Strategies Ltd.

Payment details

Please make your payment by BACS to the account shown opposite. Full payment is due at the time of booking.

Your discounted fee is £395 plus VAT - £474.00 – due now

Regulatory Strategies Ltd
Bank: TSB Bank plc
Sort code: 30-18-98
Account Number: 01279581

Please quote “GDPR + Initials and Surname” as your Payment Reference
