The need for alignment with the European data protection framework, particularly in respect of law enforcement purposes, was emphasised by the Prime Minister recently. In her speech in Munich on 17th February, Theresa May referred to the UK’s high standards of data protection and the importance of creating stability and confidence for citizens. While much has to be decided and achieved, it is clear that compliance with the principles, aims and objectives of the forthcoming legislation, as a minimum, is required.
Yorkshire Cyber Project – Book your place on our Cyber Resilience events now!
As part of the Yorkshire Cyber Project, we have arranged events across Yorkshire and Humberside that are aimed at helping you to understand some of the risks you and your business face from an insecure cyber infrastructure or lack of cyber security planning.
At the events we will use scenarios that are based on real experiences of real businesses through which you will be able to test yourself and your organisation in tackling a multitude of problems. Some will be fairly simple, for example losing data either by a mislaid device such as a laptop, or something more immediate such as a ransomware attack.
Using a new interactive platform you will participate in an immersive experience to help you appreciate what you need to do back in the workplace to make your business safer online. The scenarios will be delivered through the platform allowing discussion and debate with colleagues.
We will have a team of experienced staff to help you learn and better protect yourselves.
All of the events are designed to help you learn and are not assessments; likewise, the discussions amongst the participants are to help you learn about cyber security through credible experiences and case studies. You will also be able to speak to key stakeholders and have informative updates from a range of agencies.
Does this sound of interest to you? If so, sign up at our Eventbrite page now!!
These FREE events will be held in Barnsley, Beverley, Halifax, Harrogate, Scarborough and Shipley across April, May and June 2018.
Further information can also be found on our website or follow us on Twitter.
Guidelines on breach notifications
The Article 29 Working Party (WP29) is an independent body that advises the European Commission about data protection matters. Established under Article 29 of the Data Protection Directive (95/46/EC), the party is composed of:
- Representatives of the national supervisory authorities in the Member States;
- Representative of the European Data Protection Supervisor (EDPS);
- Representative of the European Commission.
The party issue opinions, guidelines and other documents that, although not legally binding, are regarded as official guidance and an indication of the approach of the European Commission. Under the GDPR, the WP29 will become the European Data Protection Board (EDPB).
The WP29 have just published their Guidelines on Personal data breach notification under Regulation 2016/679. The guidelines set out requirements and provide advice on topics such as how, when and what information to provide to data subjects, assessing risks, accountability and record-keeping. The use of examples and clear language make this an accessible and comprehensive guide.
Data breach notification requirements under the GDPR represent a significant change from the current law, with strict time limits and specific actions. It could be said that this requirement encapsulates the essence of the GDPR by strengthening data subjects’ rights and increasing the accountability of controllers.
Updated guidelines on profiling
The WP29 have just published their Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, which is the GDPR. The guidelines clarify the definition of profiling and provide examples and advice on compliance with the new Regulation in this respect.
Communication from the European Commission
The European Commission issued a document on 24 January 2018, which provides a useful overview of what has been achieved so far in terms of preparing for GDPR compliance. It also sets out what is yet to be achieved by 25 May 2018.
Paragraph 3.4 of the Communication addresses the need for businesses, public administrations and other organisations processing data, to get ready for the application of the new rules.
Specifically referred to are carrying out Data Protection Impact Assessments and thorough reviews of data policy cycles, to identify the data held, for what purpose and on what legal basis. Also emphasised is the need to assess current contracts, appoint a Data Protection Officer and adopt Privacy by Design and Default principles.
For further details, see the document here.
Privacy hits the headlines
Privacy and data protection issues are big news, particularly since the Snowden revelations in 2013. Actions by individuals and privacy action groups over the past few years have not only increased public awareness and sensitivity but have literally changed the law. Examples include:
- Invalidation of the Data Retention Directive;
- Invalidation of the Safe Harbour Agreement;
- Introduction of the Right to be Forgotten principle.
The latest significant judgment occurred on 30 January 2018, with the Court of Appeal declaring the Data Retention and Investigatory Powers Act (DRIPA) 2014 contrary to EU law. Although DRIPA is no longer in force, the Investigatory Powers Act (IPA) 2016, which superseded it and contains many of the same provisions, must now be reviewed. The IPA is also the subject of a separate challenge, led by Liberty and funded by the public.
Although this case concerns privacy in relation to criminal investigations, it is nevertheless a real indication of the strength of public feeling around these matters and the importance of GDPR compliance by public authorities.
European Commission website guidance
The European Commission has just launched a website for the purpose of providing clarity and support for GDPR compliance. The sections on the website range from reiterating the aims and objectives of the new legislation, to providing explanatory documents aimed at the various stakeholders. Of particular interest is the guidance: ‘Public administrations and data protection’. Each link on the main page of the website takes the reader to further information on a chosen topic, presenting an overall library of credible, reliable information on all aspects of the GDPR... straight from the horse’s mouth. Many of these topics will be covered in the CENTRIC GDPR Supplementary Materials, coming soon.
Launch of new Yorkshire Cyber Project
We are excited to announce the launch of a new Yorkshire Cyber project. Yorkshire Cyber is a collaboration between CENTRIC and Stuart Hyde Associates to develop cyber resilience for SMEs across the Yorkshire and Humberside region.
Yorkshire Cyber recognises that cyber-security support is often aimed at larger companies, with conferences and events held in city centres. This reduces the opportunities for SMEs in smaller and more remote locations to receive the support and information that would assist them in building effective cyber resilience. Yorkshire Cyber will reach out to SMEs in a range of towns across Yorkshire by holding immersive, interactive events, using innovative technology designed by CENTRIC, in order to fill this gap and extend the reach of essential support.
The project will engage directly with a number of SMEs from six locations across Yorkshire by:
- Sharing information on cyber-security, such as prevention of cyber-attacks, loss of data and misuse of networks, as well as raising awareness of indirect impacts such as data protection liability;
- Interactive workshop events: a scenario simulation platform will enable business participants to experience and learn about attacks and consequences. Multi-way communication and knowledge exchange between participants and organisers will bring an interactive discussion element to the event;
- Disseminating proactive awareness campaign material.
This is a small-scale, short-term project that involves CENTRIC and Stuart Hyde Associates Ltd. The Yorkshire and Humberside Regional Organised Crime Unit are actively supporting the project and will, along with local police cyber units, be involved with the events. The impact of the project will be maximised by linking with other cyber-security bodies and organisations; this is currently being developed.
Yorkshire Cyber has received Higher Education Innovation Funding (HEIF), which supports and develops knowledge-based interactions between universities / colleges and the wider world and which results in economic and social benefit to the UK. The project began in December 2017 and will conclude in June 2018.

Would you like to find out more about the project? Visit the Yorkshire Cyber website or follow us @YorkshireCyber.
Procurement Policy Notice published by UK Government
The Government has published a Procurement Policy Notice (PPN) that sets out compliance requirements for the forthcoming GDPR in respect of procurement. Although aimed particularly at central government, it may also be relevant to other public bodies. Guidance is provided on reviewing existing contracts and ascertaining duties and obligations, and suggested clauses, which may be of use, are included.
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/669655/17.docx__1_.pdf
This topic will be covered in the forthcoming CENTRIC Supplementary Guide ‘Controller and Processor Relationships’.
Survey results indicate importance of transparency
A recent survey carried out for the Information Commissioner’s Office indicates a lack of trust and confidence on the part of the public when it comes to businesses and organisations processing their personal data. However, the survey does show that public bodies are more trusted than private organisations with 53% having trust in the police and 49% in government departments and organisations. The statistics reveal that there is certainly room for improvement; compliance measures in respect of the GDPR are a valuable opportunity to make this happen.