Latest Articles

Direct marketing has been a focus of the UK data protection regulator, the Information Commissioner’s Office (ICO), for the last several years. Direct marketing for these purposes includes promotional messages that are sent directly to an individual recipient electronically (email or text), by post or communicated by phone. Such messages are considered to be unsolicited communications, as opposed to marketing messages that were specifically requested by individuals.…
The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the “CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as related to obtaining consent from competition participants. For further information on the forthcoming update to the CAP Code and its…
Back in May this year, the Committee of Advertising Practice (CAP), which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the CAP Code), launched a consultation (the Consultation) on changes that may be required to the CAP Code on the issue of administration of prize promotions. This followed the introduction of the General Data Protection Regulation (GDPR). The Consultation was completed on 19 June 2018. Following the Consultation, CAP has agreed…
Happy New Year! With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant. Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real-world situations is often very unclear. The Article 29 Working Party, a body consisting of EU national data protection authorities, has issued several important opinions and guidelines intended…
In line with the EU General Data Protection Regulation (GDPR), the UK has now published a Data Protection Bill, which is intended to “make our data protection laws fit for the digital age…” The Overview Factsheet for this Bill may be found here. This legislative initiative parallels that of several other EU Member States that have introduced similar bills to implement the GDPR. What does this mean for data protection laws in the UK…
On 13 September 2017, the UK Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR. The draft guidance does not add substantial detail to the provisions of the GDPR but is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be…
In anticipation of the coming into force of the General Data Protection Regulation (GDPR) exactly a year from today, we are initiating a series of blog posts looking at the practical implications for employers. This post looks at individual employees’ right of access to their personal data and takes the form of a Q&A addressing key changes to this right that will be brought about by the GDPR. Given the ambiguous wording of the GDPR,…
On 04 April 2017, the Article 29 Working Party (WP29) issued its much-anticipated draft Guidelines on Data Protection Impact Assessments (DPIAs), which will be required under Article 35 of the EU General Data Protection Regulation (GDPR). The draft Guidelines are open for comment from the public until 23 May 2017, after which the final Guidelines will be published. The DPIA Guidelines will be complemented by the WP29 Guidelines on Profiling, a draft of which is…
On 6th April, the European Parliament adopted a resolution on the “Adequacy of the Protection afforded by the EU-US Privacy Shield”. The resolution draws attention to previously identified and new concerns about the Privacy Shield framework and considers what the focus should be during the upcoming joint annual review of the Privacy Shield. The resolution states that there has been a lack of clarity in terms of the commitment of the new US administration to…
On 14 March 2017, the European Data Protection Supervisor (EDPS) issued its Opinion on the protection of personal data when it is used in lieu of payment for “free” online services. The EDPS is an independent EU body responsible for advising the EU institutions on data protection matters. The Opinion was issued following a request by the EU Council in regard to a package of legislative proposals on contracts for the supply of digital services…