The Committee of Advertising Practice (CAP) recently published changes to its CAP Code. These changes were in response to a recent consultation, to ensure the code was aligned with the GDPR and covered data protection issues most relevant to marketing practices.
Last week, the Information Commissioner’s Office (ICO) – the UK data protection authority – brought proceedings against a motor industry employee who had been accessing personal information from customers without permission. The resulting sentence was six months in prison.
By virtue of Article 22 of the GDPR, individuals have “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” In this e-update we explore this provision and consider the potential implications for your business.
This week, the ICO has fined Heathrow Airport Limited £120,000 for serious breaches of the Data Protection Act 1998. Whilst this decision is under the “old” data protection rules, it provides some helpful guidance from the ICO on what organisations should be doing to avoid such action by the ICO in the future.
The ICO has issued its first enforcement action under the GDPR. Unusually, the ICO did not report this case on the “enforcement action” page of its website and therefore this notice has been overlooked by many, despite being issued in July. Instead it was attached to the Commissioner’s Report “Investigation into the use of data analytics in political campaigns.” Despite being missed by many, this case is particularly notable as not only is it the first enforcement notice to be issued under GDPR, but it is also the first cease processing order to be taken by the ICO against a company based outside of the UK.
Well, the 2018 Social Enterprise World Forum in Edinburgh is now upon us and in the past month or so I have ventured through the development of the social enterprise spectrum over the last 10 years, from out-and-out regulated charities involved in trading and through various forms of social enterprise structure that “lock in” or “partially lock in” the benefits of trading for a stated social purpose. I said I would finish up having a look at the “out-and-out business” end of the spectrum, and here I am.
We take the security of your data extremely seriously.
Do you recognise this phrase?
On 5th July 2018, the European Parliament adopted a resolution which calls for the EU-US Privacy Shield to be suspended on 1 September 2018 if the US does not ensure a GDPR level of protection for the data of EU citizens. We explore the issues with the EU-US Privacy Shield and whether it is likely to be struck down as an adequate measure for EU-US data transfers.
Location data is a useful tool for marketers to reach mobile app users with targeted, specific advertising. For example, you are scrolling through your favourite social media site while walking down Oxford Street and an advert pops up about a sale in Topshop – perfect! Location-based marketing is on the increase; however, the technology has received scrutiny in France and, last week, the French Data Protection Authority – Commission Nationale de l’Informatique et des Libertés (CNIL) – issued formal warnings to two companies that used geo-location data for the purposes of targeted advertising via a mobile app but didn’t meet the GDPR standard of consent. Just over two months after GDPR came into force, this latest action shows that national data protection authorities are keen to assert the GDPR standards on national companies. This case gives some guidance on how other regulators may interpret “consent” in this context.