Changes in the data protection legislative landscape

By David Hendry

The Outsourced DPO has been having a green January utilising the under-used Esk Valley Railway for his daily commute to Leeds.  This has meant more time for reading – which is a good thing given the changes in the data protection legislative landscape around the world.

It was 5 or so years ago that one of the Outsourced DPO’s favourite clients raised a support case enquiring about data protection in Russia.  One of their customers had asked them to provide a data collection service in Russia and they needed to know more about the Russian rules.  The Outsourced DPO therefore noted with interest a couple of weeks ago that the fines had dramatically increased for not complying with the Russian data localization law which require physically locating data processing activities and facilities (e.g. servers) within the Russia Federation for processing the personal data of Russian citizens – now approximately £75,000 for one-off violations and £225,000 for repeated offences.

Last week it was announced that revised privacy legislation is being introduced for consideration in the state of Virginia in the USA.  The proposed Virginia Privacy Act has some similarities to the new California Consumer Privacy Act (CCPA) such as notice requirements, and affords data subjects rights similar to those set out in the GDPR.  However it only applies to certain entities with thresholds on things like data volumes and turnover and would require data controllers to perform and document a privacy risk assessment for every processing activity it undertakes.

The Outsourced DPO isn’t sure how relevant the proposed Virginia Privacy Act and CCPA is to UK-based organisations but keeping track of the ever-evolving privacy law across the globe is a challenge.  That’s one of the benefits of contracting out some or all data protection compliance management responsibilities to specialists who not only live and breathe this – they also relish the opportunity of getting stuck into some technical reading as they wend their merry way along the beautiful Esk Valley.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021