Outsourced DPO: Data Protection World Forum!

By Philip Brining

Another interesting week as an Outsourced DPO including two days at the Data Protection World Forum, a letter from the ICO, and more proactive regulation in Germany.

A day in the life of a DPO

I attended the two-day Data Protection World Forum in London’s ExCel this week both as an exhibitor and also a delegate. It was a good event and the Data Protection People (DPP) stand was busy with a constant stream of enquiries – in fact we had just short of 100 enquiries. What struck me most was that at least 50% of the exhibitors were selling software solutions – either those that mine/explore data, or those, like our own DataWise established way back in 2009, which provide a compliance management database/platform.

When we built DataWise it was the only system of its kind. Three-years ago there were maybe 4 or 5 data protection compliance management systems available but now there seem to be hundreds and deciding which system to use if any, is quite a challenge for a busy DPO. From our point of view, more people in the market is only a good thing as there are now probably a hundred times more marketing dollars against compliance software in the UK than this time last year 😊!

However, before I had even attended the event I was offered the attendance list for my own marketing purposes by two separate vendors. Big mistake I thought! I told the second company that I’d already bought it from a different vendor to shake them off, but I did make enquiries as to the price, data sets, and legitimacy of the data of the first vendor. The 5,000-strong database can be bought for £750 and includes names, email addresses, mobile phone numbers and company name of all the attendees.

I asked whether they could supply me a list of which stands and sessions each individual had attended (which they were not), and, for a bit of fun was tempted to ask if they were tracking individuals around the exhibition hall but thought that might blow my cover.

Anyway, I was assured that there is nothing at all to worry about because the data has been collected fairly and lawfully and I am perfectly entitled to use it – despite there being no privacy notice on the Data Protection World Forum registration page, confirmation email, or event information! I look forward to seeing how this plays out and whether any of the attendees or exhibitors is daft enough to buy and use it.

Trouble at t’ mill

I usually like reading information notices and other documents from the ICO as they provide a really good insight into how they approach certain issues – particularly the greyer areas of the law – but we received a letter this week from the ICO relating to a school I’ve been advising about a complaint they received from the ICO a few weeks ago regarding data retention. The ICO wrote that, “the School sates that the information is retained for the purposes of School development, alumni relations management, which includes; marketing and promotion of the School; holding alumni events and fundraising events. It is our view that these are not legitimate interests.” Wow! Now personally I think that is on the harsh side.

Unsurprisingly the ICO was critical of the wealth screening processes the school operates to identify alumni who may be a good target to approach for bursaries and I did advise the school to expect a bumpy ride regarding wealth screening. The ICO wrote, “Processing personal data for wealth screening isn’t necessary and therefore wealth screening cannot be included as part of your legitimate interests. It appears the School has not considered the privacy intrusion in wealth screening as an individual may not want their personal data analysed and profiled.” The last sentence is not true of course as the school has undertaken a legitimate test and found the wealth screen activities to be both fair and lawful. Anyhow, I have a meeting at the school next week to plan implementing changes that incorporate the ICO’s opinions.

What big eyes you have … what big teeth you have!

Earlier this month the data protection authority of Bavaria (BayLDA) issued a press release stating that it would be intensifying its GDPR compliance monitoring[1]. We have a few clients with German operations although none are within the jurisdiction of Bavaria, so the Outsourced DPO sat up and took notice.

The BayLDA is the supervisory authority for monitoring compliance with data protection regulations in non-public sectors in Bavaria. Being pretty pro-active as a regulator, they carry out regular checks through targeted tests such as personal on-the-spot checks of individual businesses, automated online audits for thousands of companies and large-scale multi-page questionnaires, to establish the extent to which companies, associations and freelancers comply with their legal obligations.

The press release states that the BayLDA will focus on cybersecurity vulnerabilities of online shops and doctors’ practices following an increase in incidents in both of these sectors and that it also intends to focus on application of the accountability principle bemoaning the fact that in practice, it is not easy for it to recognise whether companies actually implement relevant data protection controls without undertaking spot-checks. Finally, the press release sets out that it will examine the use of processors and sub-processors in the coming weeks and data retention and deletion in SAP systems.

I’ve always been interested in this proactive approach as the UK’s ICO has never really gone on the offensive and tends to respond to complaints and breaches which, to be honest, has led to an overly relaxed attitude to data protection compliance in the UK in my opinion.

A gazillion data breaches

For a bit of fun (that’s the way the Outsourced DPO get its kicks) I googled “data breach this week” which returned over 61 million results!

Office day

Today (Friday) is my office day. I’ve got a call to run through a DPIA I’m doing for a large FMCG client, a meeting to review the progress of a compliance project with an international transportation provider and a bunch of internal meetings. The day kicked off with a fire drill at Data Protection Towers which set me off on my normal rant about, “you quite rightly regularly test that your health and safety systems are working – when did you last test the security of your data systems?”

27th November 2018

A blog written by Phil Brining, director of Data Protection People and Data Protection Officer for several organisations.

[1] https://www.lda.bayern.de/media/pm2018_17_de.pdf

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021