“We have to become more agile as our clients' expectations and requirements change. The only thing we know is that tomorrow is going to be different and we must be prepared. With LexisNexis, I feel more confident that we're ready every time.”
Wolverhampton County Council
This Checklist summarises guidance on pursuing a ‘UK GDPR claim’. It draws on the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), together with the Data Protection Act 2018 (DPA 2018) legislation. Where the EU has jurisdiction, proceedings are governed by the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR). UK data protection rules—most notably Assimilated Regulation (EU) 2016/679 (UK GDPR)—originate to a large extent from EEA data protection frameworks and, as a result, generally rest on comparable principles, although some provisions differ slightly in detail. In the UK, ‘assimilated law’ denotes retained EU law (REUL) that continues to have effect after the end of 2023 and remains in force, for example the UK GDPR legislation. Re-labelling REUL (and related terminology) as assimilated law signals a shift in its status and handling in UK law, in practice, meaning it is now generally construed by reference to ordinary domestic legal standards and principles...
This Checklist outlines the main factors a controller would ordinarily consider when undertaking an audit with a view to assessing whether a potential or current processor of personal data is suitable under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For more detail about controllers’ obligations and engaging processors within the UK GDPR regime, see the following Practice Notes:
The UK General Data Protection Regulation (UK GDPR)
Key definitions under UK data protection law
Supply chains under data protection law—arrangements between controllers and processors
Audits of processors
Although processors subject to the UK GDPR have distinct duties under the legislation, controllers remain accountable for a processor’s handling of personal data carried out under their instructions and on their behalf. Under the accountability principle of the UK GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles in Article 5(1) UK GDPR—which include lawfulness, fairness and transparency; purpose limitation;...
This Practice Note draws on the information and guidance that are currently available to date, and will be revised to reflect the new ICO guidance once it has been finalised.
Responsibility for recruitment
If the employer lacks a dedicated personnel or HR team within the organisation:
who will oversee and manage the recruitment process, and who will participate at the different stages of selection?
are they fully familiar with the principles of sound recruitment practice, in particular concerning discrimination and other prohibited conduct under the Equality Act 2010, and with data protection under Assimilated Regulation (EU) 2016/679, UK GDPR and DPA 2018, or do they require training?
Ensure intended HR staff, line managers and supervisors who will be involved in the recruitment process are available, and that provisional dates, eg for shortlisting and interviews, are diarised in good time as necessary
Job description and person specification
How has...
In this issue:
Advertising, marketing and sponsorship
Consumer protection
Contracts
Data protection
Sale and supply of goods
Supplier management
LexTalk®Commercial: a Lexis®Nexis community
Daily and weekly news alerts
New and updated content
Dates for your diary
Trackers
ASA rulings—6 November 2024
The Advertising Standards Authority (ASA) received two complaints about CurrencyWave and Eurostar. Complainants said CurrencyWave’s ad wrongly implied Financial Conduct Authority regulation and used inaccurate price comparisons. For Eurostar, concerns were that Instagram and Facebook ads overstated the availability of £39 fares and omitted key information. The ASA upheld both. See: LNB News 06/11/2024 51.
ASA publishes its Vaping Project Review on vaping ads targeted at under-18s
The ASA has issued its Vaping Project Review, detailing outcomes from investigations, tech-assisted monitoring, enforcement, stakeholder engagement and advisory work on ads aimed at under-18s since June 2023. It found influencers, companies, agencies and vaping brands posting paid and organic content, plus brand...
In this issue:
Information technology
Internet
Media
Advertising, marketing and sponsorship
Reputation management
Telecommunications
LexTalk®TMT: a Lexis®Nexis community
Daily and weekly news alerts
New and updated content
Dates for your diary
Trackers
Useful information
Information technology
Commission consults on draft Guidance on EU Cyber Resilience Act
The European Commission has opened a consultation on a draft Communication offering direction on how to interpret and apply in practice Regulation (EU) 2024/2847, the EU Cyber Resilience Act (EU CRA). In line with Article 26(1) EU CRA, this non-binding guidance seeks to support manufacturers, developers and other stakeholders in understanding their obligations and fostering a harmonised approach across the EU, with a particular emphasis on helping microenterprises and small and medium-sized enterprises meet compliance needs.
the scope of the EU CRA, including free and open-source software and what constitutes a substantial modification;
support period obligations;
designation of important and...
Risk & Compliance weekly highlights—24 October 2024
In this issue:
Data protection and cyber security
Financial sanctions
AML, CTF & counter-proliferation financing
Other financial crime
Other Risk & Compliance updates this week
Question of the week
Daily and weekly news alerts
Trackers
New and updated content
Latest Q&A
Data protection and cyber security
EAC outlines proposals on the future of UK-EU data adequacy
The House of Lords European Affairs Committee (EAC) has sent a letter to the Secretary of State for Science, Innovation and Technology, capturing the Committee’s key findings and recommendations arising from its inquiry into UK-EU data adequacy. See: LNB News 22/10/2024 111.
NCSC publishes advice on communicating during a cyber security incident
The National Cyber Security Centre (NCSC) has issued guidance for organisations on managing communications before, during and after a cyber security incident. It identifies three essential principles: prepare a communications plan in advance; communicate clearly...
This Practice Note serves as a practical ‘how to’ for delivering a compliant B2C telephone and print direct marketing campaign, and points you to relevant materials. It distils the key principles and legal rules governing direct marketing, and explains how they affect print and telephone activity. It also offers hands-on advice on the steps and issues to weigh up before dispatching marketing mailings or placing marketing calls to consumers. Given the variety of routes available for a direct marketing initiative, different legal considerations may arise depending on the campaign’s design, the copy used, the exact media chosen and the jurisdictions in scope. This Practice Note does not cover digital forms of direct marketing, such as social media advertising, mobile and virtual advertising. For a ‘how to’ on running a compliant direct marketing campaign in a digital setting, see Practice Note: How to run a compliant direct marketing campaign—digital.
What is direct marketing?
‘Direct marketing’ means the communication, by any method, of advertising or marketing material directed at...
As of 31 January 2020, the UK left the EU and the EEA. This Practice Note introduces:
the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) framework (which applied within UK law up to the end of the Brexit implementation period—11 pm UK time on 31 December 2020—and continues to operate across the EEA; therefore, any references in this Practice Note to EEA or EU states should be read as also covering the UK until that period concluded)
the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) framework (which applies under UK law from the end of the Brexit implementation period)
Where there is no need to draw a distinction, this Practice Note refers to both as ‘GDPR’ for ease. When looking at the routine processing of personal data, the UK GDPR and the Data Protection Act 2018 (DPA 2018) should be consulted together, as both sets of provisions have direct effect. Practitioners will generally...
What is a hackathon?
A hackathon is usually a 12–48-hour sprint where multidisciplinary teams—coders, developers, strategists, data scientists, subject-matter specialists and innovators—work intensively to tackle a defined problem in a short window. The aim is to generate fresh concepts, tools or platforms, often ending with a functional prototype or a concept pitch. They trace their lineage to tech culture: the first officially recognised hackathon took place in 1999 in Calgary, though collaborative meet-ups go back to the 1970s with groups such as the Homebrew Computer Group, where the first Apple computer was unveiled. Today, hackathons cut across many sectors and goals, and are not exclusively technology-focused. The author once ran an inspiring game jam—a game development focussed hackathon—designed to speed up cancer cures by turning cancer data analysis into gameplay, delivering scientifically robust outputs thanks to watertight algorithms. Whatever the topic, the core principles and structure are largely consistent. In law, they are increasingly used to drive innovation, widen access to justice, and connect with legal...
Precedent presentation
This Precedent presentation acts as a resource to upskill your staff in the fundamental principles of data protection and in managing them within the workplace. The Precedent is generally applicable, yet integrates the requirements of the UK General Data Protection Regulation (UK GDPR) wherever pertinent...
Rules of the [ insert name of company granting EMI options ] enterprise management incentives Scheme
FORTHCOMING CHANGE: On 26 November 2025, within Budget 2025, it was confirmed that from 6 April 2026 a number of EMI limits will be uplifted:
The gross assets threshold will rise from £30 million to £120 million.
The cap on full-time equivalent employees will increase from 250 to 500.
The overall limit on the value of unexercised EMI options that a company or group can have at any time will go from £3 million to £6 million.
The permitted exercise period will also extend from 10 to 15 years. Existing EMI options can be varied to adopt this longer exercise window without forfeiting tax advantages, so long as the changes comply with legislation to be included in Finance Bill 2025-26.
In addition, from April 2027 the requirement to notify HMRC of EMI option grants for them to qualify will be abolished, with this measure to...
1 Introduction
1.1 We regard the safeguarding of confidentiality and information security as of utmost importance across the organisation at all times.
1.2 This policy aims to:
1.2.1 guard against possible confidentiality breaches and lapses in the integrity or availability of information;
1.2.2 ensure our information assets and IT resources are shielded from damage, loss, or misuse;
1.2.3 reinforce our data protection policy by making certain all staff know and follow relevant law and our internal procedures governing the processing of personal data;
1.2.4 raise firm-wide awareness and understanding of information security requirements and the duty of staff to safeguard the information they handle.
2 Roles and responsibilities
2.1 Information security is relevant to every member of staff. Nevertheless, the [ state who ] holds overall accountability for the firm’s information management and security matters, which includes:
2.1.1 overseeing and applying this policy;
2.1.2 tracking prospective and confirmed security breaches;
2.1.3 ensuring staff...