Handley Gill
LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

Posts tagged Data Controller
You Shall EU
You Shall EU

Handley Gill's specialist data protection consultants consider the status of CJEU judgments in UK law after the Labour government intervened to prevent section 6 Retained EU Law (Revocation and Reform) Act 2023 from coming into force and amending the European Union (Withdrawal) Act 2018, and consider several CJEU judgments addressing the processing of special category personal data, the interaction between data protection and competition law, the conduct and balancing of legitimate interests assessments, data minimisation and the status of supervisory authority decisions.

Read More
Nicola CainData Protection, GDPR, EU GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Retained EU Law, Retained EU Law (Revocation and Reform) Act 2023, European Union (Withdrawal) Act 2018, Section 6 European Union (Withdrawal) Act 2018, section 6 Retained EU Law (Revocation and Reform) Act 2023, Assimilated Law, BREXIT, CJEU, Data Controller, Data Minimisation, Supervisory Authority, Health Data, Article 9(1) GDPR, Article 9 GDPR, Article 9 UK GDPR, Article 9(1) UK GDPR, Legitimate Interests, Legitimate Interests Assessment, LIA, Article 6(1)(f) UK GDPR, Article 6(1)(f) GDPR, Commercial Interests, Advertising, MARKETING, Targeted Advertising, Behavioural Advertising, Personalised Advertising, Data Sharing, Necessity, C-446/21, C-621/22, C-21/23, C-200/23, SPECIAL CATEGORY PERSONAL DATA, Special Category Data, Sexual Orientation, Article 9(2)(a) GDPR, Article 9(2)(a) UK GDPR, Article 9(2)(e) GDPR, Article 9(2)(e) UK GDPR, Article 5(1)(c) GDPR, Article 5(1)(c) UK GDPR, Data Retention, C-507/23, Compensation, Damages, Article 82 GDPR, Article 82(1) GDPR, ApologyComment
A problem shared...
A problem shared...

As Iceland boss Richard Walker decried data protection and human rights laws for allegedly preventing him and his staff from sharing information with other retailers in order tackle the scourge of shoplifting, Handley Gill’s specialist data protection consultants consider how these and other laws apply to retailers and shopping centre operators and identify the steps retailers can take to lawfully share personal data for the purposes of preventing or detecting crime.

Read More
Nicola CainData Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Controller, Data Sharing, Data Sharing Agreement, Criminal Conviction & Offence Data, Article 10 UK GDPR, Section 11 Data Protection Act 2018, s.11 DPA 2018, Section 11(2) Data Protection Act 2018, s.11(2) DPA 2018, Section 10 Data Protection Act 2018, S.10 DPA 2018, Section 10(5) Data Protection Act 2018, s.10(5) DPA 2018, Retail, Retail Crime, Theft, Shoplifting, Data Protection Offences, Data protection impact assessment, DPIA, Appropriate Policy Document, Schedule 1 Data Protection Act 2018, Public Domain, Manifestly Made Public, NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), Data Privacy, Misuse of Private Information, Article 8 ECHR, Article 8 European Convention on Human Rights, Rehabilitation of Offenders Act 1974, Retention Schedule, Data Retention, Section 170 Data Protection Act 2018, Prevention or detection of crime, Crime prevention, Crime detection, Human Rights Act 1998, Reputation Management, Defamation, Libel, SlanderComment
Holiday packing list
Holiday packing list

With the summer holiday season in full swing, Handley Gill Limited’s specialist data protection and cyber resilience consultants consider the data protection and information security risks of staff taking data and devices used for business purposes overseas and the practical measures that organisations can take to safeguard data subject to border control powers.

Read More
Nicola CainData Protection, PERSONAL DATA, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Cyber Security, Information Security, Data Controller, Data Processor, Overseas Travel, Data Transfer, Personal Data Transfer, Personal Data Export, Data Security, Border Control, Schedule 7 Terrorism Act 2000, Section 78(2) Customs and Excise Management Act 1979, Search, Seizure, Password protection, Encryption, Confidential Information, Confidentiality, Privacy, Digital PrivacyComment
Security guaranteed?
Security guaranteed?

To coincide with London Tech Week 2024, one of the key themes of which is ‘The Future of Security and Data’, and following the revelation in the DSIT Cyber Security Breaches Survey 2024 that few organisations are conducting supply chain risk assessments, Handley Gill’s specialist consultants have published their Helping Hand checklist on conducting data processor / supply chain information security risk assessments which is informed by NCSC guidance.

Read More
Nicola CainData Protection, Personal Data, UK GDPR, GDPR, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, Information Security, Cyber Security, Information Security Risk Assessment, Cyber Security Risk Assessment, Cyber Attack, Cyber Incident, Data Breach, Data Controller, Data Processor, Article 28 UK GDPR, Article 28 GDPR, Article 28(1) UK GDPR, Article 28(1) GDPR, Cyber Security Breaches Survey 2024, Department for Science Innovation & Technology, National Cyber Security Centre, NCSC, Supply Chain Risk, Supply Chain Security, Vendor Management, Supplier Management, ICO, Information Commissioner, Information Commissioner's Office, Data Security Incident Trends Report, London Tech Week 2024, LTW, LTW 2024, The Future of Security and Data, Cyber Resilience, Online HarmsComment
Data Protection Day 2024
Data Protection Day 2024

This Data Protection Day 2024 - aka Data Privacy Day 2024 - on 28 January, Handley Gill Limited’s specialist data protection consultants identify the ways that both data subjects and data controllers can ‘Take Control of Your Data’.

Read More
Nicola CainData Protection Day, Data Protection Day 2024, Data Privacy Day, Data Privacy Day 2024, Data Protection, Data Privacy, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Protection Act 2018, DPA 2018, PECR, Privacy and Electronic Communications Regulations, Data Protection and Digital Information Bill, Data Subjects, Data Subject Rights, Data Controller, the Council of Europe Convention 108, the Council of Europe’s Convention 108, Convention for the Protection of Individuals with regard to Automatic Processing of Personal DataComment
Britain's Got Talent's Got Problems
Britain's Got Talent's Got Problems

Handley Gill Ltd’s specialist consultants provide initial comment and analysis on The Sun’s report of David Walliams’ data protection claim against one of the co-producers of ITV’s Britain’s Got Talent, Fremantle Media, including the nature of the claim, potential defences and the sums being claimed. The claim arises from the the leak of a transcript of comments made by Walliams on set to The Guardian in November 2022.

Read More
Nicola CainData Protection, Personal Data, Data Protection Act 1998, GDPR, General Data Protection Regulation, DATA PROTECTION ACT 2018, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Breach, Data Litigation, Sensitive Personal Data, SPECIAL CATEGORY PERSONAL DATA, S.2 Data Protection Act 1998, S.32 Data Protection Act 1998, Special Purposes Processing, Special Purposes Exemption, Journalism Art or Literature, Article 9 GDPR, Article 9 UK GDPR, Data Protection Offences, s.170 Data Protection Act 2018, S.170 DPA 2018, Right to Erasure, Right to be Forgotten, Article 17 GDPR, Article 17 UK GDPR, WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB), Sir Cliff Richard v (1) BBC and (2) Chief Constable of South Yorkshire Police [2017] EWHC 1291 (Ch), Article 33 GDPR, Article 33 UK GDPR, Personal Data Breach Record, Breach Log, Data protection impact assessment, DPIA, Legitimate Interests Assessment, LIA, Retention Schedule, Privacy Notice, Data Controller, Vicarious LiabilityComment
Sifting Out Data Protection Rights?
Sifting Out Data Protection Rights?

The Government has prepared a draft statutory instrument, The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023, to amend the UK GDPR and Data Protection Act 2018, and laid it before the Sifting Committees. The SI would re-define post-Brexit the definition of fundamental rights and freedoms in data protection legislation. Handley Gill’s specialist data protection consultants consider the implications of the SI for the enforcement of data protection rights across the UK.

Read More
Nicola CainDepartment for Science Innovation & Technology, DSIT, Data Protection, Personal Data, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Protection Act 2018, Brexit, Retained EU Law (Revocation and Reform) Bill, European Union (Withdrawal) Act 2018, The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023, European Convention on Human Rights, ECHR, Human Rights, Human Rights Act 1998, Fundamental Rights & Freedoms, Convention Rights, Article 8 European Convention on Human Rights, Article 8 ECHR, Right to Private and Family Life, Right to respect for private and family life, Article 8 European Charter of Fundamental Freedoms, Charter of Fundamental Rights of the European Union, (1) Satakunnan Markkinapörssi Oy and (2) Satamedia Oy v Finland, Information Commissioner, Privacy, Data Controller, REUL (Revocation and Reform) Act 2023, REUL (Revocation and Reform) Act 2023 Statutory Instruments, Retained EU Law (Revocation and Reform) Act 2023Comment
Certify...certify me!
Certify...certify me!

Handley Gill’s specialist data protection consultants consider the options and certification requirements for US entities importing personal data from the EEA following the adoption of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework, providing a lawful basis for transferring personal data to the US under the GDPR.

Read More
Nicola CainData Protection, Data Privacy, PERSONAL DATA, GDPR, General Data Protection Regulation, GENERAL DATA PROTECTION REGULATION, Regulation (EU) 2016/679, Data Transfer, Restricted International Data Transfers, Restricted Data Transfer, International Transfers, International data transfers, US Data Transfers, EU-US DPF, EU-US Data Privacy Framework, SCCs, Modernised SCCs, Supplementary Measures, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Transfer Risk Assessment, Transfer Impact Assessment, Transfer Risk Assessment Tool, Data transfer agreement, TADPF, Trans-Atlantic EU-US Data Privacy Framework, Trans-Atlantic EU-US Data Privacy Framework Principles, DPF Principles, Privacy Shield, Privacy Shield Principles, EU-US DPF Certification, Privacy Shield Certification, Privacy Shield Self-Certification, Schrems II, Personal Data Transfer, Personal Data Export, Data exporter, Data Importer, Safe Harbor, Chapter 5 GDPR, Article 44 GDPR, Article 45 GDPR, Adequacy Decision, US Adequacy Decision, EUROPEAN COMMISSION, C(2023) 4745, TADPF Certification, Data Controller, Data Processor, Data ExporterComment
Freedom from the tyranny of supplementary measures
Freedom from the tyranny of supplementary measures

Handley Gill Limited’s specialist data protection consultants consider the impact of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework and the steps controllers and processors should take in relation to transfers of personal data from the EEA and UK to the USA.

Read More
Nicola CainData Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Transfer, Personal Data Transfer, International Transfers, International data transfers, Safe Harbor, Privacy Shield, EU-US Data Privacy Framework, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 44 GDPR, Article 44 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 45(2) GDPR, Article 45(2) UK GDPR, Adequacy Decision, Schrems II, Adequacy Regulations, Section 17A Data Protection Act 2018, S.17A Data Protection Act 2018, S.17A DPA 2018, DPA 2018, Data Protection Act 2018, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Transfer Risk Assessment, Transfer Impact Assessment, International Data Transfer Agreement, International Data Transfer Addendum, IDTA, SCCs, Modernised SCCs, Modernised Standard Contractual Clauses, Executive Order 14086, Qualifying State, TADPF, US Data Transfers, UK-US Data Bridge, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, FISA 702, Prism, Upstream, EU-US DPF, Data Controller, Data Processor, Data exporter, Data ImporterComment
Pride 2023: Take pride in your processing
Pride 2023: Take pride in your processing

Effective data protection compliance measures can promote, empower and protect the LGBTQIA+ community and can not only assist organisations in identifying and eliminating discrimination, but also in supporting LGBTQIA+ individuals and enabling them to have their gender identity and sexual orientation recognised.

Read More
Nicola CainDATA PROTECTION, PERSONAL DATA, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, GDPR, GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, DPA 2018, SPECIAL CATEGORY PERSONAL DATA, SENSITIVE PERSONAL DATA, SEX LIFE, SEXUAL ORIENTATION, GENDER, PRIDE, LGBTQIA+, Inferred personal data, Data protection impact assessment, DPIA, Article 4(1) UK GDPR, Article 4(1) GDPR, Article 9(1) UK GDPR, Article 9(1) GDPR, Section 10 Data Protection Act 2018, S.10 Data Protection Act 2018, S.10 DPA 2018, Schedule 1 Data Protection Act 2018, Schedule 1 Part 2 paragraph 8 Data Protection Act 2018, Schedule 1 Part 2 paragraph 16 Data Protection Act 2018, Schedule 1 Part 2 paragraph 17 Data Protection Act 2018, Article 5(1)(d) UK GDPR, Article 5(1)(d) GDPR, Article 17 UK GDPR, Article 17 GDPR, Right to be Forgotten, Article 21 UK GDPR, Article 21 GDPR, Article 25 UK GDPR, Article 25 GDPR, Article 5(1)(c) UK GDPR, Article 5(1)(c) GDPR, Appropriate Policy Document, Data ControllerComment
A bridge to nowhere?
A bridge to nowhere?

A commitment to establishing a UK-US data bridge, which would take the form of adequacy regulations being issued by the Secretary of State pursuant to section 17A Data Protection Act 2018, has been announced. Since this bridge is likely to be contingent on the European Commission issuing its own adequacy decision, and the draft has recently been rejected by the European Parliament, data exporters will be reliant on the Commission ramming through the roadblock or will find themselves stuck in traffic on the UK-US data flyover.

Read More
Nicola CainData Protection, Personal Data, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Privacy Shield, Schrems II, Transatlantic Data Privacy Framework, Adequacy Decision, EUROPEAN COMMISSION, Safe Harbor, Adequacy Regulations, UK Adequacy, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, EU-US Data Privacy Framework, UK-US Data Bridge, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 46 GDPR, Article 46 UK GDPR, Data Protection Act 2018, Section 17A Data Protection Act 2018, s17A Data Protection Act 2018, Qualifying State, Executive Order 14086, TADPF, European Parliament, Committee on Civil Liberties, Committee on Civil Liberties Justice & Home Affairs, LIBE Committee, European Data Protection Board, EDPB, Opinion 5/2023, German-American Data Protection Day, DoJ, Department of Justice, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Transfer Risk Assessment, Transfer Impact Assessment, Derogation, Data Transfer, Data transfer agreement, US Data Transfers, International Transfers, International data transfers, International Data Transfer Risk Assessment, Data Controller, Data Processor, Data exporter, Data ImporterComment
CrapITa
CrapITa

Handley Gill’s data protection consultants consider recent supply chain cyber attacks, including the unfolding of the recent Capita and Zellis / MOVEit data breaches, and identify the steps data controllers should take when engaging data processors as part of their supply chain or giving third parties access to personal data, and the lessons to be learned for vendor management throughout the data processing lifecycle.

Read More
Nicola CainData Protection, Personal Data, Information Security, Cyber Security, Cyber Resilience, Cyber Attack, Data Breach, Supply Chain Risk, Supply Chain Security, Vendor Management, Capita, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Information Commissioner, Information Commissioner's Office, ICO, Pensions Regulator, Financial Conduct Authority, FCA, Data subjects, Compensation, Data litigation, Ransom, Ransom Payment, Department for Science Innovation & Technology, DSIT, Cyber Security Breaches Survey 2023, Article 25(1) UK GDPR, Article 25(1) GDPR, Data Controller, Data Processor, Data Processing Agreement, DPA, Data Processing, Article 28 GDPR, Article 28 UK GDPR, Article 32 GDPR, Article 32 UK GDPR, Cyber Insurance, Cyber Insurance Cover, Liability, Data protection impact assessment, DPIA, Administrative fine, Monetary penalty, Article 82(3) UK GDPR, Article 82(3) GDPR, Regulatory Action Policy, Article 33 UK GDPR, Article 33 GDPR, Article 34 UK GDPR, Data Breach Notification, Breach Response Plan, Incident Response Plan, Injunction, Injunctive Relief, Article 82 GDPR, Article 82 UK GDPR, CVE-2023-34362Comment
Data Downgrade Down Under?
Data Downgrade Down Under?

Handley Gill Limited’s data protection consultants consider the implications of the 2021 Free Trade Agreement between the UK and Australia - taking effect on 31 May 2023 - for the protection of personal data and the ease of international transfers of personal data.

Read More
Nicola CainBREXIT, UK, United Kingdom, Australia, Data Protection, Personal Data, Privacy, Data Privacy, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Section 17A Data Protection Act 2018, Adequacy Decision, Adequacy Regulations, New Zealand, European Commission, Secretary of State for Science Innovation & Technology, Marketing, Direct Marketing, Consent, Marketing Consent, Privacy Act, Privacy Act Review, Foreign Commonwealth and Development Office, Foreign Office, Department for Business and Trade, Department for Science Innovation and Technology, Department for Culture Media & Sport, Data Transfer, Restricted Data Transfer, Restricted International Data Transfers, International data transfers, Standard contractual clauses, Derogations, Data Controller, Data ProcessorComment
New and improved?
New and improved?

The Second Reading of, and first chance for Parliament to debate, the government’s second attempt to reform the UK’s data protection legislation, in what it has described as the “improved” and “common-sense-led” Data Protection and Digital Information (No.2) Bill (Bill 265 2022-23) takes place on 17 April 2023. Handley Gill’s specialist data protection consultants consider its impact on the UK’s existing data protection legislation and identify amendments that would improve the Bill.

Read More
Nicola CainData Protection, Personal Data, GDPR, UK GDPR, Data Protection Act 2018, Data Protection Reform, PECR, DPA 2018, Privacy and Electronic Communications Regulations, Data Reform Bill, Data Protection and Digital Information Bill, Data Protection and Digital Information (No. 2) Bill, Bill 265 2022-23, DPDI Bill, Data: A New Direction, DPDI2 Bill, Bill 143 2022-23, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, DPDI(2) Bill, DPDI (No.2) Bill, Information Commissioner, Information Commission, Supervisory Authority, Department for Culture Media & Sport, Department for Science Technology & Innovation, Department for Science Innnovation & Technology, Department for Science Innovation & Technology, Brexit, Innovation, Code of Practice, Statutory Code of Practice, DATA SUBJECT ACCESS REQUEST, Data Subject Rights, Vexatious or excessive, Approved person, Data subject complaint, Data controller complaint, Statement of Strategic Priorities, Enforcement, Regulatory Enforcement, Interview notices, First Tier Tribunal (Information Rights), Notice of Intent, Monetary Penalty Notice, Definition of personal data, Data Controller, Data ProcessorComment
Your money... and your life?
Your money... and your life?

New cyber sanctions imposed by the UK and US governments against Russian nationals expose victims of ransomware, and their individual directors and officers, to criminal liability in the event that ransom payments are made.

Read More
Nicola CainRansom, Ransomware, Sanctions, Cyber Sanctions, Ransom Payment, Russia, Ukraine, Sophos State of Ransomware 2022 white paper, Information Commissioner, ICO, Home Secretary, Priti Patel, CyberUK Conference 2021, NCSC, National Cyber Security Centre, NCA, National Crime Agency, OFSI, Office of Financial Sanctions Implementation, Cyber Attack, Cyber Crime, Data Breach, Data Loss, Conti, Conti ransomware, Personal Data, Data Protection, UK Sanctions List, Guidance on Ransomware & Financial Sanctions, HM Treasury, Directors Duties, Directors' Duties, Criminal Offence, Criminal Liability, Cyber (Sanctions) (EU Exit) Regulations 2020, SI 2020/597, Sanctions & Anti-Money Laundering Act 2018, Designated Person, Cryptocurrency, Virtual assets, Due Diligence, Trickbot, Ransomware Victim, CPS, Crown Prosecution Service, Malware, Data Controller, Data ProcessorComment
You know how i feel
You know how i feel

Handley Gill Limited, and its specialist data protection consultants, respond to the Information Commissioner’s (ICO’s) consultation on its draft ‘Employment practices and data protection: information about workers’ health guidance, which address the use of special category data concerning health in the context of maintaining sickness, injury and absence records, occupational health schemes, conducting medical examinations and testing (including drug testing) and other health monitoring.

Read More
Nicola CainData Protection, Personal Data, GDPR, UK GDPR, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, Information Commissioner, Information Commissioner's Office, ICO, Consultation, Consultation Response, Employment Law, Employees, Workers, SPECIAL CATEGORY PERSONAL DATA, Health Data, Data Processing, Employment, Health and Safety, Health and Safety Executive, HSE, Chartered Institute of Personnel and Development, CIPD, Data ControllerComment
Watch and learn
Watch and learn

Handley Gill Limited, and its specialist data protection consultants, respond to the Information Commissioner’s (ICO’s) consultation on its draft ‘Employment practices: monitoring at work’ guidance, which addresses the lawfulness of the use of workplace monitoring and surveillance technologies in the workplace (whether office, home or remote working) and on workers’ devices.

Read More
Nicola CainData Protection, Personal Data, General Data Protection Regulation, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, DPA 2018, Information Commissioner, ICO, Consultation, Consultation Response, Employment Law, Employee Monitoring, Surveillance, Consent, SPECIAL CATEGORY PERSONAL DATA, Biometric Data, Remote Work, Data Subject Rights, Bring Your Own Device, BYOD, Explicit Consent, DPIA, Data protection impact assessment, Legitimate Interests Assessment, Privacy, Human Rights, Human Rights Act 1998, Article 8, Article 8 European Convention on Human Rights, European Convention on Human Rights, GDPR, UK GDPR, Data ControllerComment