Welcome from the Information Commissioner



It was so good to see around 800 of you at our conference this week, with many more joining in through our live stream.

It’s been an eventful few weeks. It’s been hard to miss the expose of Cambridge Analytica’s alleged use of personal data in election campaigns including information gathered from Facebook.

It’s worth remembering that this is one part of our larger investigation into the use of personal data analytics for political purposes by political campaigns, parties, social media companies and others. You can read more on that below.

If that wasn't interesting enough, the GDPR is now a mere 30 working days away. We’ve provided a whole suite of resources on our website – our Guide to the GDPR is the place to find guidance that is, as you would expect of the ICO, accurate, authoritative and accessible. You’ll also find interactive toolkits, handy checklists and sector-specific FAQs based on real queries received by our customer contact team.

We want you to feel prepared, equipped and excited about the GDPR. I know many of you do. For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline.

25 May is not the end. It is the beginning.

Our work 

Investigation into data analytics for political purposes       

Our enquiries involve 30 organisations including Cambridge Analytica, Aggregate IQ and Facebook. The latest ICO statements about the investigation can be found on our website.

A win for the data protection of UK consumers

WhatsApp has signed an undertaking with the ICO, publicly committing  to not sharing personal data with Facebook until they address data protection issues. This follows our investigation into WhatsApp and Facebook, which found that WhatsApp had not identified a lawful basis of processing for any such sharing of personal data among other concerns. Elizabeth Denham explained why this represents a win for UK consumers in her blog.

Updates to the Guide to the GDPR

We have made further updates to our Guide to the GDPR. As well as detailed guidance on legitimate interests, we have also expanded the pages on Data Protection Impact Assessments (DPIAs), data protection officers, the right to be informed, the right to erasure, the right to rectification and the right to restrict processing.

Guide to Law Enforcement Processing

Our Guide to Law Enforcement Processing has been published and highlights the key requirements of Part 3 of the Data Protection Bill. It replaces the Frequently Asked Questions for Law Enforcement Processing. It is important to note that this is a living document and may change to reflect any changes to the Bill as it makes its way through Parliament. It also includes links to further guidance from the ICO and other relevant reading.

Lawful basis tool published

We have produced a lawful basis interactive guidance tool to give tailored guidance on which lawful basis is likely to be most appropriate for your processing activities. It will give an indicative rating for each lawful basis based on your answers to key questions, with advice on suggested actions and links to relevant guidance content.

Data protection self-assessment toolkit for SMEs revamped

Our SME data protection self-assessment toolkit has been revamped in line with the GDPR. Use our toolkit to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. The toolkit covers your obligations as a controller or processor, as well as information security, direct marketing, records management, data sharing, requests for personal data and CCTV.

Elizabeth Denham submits evidence to the DCMS Select Committee  

The Information Commissioner appeared before the Digital, Culture, Media and Sport Committee on 6 March to give evidence on fake news. Read the transcript of the Commissioner’s evidence on the House of Commons website, and watch footage on Parliament.tv.

Information Commissioner speaks at the Alan Turing Institute

Ms Denham spoke at the Alan Turing Institute on 23 March as part of its event 'The GDPR and Beyond: Privacy, Transparency and the Law'. The Commissioner’s speech looked at how developments in Artificial Intelligence (AI) must take privacy into account.

Commissioner delivers annual lectures

The Commissioner also delivered two annual lectures last month. She gave the CRISP (Centre for Research into Information, Surveillance and Privacy) annual lecture at the University of Edinburgh on 14 March, speaking about the many roles she must play as UK Information Commissioner and setting out the challenges and opportunities ahead. On 22 March, she delivered the annual Jenkinson Lecture at University College London, where she discussed Freedom of Information, sustainable governance and openness in the digital age.


In your sector


Making data protection your business

We have launched a GDPR awareness campaign aimed at people running micro-businesses – those employing fewer than 10 people. Resources include a self-assessment tool to determine whether the new law applies to you and eight practical steps for micro-business owners and sole traders.


Making or selling Internet of Things (IoT) devices? Six reasons you need to be thinking about data protection

Demand for IoT devices, such as connected toys, smart watches and smart appliances, is booming. In his recent blog, the ICO’s Technology Group Manager Peter Brown outlined six data protection points manufacturers and retailers need to consider to ensure they remain compliant with the law.

Events, webinars and podcasts

Data Protection Practitioners’ Conference 2018

The ICO’s 11th Data Protection Practitioners’ Conference took place at Manchester Central on 9 April, featuring contributions from ICO staff as well as external experts. You can view recordings of all the auditorium sessions on our website.

Dr. Nigel Houlden, ICO Head of Technology Policy, also discussed the ICO's Technology Strategy with conference host, journalist and broadcaster Kate Bevan. Click here to watch the interview on YouTube.

The ICO Podcast

The second episode of the newly-launched ICO podcast is all about Data Protection Impact Assessments (DPIAs). It will answer questions such as when to do a DPIA and what it should contain. The podcast will be available on the ICO website on Monday 16 April, and you can still listen to the first episode which busted a series of GDPR myths.
Enforcement action

Royal Mail fined £12,000 after sending more than 300,000 nuisance emails

Over two dates in July 2017, Royal Mail sent emails to 327,014 people who had already opted out of receiving direct marketing. The company claimed the emails were a service rather than marketing, but the Commissioner found that the emails sent constituted marketing and not simply a service message.

Warning to police staff as force fined £130,000

Humberside Police has been fined £130,000 after disks containing a video interview of an alleged rape victim went missing.

Steve Eckersley, ICO Head of Enforcement, said: "Anyone working in a police force has a duty to stop and think whenever they handle personal details – making sure they are using the most appropriate method for transferring information and considering the consequences of it being lost before going ahead. Staff training in this area is vital."

ICO raids addresses in Scotland and Greater Manchester

Enforcement officers raided business premises in Clydebank, near Glasgow, as part of an investigation into a company suspected of making over 200 million illegal nuisance calls. Some calls potentially put lives at risk, as they were made to National Rail’s Banavie Control Centre and jammed lines meant for drivers and pedestrians calling to check the status of unmanned level crossings.

In a separate case, officers searched two addresses in Greater Manchester. The companies involved are believed to be responsible for sending over 11 million nuisance text messages between January 2017 and January 2018, resulting in over 3,000 separate complaints to the ICO.

Former housing worker convicted by jury of data protection offences

A former housing worker who shared a confidential report identifying a potential vulnerable victim has been convicted of data protection offences by a jury. Paul Shepherd, 47, of Belswain Lane, Hemel Hempstead, denied three counts of unlawfully disclosing personal data in breach of section 55 of the Data Protection Act 1998, but was convicted following a week-long trial at St Albans Crown Court. He was fined £200 on each count and was also ordered to pay £3,500 costs.

Nuisance calls and messages report

We received 7,387 nuisance marketing concerns in February – a decrease of approximately 4% compared with the previous month.Read our February trends report, including figures on live calls and spam emails, on our website.



Previous e-newsletters can be viewed on the ICO website.

Further information

For more information about the ICO, subscribe to our e-newsletter atwww.ico.org.uk. The ICO is also on TwitterFacebook and LinkedIn.

A list of our latest job vacancies can also be found at:http://www.ico.jobs/


Information Commissioner's Office 
Registered office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 

Unsubscribe from the ICO e-newsletter