Category Archives: Data Compliance

What does Brexit Mean for GDPR?

Britain has voted to leave the EU, and at this stage it seems that Parliament is going to honour the results and take us out of the EU. So what does this mean for data protection?

I don’t think there has ever been such uncertainty, confusion, difficulty and high risk over data compliance.  So I thought this might help clarify what Brexit is likely to mean in relation to the UK’s data protection legislation.

  1. If Article 50 is invoked in or after October 2016 (as suggested by David Cameron this morning) it will take at least two years and four months for the UK to leave the EU. And, given the complexities of the exit negotiations involved, it may well take longer than that.
  2. EU law will continue to apply until the moment the UK actually leaves the EU, which means that, for a minimum of 5 months, UK organisations – even those which do not process data in Europe – will be required to comply with GDPR. 
  3. If Britain leaves the EU and remains a part of the EEA (like countries such as Switzerland, Norway, Iceland and Liechtenstein), it will be required to comply with GDPR.
  4. If Britain does not want to be part of the EEA, once it has left the EU it will NOT be required to comply with GDPR.
  5. However, if the UK wants to trade equally with the EU (to quote the Information Commissioner’s Office) “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”  To achieve this end, the ICO has already stated its intention to speak to the UK government to explain that reform of the UK law remains necessary: “Having clear laws with safeguards in place is more important than ever given the growing digital economy.”

Although it’s too early to know exactly what will happen to UK Data Protection law, what is quite clear is that all UK businesses need to continue making preparations for GDPR compliance.  An excellent starting place is to ensure that you understand and comply with current legislation right now.  I’d suggest the following process:


If you have any questions about data protection governance, compliance or security and would like a no-strings chat, please don’t hesitate to call on 0203 815 8003 or email dc@datacompliant.co.uk.

GDPR is here – Data Protection is Changing

The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Alzheimer’s Society and VTech. Under GDPR, these, and all other organisations, will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction, then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.


It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant

Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

EU DPA Regulation – 7 Key Changes


A good balance between business needs and individual rights

Talks on ensuring a high level of data protection across the EU are now complete, and draft text was agreed on Wednesday 16th December 2015.  Marketers are delighted with the “strong compromise” agreed by Parliament and Council negotiators in their last round of talks.

The draft regulation aims to give individuals control over their private data, while also creating clarity and legal certainty for businesses to spur competition in the digital market.  Back in September Angela Merkel appealed to the European parliament to take a business view rather than simply look at the Regulation from a data protection perspective  lest the legislation hold back economic growth in Europe.  At the same time she described data as the “raw material” of the future and expressed her belief that it is fundamental to the digital single market.

The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned.

EU DPA Regulation – 7 Key Changes

  1. 4% Fines:  The Council had called for fines of up to two percent of global turnover, while the Parliament’s version would have increased that to five percent.  In apparent compromise, the figure has been set at four percent, which for global companies could amount to millions.
  2. Data Protection Officers (DPOs):  Companies will have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.  These do not have to be internal or full-time.
  3. Consent:  to marketers’ relief, consent will now have to be ‘unambiguous’ rather than the originally proposed ‘explicit’, which provides a more business-friendly approach to the legislation. In essence this means that direct mail and telephone marketing can still be conducted on an opt-out basis.  Nonetheless, businesses will be obliged to ensure that consumers give their consent by a clear and affirmative action to the use of their data for a specific purpose.
  4. Definition of Personal Data – the definition has been expanded, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  5. Online identifiers – whether cookies and ISPs are personal data has been the subject of discussion for some months.  James Milligan of the DMA has expressed the view that a compromise has been reached: “Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.  This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.”
  6. Profiling – Profiling has now been included under the term ‘automated decision making’.  Individuals have the right not to be subject to the results of automated decision making, so they can opt out of profiling. It will be necessary to implement tick-boxes or similar mechanisms to secure the data subject’s positive indication of consent to specific processing activities related to Profiling.
  7. Parental consent – Member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.


Next Steps

The provisional agreements on the package will be put to a confirmation vote in the Civil Liberties Committee today (Thursday 17 December) at 9.30 in Strasbourg.

If the deal is approved in committee it will then be put to a vote by Parliament as a whole in the new year, after which member states will have two years to transpose the provisions of the directive into their national laws. The regulation, which will apply directly in all member states, will also take effect after two years.

Written by Michelle Evans, Compliance Director at Data Compliant Ltd.

If you would like further advice on how the EU Regulation will affect your business, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk


Safe Harbor Framework ruled “Inadequate”


What was Safe Harbour?

The Safe Harbour Framework was a cross border transfer mechanism which complied with EU data protection laws and allowed the transfer of personal data between the EU and the USA.  More details on how Safe Harbour worked can be found here.

Why was the Safe Harbour Framework invalidated?

After the recent Facebook case ruling, on 6th October, the Court of Justice of the European Union (CJEU) judged that “US Companies do not afford an adequate level of protection of personal data” and therefore the Safe Harbour Framework is now invalid.

The CJEU indicated that US legislation authorises on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S. without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbour Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU.  You can read the European Court of Justice Press Release here.

There have been concerns about the Safe Harbour Framework for some time and the European Commission and the US authorities have been negotiating with a view to introducing an arrangement providing greater protection of privacy to replace the existing agreement.

How can I now transfer my data to US?

Organisations that have been using Safe Harbour will now have to review how they transfer personal data to the US and come up with alternative solutions.  However, it is worth noting that the Information Commissioner’s Office has recognised that this process will take some time.  And James Milligan at the DMA states that data already transferred to US-based companies under Safe Harbour will be unaffected.

In the meantime multi-national companies transferring data to their affiliates can look at using Binding Corporate Rules which allow the transfer of data from the EEA to be in compliance with the 8th data protection principle.

Another legal method of transferring personal data to the US is to use the Model Contract Clauses produced by the EU for transfers of personal information outside the EU.

Michelle Evans, Compliance Director at Data Compliant Ltd.

If you are planning to transfer data between the EU and the US, and would like help on how to do so in the light of this new ruling, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk

Charities … data protection … reputation

The ongoing stories in the press are hurting charities who are being seen to be treating decent people – particularly vulnerable people – monstrously unfairly.  The press and media are giving consumers an ever clearer perception of the charity sector as being irresponsible, uncaring and aggressive  in their treatment of donors.  And it does the data industry no favours at all.


CCTV Data Protection Guidelines from ICO

Clearly, surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest, and to keep detailed records of people’s activities for both social (eg schooling, benefits eligibility) and political (eg terrorist) reasons.

There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.

The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.

There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:

  • Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
  • Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative ways of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
  • Privacy by design – for example, the ability to turn the recording device (audio and / or sound) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; the use of devices with vision restricted purely to achieve the purpose

The new technology specifically covered in the guide includes:

Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);

Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);

Unmanned Aerial Systems (drones) are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are: privacy intrusions where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; and the fact that the whole system of data collection, storage, accessibility, retention periods and disposal requires compliance.

Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.

If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


Surveillance Camera Code of Practice – 12 Principles

Do you use a surveillance camera system within your organisation?  If so, it’s worth noting that, as well as complying with the Data Protection Act and its 8 Principles, your system should follow the Surveillance Camera Code of Practice, which provides its own 12 guiding principles:

  1. Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need.
  2. Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  3. Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  4. Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  5. Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  6. Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  7. Access: Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes.
  8. Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards.
  9. Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  10. Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice.  Regular reports are to be published.
  11. Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  12. Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


Data Privacy and the Internet of Things

Earlier this month (August 2014) Ofcom announced that UK adults spend an average of eight hours and 41 minutes a day on media devices – which compares with an average night’s sleep of eight hours and 21 minutes …

I have to admit to being something of a science fiction fan and it seems to me that our own world has some interesting parallels with that created by E M Forster in his short novel, The Machine Stops.

The setting is a world where humans live in isolation in underground cells, and where everything is provided by the global “Machine” – music, art, literature, conversation, education, knowledge, interaction with other humans, food, religion, medicine – truly everything that humankind allegedly requires. In Forster’s world, travel is available, but unpopular and treated with suspicion. The physically strong are culled at birth. The weak survive.  When the Machine breaks down, the humans – its subjects – perish, leaving the only hope for the human race with those who had previously escaped the underground world and made their way to the surface to live outside the Machine’s jurisdiction.

In our own world, we have the internet, social media, online music, art, and the ability to educate, work and communicate, both personally and in business, from a distance.

And, of course, we have the Internet of Things, which is currently generating a great deal of interest and discussion, and which brings us ever closer to Forster’s world.

What is the Internet of Things?

The answer lies in the name, though it’s worth mentioning that “Things” include people.

In a nutshell, we are living in a world where broadband is a ubiquitous fact of life, technology is moving faster and faster – and becoming less and less expensive – and more and more devices are being created with wifi capability and sensors: from smartphones to fridges, remote household heating systems to tumble-dryers, razors to kettles, and TVs to wearable devices.

According to Gartner (a Connecticut-based IT research and advisory company) by 2020 there will be over 26 billion connected devices.  With an assumed 8 billion people on the planet in the same year, that’s an average of over 3 ¼ ‘smart’ devices per man, woman and child!

For example, LG has developed a fridge that has a camera which allows owners to see what food is inside.  It scans items as they’re added, tracks expiry dates and recommends recipes based on the food available. The owner can also programme Body Mass Index (BMI) and weight loss targets.  Using smart TV and voice recognition technology, the fridge can see who is opening the door, recommend a recipe … and even in future turn on the oven to the right temperature if you choose that recipe!

It’s intended that this fridge will link with online food shopping services so that it can restock itself when supplies run low.  The fridge’s data will all be accessible to the owner via smartphone, tablet or PC, so the owner can stay in control. (If you like the idea, the fridge is scheduled to be on sale in the UK later this year for around £2,000.)

RFID Tags and Security Issues

There is no doubt that the opportunity for automated household management may be appealing and is possibly unavoidable in the future.   And there are many other potential uses too, including tracking wildlife, chipping pets (and even humans), providing access to a person’s medical records, and monitoring our medical conditions to notify us of drugs and dosages to be taken.  We already have RFID technology in our passports, our travel passes, even our clothes (though primarily for stock control reasons rather than intended tracking).

But privacy is a real concern.  Given the sensitivity of some of the data to be collected, it is alarming to read that the default security settings on these devices are often very weak, making it straightforward for hackers to break into devices.  This has been amply demonstrated already:

‘Smart’ Devices Send out Spam emails …

Between December 23rd 2013 and January 6th 2014, about 750,000 spam messages were sent out by smart gadgets.  The malware involved was able to install itself on a range of kitchen appliances, home media systems and web-connected televisions.  It was able to do so because the gadgets had not been set up securely, used default passwords, and the owners were unaware of the potential for security issues – if they even knew the devices carried RFID tags.

Privacy and Security

Businesses must be mindful of the consumer’s privacy and security when they develop products that can gather and share data about what they, their owners, and other, linked “smart” products do.  This new technology will be collecting private, and sometimes deeply personal and sensitive, data about the owners who may be wearing the technology or installing it in their homes.

Currently it seems that companies are storing data from these smart devices onto the cloud, without necessarily informing the consumer or giving them a choice.  Even with the antiquated Data Protection legislation currently in place, if such data would allow individuals associated with that data to be personally identified, that must be a breach of the DPA.

There’s no doubt that becoming compliant and secure in the RFID environment will be much simpler for businesses if they start the process at the very beginning of the technological developments.  They would also be well advised to make their compliance and security solutions scalable to avoid significant problems in the future.

The EU Directive on the Protection of Personal Data states that a person must freely give specific consent and be informed before their personal information is processed.  EU Member States are required to ensure confidentiality of communications by prohibiting unlawful interception and surveillance of personal information unless consent has been provided.

This suggests that using RFID chips raises serious privacy implications.  To remain compliant with EU data protection legislation, organisations should make it absolutely clear:

  • That the merchandise includes RFID tags
  • Whether the user’s data will be collected and stored by the organisation
  • What data will be collected
  • How the data will be used


EU RFID Technical Standards

At the end of July, the European Commission put out a series of recommendations to protect consumers from privacy risks associated with RFID chips.  Viviane Reding, former EU Commissioner, said: “While smart chips working with RFID technology can make businesses more efficient and better organised, I am convinced they will only be welcomed in Europe if they are used by the consumers and not on the consumers. No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice of removing or switching it off at any time. The ‘Internet of Things’ will only work if it is accepted by the people.”

Privacy Impact Assessments

While the sentiment is admirable, it has, until now, been difficult to see quite how it is enforceable.  A good starting point, however, is that an RFID Privacy Impact Assessment has been agreed, which should ensure data protection within current EU privacy regulations.


RFID Logo

In the meantime, the European Commission’s new RFID logo has been developed for items that include RFID tags so that individuals will know that they are carrying items that can be tracked – eg Oyster cards, fashion items, wearable technology and so on.   Unfortunately the scheme is voluntary, which means that businesses are not obliged to use the logos.

The Future

RFID items are increasingly widespread and popular – the technology is cheap and efficient, retailers find it enormously helpful from a stock control perspective, consumers find it useful.  It will be fascinating to see how the development of RFID products impacts on our lives, our privacy and our security.  Perhaps we’re not so very far away from the world envisioned by EM Forster back in 1909 – long before the internet and all its trimmings were in place.

As Shakespeare so tellingly put it:  “O brave new world that has such people in’t”

Big Data and the Data Protection Act

Big data is a big issue for organisations across the world.  Businesses, governments, health organisations, analysts and scientists are all looking at the opportunities to be gained from using big data.

Another big issue is the matter of individuals’ privacy and data protection. The EU data protection principles are already established throughout the member states, and in the UK we have the Data Protection Act, which is regulated and enforced by the ICO.

So what is big data?

I first wrote about big data in 2012.  Analyst Doug Laney described it as being three-dimensional – a combination of volume, velocity and variety.

It probably began when customers started shopping over the internet.  Businesses started to save and analyse data from clicks, searches, registrations, purchases and so on. Then came social networks where individuals post personal and business information about themselves, hold conversations with their friends, family and colleagues, post updates and opinions, store their photographs and music and films and videos in the cloud…

This technology is continuing to develop at speed, while big data analysis and algorithms are becoming ever more sophisticated.  As a result, big data’s relationship with data protection and privacy regulations is becoming a serious and significant issue.

Big Data and the Data Protection Act

Of course, not all big data actually uses personal information.  For example, researchers analysing data from particle physics experiments at CERN’s Large Hadron Collider sift through approximately 16 million gigabytes of data every year.  This is hardly a serious threat to individuals’ privacy.

On the other hand, businesses using data from social media, in combination with sales transactions and loyalty cards, do indeed use personal data, and in this case the Data Protection Act (DPA) comes into force to protect the individual.

Regardless of whether or not we think the DPA is adequate to protect individuals against organisations working with data, it is the only legislation we have.  And the ICO has just produced a report suggesting a number of areas where organisations must be mindful of their big data regulatory responsibilities:

  1. Fair processing: Where big data is used to make decisions affecting individuals, a key requirement is that such processing – including the initial collection of that individual’s data – is fair and transparent.  A clear explanation of why the data is being collected (the Purpose) and, where necessary, consent of the individual to that purpose is a key element in the compliant use of such data.
  2. Consent: any consent must be ‘freely given, specific and informed’.  People must be able to understand how their data is to be used, and there must be a clear indication that they have consented to such use. If an organisation is relying on consent as a condition for processing big data, it is important that the data subjects have a clear choice and are able to withdraw their consent if they wish. Otherwise, the consent does not meet the requirements of the DPA.
  3. Repurposing: where data has been collected for one reason, and is now being used for a completely different purpose, then the organisation needs to make its users or customers aware of this – most particularly if the data is being used for a purpose that the individual could not reasonably have expected at the time the data was initially collected.  In this case, where consent is relied on, consent is required.
  4. Excessive, relevant data: using all the available data for analysis might be expected to contravene Principle 3 of the data protection act which states that data must be adequate, relevant and not excessive.  An organisation must be clear from the outset what they expect to learn or do by processing all the data.  They must also be in a position, if necessary, to demonstrate how they have satisfied themselves that the data they are using from perhaps a multiplicity of sources is relevant and not excessive.
  5. Security: organisations using personal data should always be mindful of security and the potential for data security breaches.  The use of big data is no different in this respect – but the number of new datasets that may be acquired in combination with the existing data used may make the security issues a little more widespread, and will require robust risk assessment and risk management policies and procedures.
  6. Anonymisation: if data is correctly anonymised it will no longer be considered personal data and will therefore not be subject to the DPA.  However, when using the multiple data sources associated with big data analytics, genuine anonymisation can be difficult to achieve, and the ICO advises organisations to carry out a robust assessment of the risk of re-identification, and to provide solutions proportionate to that risk.
  7. Privacy Impact Assessment (PIA): a PIA is an important part of being compliant as it helps gain an understanding of how the processing will affect the individuals concerned.  For example, there is a difference between using personal data to identify general trends, and using it to make decisions that affect those individuals.
  8. Long-term use: using big data for analytics does not waive the requirement that data should be kept only for the period required for the stated business purposes.  If a business wants to hold the data for long-term use, the reasons must be articulated and justified.
  9. Subject access: don’t forget that people can request to see the data you are processing about them.  When using big data, systems can become complex and unwieldy making such requests difficult, time-consuming or expensive to fulfil.  Keeping the system simple will obviously benefit the organisation.
  10. Third parties: if data has been purchased from a third party in order to run its big data analytics, the purchaser becomes the data controller for the purchased data.  It is now responsible for ensuring it has met the DPA’s conditions for further use of that data, and, if it is relying on the original consent obtained by the supplier, then the purchaser must ensure that this is adequate to cover its further processing requirements.

In summary

When using big data, always make sure you comply with the DPA.

Don’t be secretive, deceptive or misleading.  Make sure you obtain appropriate consents as required.  Explain clearly what you’re doing with big data to your users, your customers and those from whom you’re collecting data.  And make sure the information is utterly transparent.  It’s also worth being creative about how you tell them what you’re doing, by finding, describing and providing visible benefits that they will appreciate.

If you have any compliance or security questions on your own use of big data, please contact victoria@datacompliant.co.uk or call 01787 277742. Data Compliant offers the following services:
