Protecting Data, Rights and Responsibilities
Introduction
The aim of the report is to inform readers about both the Data Protection Act 1998 (DPA) and the European General Data Protection Regulations (GDPR). In addition, the report aims to inform readers about the key changes in terms of data privacy and responsibilities that the Data Protection Bill will enact. This report will also advise how businesses can prepare for compliance with the new data protection laws that are set to come into force. To achieve these aims, the report will inform readers of past cases of data protection breaches. This report will inform readers about how businesses can prepare for compliance with GDPR and the new DPA that is currently in the process of being passed. This aim will be achieved by writing a proposal based on how businesses can avoid repeating the mistakes that will be examined in this report.
The processing and storage of personal data within the UK is currently governed by the DPA 1998. However, the UK government has recently proposed the Data Protection Bill. The aim of the Bill is to repeal elements of the existing DPA 1998 and incorporate the GDPR, which is due to come into effect on the 25th May 2018. The new regulations bring about significant changes and protection whilst enforcing greater responsibility and accountability on those involved in the storage and processing of personal and potentially sensitive data.
The reason for researching this topic is that technology is being used more and more in the workplace and in society. In addition, more data is being stored online, although hard copies are still used, so laws relating to technology in general and storing data have to be updated. In this case, data protection laws need to be updated as new technology provides new ways of storing data. For example, the DPA 1998 would be unlikely to cover cloud computing, but GDPR is likely to cover cloud computing. This report will also cover cloud computing as this report is primarily about the DPA and the GDPR.
GDPR versus DPA
The DPA ensures personal data is protected. According to Heathcote and Langfield (2004) the DPA provides rights for individuals and demands good information handling practice. Bott (2014) outlined eight principles of the DPA. The first principle is that fair and lawful processing must be undertaken. Data must be obtained fairly and lawfully in the first instance. Processing for limited purposes is another principle, where data must be processed for notified purposes. With sensitive data, explicit consent is required. Data must be adequate, relevant and not excessive; therefore, only the required data should be collected. Accurate and up-to-date information is another principle, which can be difficult to enforce, but is useful to businesses. Data shouldn’t be kept longer than necessary. For example, there is an obligation to keep financial data for at least 7 years under a self-assessment tax regime. Data must be processed in accordance with data subjects’ rights. Personal data must not be processed if the data controller has not complied with data subjects’ rights regarding personal data access. Data must be secure from unauthorised access, which can be done with passwords and ensuring only suitable staff can access personal data. Data must not be transferred to countries without adequate protection for data subjects. These principles will remain the case under GDPR, albeit more rigorous.
GDPR is a regulation aiming to strengthen and unify data protection for European Union (EU) countries. GDPR has six principles, similar to DPA’s eight principles. GDPR’s first principle is personal data must be processed fairly and lawfully in a transparent manner in relation to data subjects. This is the first principle of DPA. The second principle is personal details are only collected for specified, explicit and legitimate purposes and not further processed for other purposes. The third principle is data must be adequate, relevant and limited to what is necessary in relation to the purposes of processing. Like DPA, GDPR’s principle ensures accurate and where necessary, updated data. The fifth principle of GDPR is data must be kept in a form that permits identification of data subjects for no longer than is necessary for purposes for which the personal data is processed. The sixth principle of GDPR is data must be processed in a way ensuring appropriate security of personal data. This will include protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
According to Murray (2013) one of the aims of GDPR is harmonising and extending data protection rights in a number of areas. GDPR aims to introduce a right to be forgotten. This aims to help people better manage their data protection risks online. When someone doesn’t need or want their data to be retained, they can apply for erasure. There are arguments for and against this particular law. Arguments in favour are the rules would be more efficient, new technology and freedom of speech. Arguments against are that it is up to individuals to take responsibility for data they upload, the so-called right to be forgotten may not be realistic and the cost of implementing the rules would have detrimental impact on SMEs (Debating Europe, 2017). De Hert and Papakonstantinou (2012) suggested GDPR is a sound system. GDPR replaces Directive 95/46/EC. This directive is the basic EU data protection instrument incorporating the regulatory model and guiding principles that over the years denote the EU data protection approach. This is redundant so the GDPR is effectively an update on the existing approach.
According to Bainbridge (2008) the DPA 1998 applies to the UK and extends to Northern Ireland. Bainbridge mentioned how DPA is applied when foreign companies operate in the UK. Bainbridge gave an example where an Australian company uses the services of a computer bureau situated in Scotland and uses equipment situated there; it will be subject to the UK DPA. That company must appoint a UK representative. In this case, the Scottish company would be the representative. The Australian company must notify the Information Commissioner regarding processing activity carried out in Scotland. This will remain the case when GDPR is introduced.
The DPA is enforced by the Information Commissioner’s Office (ICO). The ICO enforces penalties when DPA is breached. Section 40, sub-section 1 of the DPA, stated if the Commissioner is satisfied that a data controller contravenes data protection principles, the Commissioner may give the data controller a notice requiring them, for complying with the principle or principles in question, to either take within such time as may be outlined in the notice or refrain from processing any personal data, or any personal data of a description specified in the notice, or refrain from processing them for a purpose specified or in a manner specified, after such time as may be specified (Great Britain. DPA 1998). The ICO can prosecute organisations, including prison sentences. The ICO can audit government departments without consent from the department under audit (IT Governance, 2017). Under GDPR, controllers must inform and remind users of their rights and document the fact that they have reminded them of those rights. In addition, under GDPR, users should not have to opt-out of their data being used and they must opt-in to systems.
Whenever the ICO finds organisations breaching DPA, the ICO can issue fines of up to £500,000 for serious breaches. Under GDPR, financial penalties will rise dramatically. The penalty for breaching GDPR can be as high as £20 million or 4% of annual global turnover, whichever is higher (IT Governance, 2017). The threat of insolvency or closure as a result of GDPR is real. Under the 1995 EU Data Protection Directive, users can see their collected data through subject access requests. Data controllers have to supply information, controlled by each country. In the UK’s case, 40 days is allowed. Under GDPR, 20 days will be allowed.
Under GDPR, users can request their data be erased permanently. This is through the debated right to be forgotten. The proposal for the GDPR caused a wide debate between lawyers and legal scholars. Many opinions were voiced on the issue. One particular issue surrounded the concept of the right to be forgotten (Mantelero, 2013). The argument against is that once something has been published on the Internet, it can be cached, archived, reposted and replicated everywhere online. Those against GDPR pose two points: one being where privacy becomes censorship, and the other being that there must be a balance between the right to be forgotten and everyone else’s right to remember individuals (Debating Europe, 2017).
Under DPA, data subjects can make compensation claims for damage caused if their personal data is inaccurate, lost or disclosed. This is difficult to achieve. Users will still be able to make compensation claims under GDPR in the instance of data loss resulting from unlawful processing, providing that individuals can provide evidence of their distress. This also includes group action, which isn’t stated in the DPA. Under DPA, ICO can’t prosecute unlawful processing. Under DPA, it is already prohibited to transfer personal data outside the European Economic Area (EEA) unless the controller assures an adequate level of privacy protection and meets the adequacy requirement. Under GDPR, the rules will be tightened.
Data Privacy and the Data Protection Bill
One of the key changes in terms of data privacy is that the Data Processor can hide behind the Data Controller whenever a breach takes place under DPA. Under GDPR, the Data Processor and the Data Controller will both be just as liable. Another key change is that under DPA, organisations don’t have to report data breaches to the ICO, but must do so once GDPR comes into force. GDPR is more stringent than the 1995 directive in the area of data privacy. Data controllers will have to meet reasonable expectations of data subjects regarding their data privacy.
Although data privacy is a good practice requirement, GDPR makes data privacy a legal obligation through privacy by design and default. It means businesses have to take privacy into account throughout the whole lifecycle of businesses minimising privacy risks whilst avoiding infringement of data protection rules. It only covers personal information (BT, 2017). There were however, concerns over privacy and applying GDPR as civil liberties campaigner, Privacy International, were quick to raise the issue that its response to the Data Protection Bill mirroring GDPR are unnecessarily complex according to Hall and Hill (2017).
A new bill is being proposed. It is called the Data Protection Bill. According to Gov.uk (2017) the Data Protection Bill aims to make UK data protection laws fit for the digital age and to support businesses and organisations through the changes. Gov.uk stated in their overview factsheet that the government planned to do this by replacing the DPA 1998 with a new law thereby, providing a comprehensive and modern framework for data protections and set stronger sanctions for malpractice. The Data Protection Bill is not limited solely to UK GDPR provisions (ICO, 2017). Kerpan (2017) however, stated the proposed Data Protection Bill intends to make it simpler for users to withdraw consent for personal data use and expand the definition of personal data to include IP addresses, internet cookies and DNA. In the case of data privacy, the Bill promotes data privacy from the start. One example of privacy by design used is by introducing GDPR (ICO, 2017). It will however, remain up to the companies to document compliance as described in GDPR’s article 25.
According to Hancock (2017) it was a generation since the UK government last updated data protection laws. However, an organisation whose framework is compliant with existing data protection laws is in a good position to take the step of being compliant with the updated data protection laws. As good as the DPA/Bill sounds, some improvements could be made. Improvements to the Data Protection Bill were recommended by Privacy International. They didn’t mean to get rid of it. Neal (2017) stated the government made little attempt to reconsider and restrict conditions for collection and use of personal information such as political opinions. Neal added that safeguards are needed against decisions made by a system independent of human intervention. Regarding data privacy and GDPR, BioID teamed up with Microsoft and Deutsche Telekom aiming to improve data privacy, which is necessary for BioID customers, who must be ready for GDPR. BioID took the initiative regarding privacy for online service providers. Organisations are gearing up for GDPR, because they may already know the financial penalties if they breach GDPR. Articles 12, 13 and 14 mention data privacy in GDPR, and are more detailed than in DPA. Privacy is more accessible and understandable (ICO, 2017). EY (2017) stated that data privacy is one of the major requirements in preparing for GDPR.
Compliance Preparation
Businesses can prepare for the GDPR law that is due to come into force in a number of ways. They include a wide range of products to help organisations meet the requirements of the DPA and GDPR. They include the Certified EU GDPR Foundation training course, offering an introduction to GDPR and providing practical understanding of the implications and legal requirements of GDPR (IT Governance, 2017).
The ICO published a document stating how to prepare for when the GDPR comes into effect. The document suggests that businesses should make sure they have the correct procedures in place to detect, report and investigate data breaches. One of the areas in which the ICO suggests businesses can prepare for GDPR is data breaches. GDPR makes it obligatory for organisations to report data breaches to the ICO and in some cases to individuals. Companies have a responsibility to ensure that data of their employees and customers alike is kept safe and secure within the constraints of data protection law. According to Hall (2017) employers are responsible for granting their staff the right to access information their employer has on them whilst ensuring that staff are compliant in their day-to-day work. Employers are also obliged to monitor telephone calls, emails and CCTV wherever necessary.
There have been examples of breaches of the DPA over the years. One example was an incident when the government agency called the DVLA broke data protection rules when it was claimed that confidential documents were sent to the wrong motorists (BBC, 2007). In this case, principle 2 was breached. Under GDPR, principle 2 would be breached. In addition, under article 30 of GDPR, DVLA would have failed to have an effective way of assessing technical and organisational security controls. Government agencies should be setting an example for other organisations as it is governments that have to bring in the new DPA, mirroring GDPR.
Another example of a breach of the DPA 1998 was a data breach at HMRC in 2007. This incident came about when two disks owned by HMRC, containing data relating to child benefit, went missing. The two CDs had data regarding 25 million child benefit recipients (BBC, 2007). Kamath (2008) suggested the government promised changes to how data secured across HMRC was considered inadequate. Principle 7 of the DPA 1998 was breached. HMRC failed to adequately secure data and prevent damage to the data. Under GDPR, principle 6 would be breached. Encryption will also be a standard requirement. Kerpan mentioned organisations like HMRC should prepare with security and plan for data breaches. Hopping, Millman and Curtis (2017) discuss that councils are not adequately prepared for GDPR. They haven’t allocated money to deal with implementation. Government agencies need to allocate the necessary amount of money for GDPR or otherwise risk big fines. Other ways to comply with GDPR include agreeing approaches to risk assessment and conducting a risk assessment to see the areas where they already comply with GDPR and to address areas where they could be in breach (IT Governance, 2017).
Business Responsibilities in Data Breaches
The new DPA will mirror GDPR. Should a data breach under the new Data Protection Bill take place, businesses will be legally responsible for compliance with both GDPR and the Data Protection Bill that mirrors it. In addition, data processors are legally obliged to notify the data controller of a data breach (IT Governance, 2017). All breaches must be reported with no exemptions and without undue delay. The data controller must explain why they failed to report data breaches (IT Governance, 2017).
Should a data breach under the new Data Protection Bill take place, businesses will have ethical responsibilities. Smith (2017) argues that GDPR promotes ethical use of data among businesses. It forces them to follow a strict code of ethics of holding information. Cecconi (2017) counters the promotion of ethical use of data by saying GDPR is likely to only go after the worst offenders, which could help the most in educating the public. Cecconi added that the real problem is not GDPR but businesses accepting responsibility for their ethical choices regarding management of personal data and their consequences. Neither source considered the ethical responsibilities of business in a data breach. Martin (2017) argues that organisations will be ethically responsible for retaining customer trust by keeping data safe as organisations can flout data protection laws. One example Martin referred to was when 11 charities were fined for misusing donors’ data. GDPR will only get tougher. Van Driel (2016) suggests customer relationships cannot be built by doing something contrary to an organisation’s mission statement. Businesses are responsible for transparency regarding data protection to customers.
Should a data breach under the new Data Protection Bill take place, businesses will be professionally responsible for training staff members involved in data processing, a key part of GDPR compliance. This could be delivered through a treatment plan (Thorntons Law, 2017). This approach to an extent is questionable as organisations should inform employees about any law. Professionals should be concerned with GDPR’s Article 38, which involves monitoring Codes of Conduct. Article 38 requires professionals to ensure the data protection officer (DPO) is involved in data protection. Under GDPR, the data controller and processor will have to provide the DPO with resources necessary to comply with GDPR (Privacy-Regulation, 2017). In addition, organisations must notify breaches. According to the BCS (2017) the notification must describe the nature of the breach, which must be clear and plain. ICO recommends considering four important elements to any breach management plan. They are containment and recovery, assessing the ongoing risks, notification of a breach and evaluation and response from organisations (ICO, 2012). Under GDPR, all organisations must notify ICO of certain types of data breach where it is likely that individual rights are in jeopardy. Employers could appoint a dedicated data privacy team to deliver appropriate organisational and technical measures. This will require specialist knowledge. In addition, board management and staff need continual access to such knowledge (IT Governance, 2016).
Where are we now?
Since GDPR started to be enforced on the 25th May 2018, all companies that trade with the EU or have business based there have had to comply with the regulation. There are some however, who haven’t. According to Husain (2023) it has massively shaped how companies collect, store and process potentially sensitive data.
Data Breaches
There have also been issues in relation to GDPR since its enforcement. There have been data breaches since the 25th May 2018. One such was Instagram, which is owned by Meta (formerly known as Facebook). There was a long-running complaint related to how the social media platform handles children’s data, which is a particular focus of GDPR as children are less aware of the risks and the potential consequences of the processing of their personal data on their rights (Lievens and Verdoodt, 2018; Lomas, 2022).
Lievens and Verdoodt also came to the realisation that GDPR at the time of inception offered little clarity as to the actual implementation and impact of a number of provisions that could have significantly affected children and their rights, leading to legal uncertainty for data controllers, parents and children. According to Ainscough and O’Donoghue (2022) and Lomas, Instagram published email addresses and phone numbers when teenage users aged 13-17 were allowed to operate ‘business accounts’ on Instagram. According to Lopes, Ta and Korkontzelos (2023) Instagram isn’t the only company to not be fully compliant. The number of noncompliant apps is still significant among Android applications. Even the apps designed for children do not always comply with GDPR. This lack of compliance could contribute to creating a path to causing physical or mental harm to children. However, they didn’t mention Apple devices.
Right to be Forgotten – For Good Cause or Something Sinister?
Another issue in relation to GDPR relates to the right to be forgotten. Charities feared it would effectively ban automated scanning for child abuse images, including paedophiles. In this case, you could say the EU protects paedophiles. This is because GDPR would allow offenders to groom children without detection, and offenders accessing and abusing children offline would not be apprehended (Imossi, 2018).
The EU’s GDPR law comes into conflict with safeguarding principles that must be undertaken when working with children and vulnerable people. The term safeguarding is defined within the government’s guidance Working Together to Safeguard Children (2018) as protecting children from maltreatment, preventing the impairment of children's health or development, ensuring that children are growing up in circumstances consistent with the provision of safe and effective care and taking action to enable all children to have the best outcomes (Great Britain. Department for Education, 2018).
There are four types of abuse: physical; emotional; sexual; and neglect. For the sake of this article, we will focus on sexual abuse. Sexual abuse can involve forcing or enticing a child or young person to take part in sexual activities, whether or not the child is aware of what is happening, physical contact, including penetrative or non-penetrative acts, non-contact activities, such as involving children in looking at, or in the production of, sexually inappropriate images, pornographic material or watching sexual activities and Child sexual exploitation (CSE). CSE is a form of sexual abuse that involves the manipulation and/or coercion of young people under the age of 18 into sexual activity in exchange for things such as money, gifts, accommodation, affection or status.
Signs of sexual abuse in children range from trouble walking or sitting, knowledge or interest in sexual acts inappropriate to his or her age, not wanting to change clothes in front of others or participate in physical activities, having a Sexually Transmitted Infection (STI) or pregnancy, especially under the age of 14, and having injuries to the mouth, genital or anal areas (for example, bruising, swelling, sores, infection). You could say GDPR can pose a conflict between protecting data of legitimate individuals whom outside the EU want to protect and dodgy individuals like paedophiles whom the EU protects.
Conclusion
This report aimed to inform readers about both the DPA 1998 and the GDPR. In addition, the report also aimed to inform readers about the key changes in terms of data privacy and responsibilities that the Data Protection Bill will enact. This report also advised how businesses can prepare for compliance with the new data protection laws that are set to come into force. To achieve these aims, the report informed readers of past cases of data protection breaches. This report also informed readers about how businesses can prepare for compliance with GDPR and the new DPA that is currently in the process of being passed. This aim was also achieved by writing a proposal based on how businesses can avoid repeating the mistakes that were examined in this report.
The new DPA, coupled with the GDPR, can have many benefits, but there will still be problems with regards to keeping data about individuals safe. This is because there are new technologies that are evolving every day. In other words, governments need to keep up with updating the laws as new technologies emerge. Since GDPR’s enforcement, there have been issues in relation to data breaches and protecting potentially dodgy people. There is a fine balance there.
Reference List
Ainscough, S. O’Donoghue, C. (2022) ‘Irish DPC fines Instagram a record €405 million’ Technology Law Dispatch 8th September Available at: https://www.technologylawdispatch.com/2022/09/privacy-data-protection/irish-dpc-fines-instagram-a-record-e405-million/ (Date Accessed: 10/07/2023)
Bainbridge, D. I. (2008) Introduction to Information Technology Law Sixth Edition, Harlow Essex, Pearson Education Limited
BBC, (2007) http://news.bbc.co.uk/1/hi/wales/7132278.stm (Date Accessed: 29/09/2017)
BBC, (2007) http://news.bbc.co.uk/1/hi/7103911.stm (Date Accessed: 20/10/2017)
BBC, (2014) http://www.bbc.co.uk/news/technology-27394751 (Date Accessed: 26/10/2017)
BCS, (2017) http://www.bcs.org/upload/pdf/impact-of-gdpr.pdf (Date Accessed: 28/11/2017)
Bott, F. (2014) Professional Issues in Information Technology, Swindon: BCS Learning and Development Ltd
Breitbarth, P. (2019) ‘The impact of GDPR one year on,’ Network Security, 2019(7), pp.11-13.
Cecconi, G. (2017) ‘GDPR is distracting, let’s talk ethics instead’ Medium Available at: https://medium.com/mydata/gdpr-is-distracting-lets-talk-ethics-instead-a5dfb1a044f1 (Date Accessed: 28/11/2017)
Debating Europe, (2017) http://www.debatingeurope.eu/focus/infobox-arguments-for-and-against-eu-data-protection-rules/#.Wc4Bs1uPKUk (Date Accessed: 29/09/2017)
Drozd, A. (2017) ‘Your money or your data: 4 reasons to comply with GDPR’, The Law Society, 24 May. Available at: http://www.lawsociety.org.uk/news/blog/your-money-or-your-data-4-reasons-to-comply-with-gdpr/ (Date Accessed: 29/09/2017)
EY, (2017) http://www.ey.com/Publication/vwLUAssets/ey-gdpr-demanding-new-privacy-rights-and-obligations/$FILE/ey-gdpr-demanding-new-privacy-rights-and-obligations.pdf (Date Accessed: 15/12/2017)
Gov.uk, (2017) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644634/2017-09-13_Factsheet01_Bill_overview.pdf (Date Accessed: 12/10/2017)
Gov.uk, (2017) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644636/2017-09-12_Data_Protection_Bill_IA_final.pdf (Date Accessed: 12/10/2017)
Gov.uk, (2017) https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law (Date Accessed: 06/10/2017)
Great Britain. DPA 1998 (1998) London: The Stationery Office.
Great Britain. Department for Education (2018) Working Together to Safeguard Children. [Online]. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/942454/Working_together_to_safeguard_children_inter_agency_guidance.pd (Date Accessed: 10/07/2023)
Hall, J. (2017) The 8 principles of the DPA 1998: a summary for small businesses in the UK Available at: https://www.simplybusiness.co.uk/knowledge/articles/2010/04/2010-04-23-data-protection-key-responsibilities-for-small-businesses/ (Date Accessed: 04/10/2017)
Hall, K. Hill, R. (2017) ‘Concerns raised about privacy, GDPR as Lords peer over Data Protection Bill’ 10th October The Register Available at: https://www.theregister.co.uk/2017/10/11/fears_raised_over_privacy_and_gdpr_in_second_reading_of_the_data_protection_bill/ (Date Accessed: 16/11/2017)
Hancock, M. (2017) ‘How the UK's data laws will now be fit for the digital age’ 14th September Available at: http://www.cityam.com/271982/uks-data-laws-now-fit-digital-age (Date Accessed: 12/10/2017)
Heathcote, P.M. Langfield, S. (2004) A Level Computing 5th Edition. Oxford: Payne-Gallway Publishers Ltd
Hopping, C. Millman, R. Curtis, J. (2017) ‘General Data Protection Regulation (GDPR): 25% of employees storing data in public without permission’ IT Pro 11th July Available at: http://www.itpro.co.uk/data-protection/26365/general-data-protection-regulation-gdpr-25-of-employees-storing-data-in-public (Date Accessed: 16/11/2017)
Husain, O. (2023) ‘51 Biggest GDPR Fines and Penalties So Far (Updated!)’ Enzuzo 23rd May Available at: https://www.enzuzo.com/blog/biggest-gdpr-fines (Date Accessed: 08/06/2023)
IBM, (no date) https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation/ (Date Accessed: 04/10/2017)
Imossi, T. (2018) ‘New EU rules on data protection are a 'gift to paedophiles', government officials warn’ ABI 4th December Available at: https://www.theabi.org.uk/news/new-eu-rules-on-data-protection-are-a-gift-to-paedophiles-government-officials-warn (Date Accessed: 10/07/2023)
ICO, (2017) https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/ (Date Accessed: 15/12/2017)
ICO, (2017) https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf (Date Accessed: 19/10/2017)
ICO, (2017) https://ico.org.uk/for-organisations/data-protection-bill/ (Date Accessed: 12/10/2017)
ICO, (2017) https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/ (Date Accessed: 12/10/2017)
ICO, (2012) https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf (Date Accessed: 27/10/2017)
IT Governance, (2017) https://www.itgovernance.co.uk/dpa-penalties (Date Accessed: 29/09/2017)
IT Governance, (2017) https://www.itgovernance.co.uk/download/2017-08-03_GDPR-webinar_Legal-obligations-for-and-responsibilities-of-data-processors-and-controllers-under-GDPR_Alan%20Calder_v1.1.pdf (Date Accessed: 30/11/2017)
IT Governance, (2017) https://www.itgovernance.co.uk/download/data-breaches-and-the-eu-gdpr.pdf?utm_source=Email&utm_medium=Micro&utm_campaign=GDPRWebinar&utm_content=2016-07-01&kmi=ehartley%40itgovernance.co.uk (Date Accessed: 30/11/2017)
IT Governance, (2016) https://www.itgovernance.co.uk/download/Accountability-and-the-GDPR-Webinar-Jan-19-2016.pdf (Date Accessed: 15/12/2017)
IT Governance, (2017) https://www.itgovernance.co.uk/download/2017-11-02_Risk-assessments-and-applying-organisational-controls-for-GDPR-compliance.pdf (Date Accessed: 29/11/2017)
Kamath, J. P. (2008) ‘HMRC left the door open to data loss’ Computer Weekly Available at: http://www.computerweekly.com/news/1280096733/HMRC-left-the-door-open-to-data-loss (Date Accessed: 20/10/2017)
Kerpan, P. (2017) ‘Why comply? Europe’s GDPR, UK’s Data Protection Bill and your enterprise’ IT Proportal Available at: https://www.itproportal.com/features/why-comply-europes-gdpr-uks-data-protection-bill-and-your-enterprise/ (Date Accessed: 24/11/2017)
Lievens, E. Verdoodt, V. (2018) Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation Computer Law & Security Review, 34(2), pp.269-278.
Lee, J. (2017) ‘BioID ramps up data privacy and protection commitment’ 9th November Biometric Update Available at: http://www.biometricupdate.com/201711/bioid-ramps-up-data-privacy-and-protection-commitment (Date Accessed: 16/11/2017)
Lomas, N. (2022) ‘Instagram fined €405M in EU over children’s privacy’ Tech Crunch 5th September Available at: https://techcrunch.com/2022/09/05/instagram-gdpr-fine-childrens-privacy/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAMBKEyEXq5hYOxCHVE0liElLJjJfclriUFcz92oVZzFS-Ll0fRKyKO0AltQydevMHI6y56-FII2Y7UdO_0A6KXj0w6E8SRjprXlUJus9MahzZTY04Mjx2RGcc66TniFY9H4daBAAG57hI6TOXeMfYglNlR5fxGx4C2k-vegPjBkG (Date Accessed: 08/06/2023)
Lopes, R. Ta, V.T. Korkontzelos, Y. (2023) ‘On the conformance of Android applications with children's data protection regulations and safeguarding guidelines’. arXiv preprint arXiv:2305.08492.
Macaulay, T. (2017) GDPR explained: How to prepare for the approaching General Data Protection Regulation (GDPR) 7th August Available at: https://www.computerworlduk.com/data/how-prepare-for-general-data-protection-regulation-gdpr-3652439/ (Date Accessed: 04/10/2017)
Martin, G. (2017) ‘Will GDPR change the ethics of data privacy?’ Vox 12th April Available at: https://vox.veritas.com/t5/Information-Governance/Will-GDPR-change-the-ethics-of-data-privacy/ba-p/829595 (Date Accessed: 28/11/2017)
Murray, A. (2013) Information Technology Law, Oxford: Oxford University Press
Neal, D. (2017) ‘Privacy International suggests improvements to the Data Protection Bill’ 9th October Available at: https://www.theinquirer.net/inquirer/news/3018799/privacy-international-suggests-improvements-to-the-data-protection-bill (Date Accessed: 12/10/2017)
No Author, (2008) ‘Child benefit data loss: timeline of scandal’ The Telegraph 25th June [Online] Available at: http://www.telegraph.co.uk/news/majornews/2191680/Child-benefit-data-loss-timeline-of-scandal.html (Date Accessed: 20/10/2017)
Privacy-Regulation, (2017) https://www.privacy-regulation.eu/en/38.htm (Date Accessed: 01/12/2017)
Smith, I. (2017) ‘GDPR and the ethical use of data’ IT Pro Portal Available at: https://www.itproportal.com/features/gdpr-and-the-ethical-use-of-data/ (Date Accessed: 28/11/2017)
Van Driel, R. (2016) ‘GDPR: Big data, privacy, ethics and innovation’ Linkedin 8th June Available at: (Date Accessed 01/12/2017)


