Rapid emergence of the vaping market and all the restrictions applied to the market


The use of e-cigarettes as a quit smoking aid has rapidly gained traction as users see it as a safer alternative to smoking. In a recent report carried out by Ernst and Young, 2.2 million Brits are now vaping, a rise of 55% in just three years.

But, despite its popularity and Public Health England claiming that is it 95% less harmful than smoking, controversy surrounding the use of ENDS (Electronic Nicotine Delivery Systems) continues to rage. Many still believe that is it no less harmful than smoking traditional tobacco products, and governments are experiencing a huge tax shortfall with so many people turning away from lucrative tobacco.

Controversy aside, this new and emerging market is now subject to strict EU legislation aimed “…at harmonising the quality and safety requirements of the products for the benefit of consumers. In addition, rules on packaging and labelling will ensure that consumers are better informed."

The Tobacco Products Directive, which became law in May 2016 and gave suppliers a year to fully comply, is now in full force. And comes nearly two years after the government placed age restrictions on the purchase of e-cigarettes. This new directive requires all cigarette and tobacco products to be sold in plain packaging and limits of the size of cigarettes and tobacco packages, in an attempt to make it less attractive to young smokers. But the TPD also places several additional restrictions on vaping and e-cigarettes.

The maximum nicotine capacity of liquid is now 20mg, down from 24mg previously. As well as restrictions on flavours and size of refill bottles and tanks (10ml and 2ml respectively). Restrictions on advertising similar to those placed on traditional tobacco products are also in force, as well as a complete ban on celebrity endorsements.

There are also stricter controls on the innovation of new products, with manufacturers required to notify government bodies about new products six months before they are launched.

Whether or not the restrictions contained in the TPD will slow down the growth of the vaping market remains to be seen, but many people see legislation of this innovative and emerging industry as a necessary and welcome defence in the battle against nicotine addiction.

New regulations coming in for Adult Entertainment vendors online


The government recently announced new regulations which will require all adult entertainment websites accessed by UK users to be stricter with their policies, changing the way people access adult content on the internet.

The new Digital Economy Act will force all websites containing adult content to prove their users are over 18 years old before they grant access, which means all affected websites must enable age verification tools by April 2018. Companies not complying with the new regulations will face fines of up to £250,000 or being blocked by ISP’s.

Websites may well adapt similar systems to those used by online gambling companies, by asking users to provide credit card details (which can only be issued to people over the age of 18). This tactic has been used successfully by online betting sites since the Gambling Bill of 2004.

Protecting children from potentially damaging online content is at the forefront of the changes. Child protection groups have long been demanding legislation of online adult material to reduce the number of children affected. A recent NSPCC study stated that 65% of 15-16 year olds, and 48% of 11-16 year olds had seen sexually explicit videos online.

Despite the unarguable need to protect children from damaging content, privacy campaigners claim that these new regulations could spell problems. Adult content companies holding sensitive data about people using them exposes the users to risks from online hackers and fraudsters. As we saw with the Ashley Madison hacks in 2015, sensitive data regarding use of certain sites can be a highly lucrative bonus for criminals.

Adult sites from anywhere in the world will be required to show age verification tools for them to be accessed from the UK or websites will face being blocked by ISP’s. Adult content websites have just 6 months to comply with the new rules and should be preparing for the changes now.

Highlighting the main changes to have taken effect in terms of legislation, data protection and regulatory change

UK derogations from the GDPR


As part of the United Kingdom’s move towards compliance with the European General Data Protection Regulation (GDPR) next year, the government have published a statement of intent, detailing some of the differences between the EU regulations and the announced Data Protection Bill.  There are to be a number of significant areas where the new legislation will differ from the GDPR:

The right to be forgotten, although included and made clearer in the GDPR, will be extended under the Data Protection Bill to consider only children aged thirteen or older to be able to give consent to the processing of their personal data.  Although in the UK there are currently no overall rules in place that specify children in the context of consent, to comply with the GDPR the defined age must be between thirteen and sixteen.  The new bill will also include an individual’s right to request that data that was collected about them before the age of eighteen be deleted from social media.

Article 10 of the GDPR specifies that only official authoritative bodies have the right to process criminal conviction and offence data and that even then, justification under specific legislation would be required.  The UK, in recognition of the number of industries that could be affected by this change, have proposed that domestic legislation extend this right to other organisations that process this data.  At this stage, specific legislation regarding access to the different levels of criminality checks (for example basic disclosure checks) has not been released, however it is likely that the current UK rules will be transposed into the Data Protection Bill. Industry bodies will be liaising with Ministers to ensure that the current status quo is maintained and the extent of legislation scope extends wide enough to include all non-regulated industry sectors.

New criminal offences have been proposed for inclusion in the Bill.  These include “Altering records with intent to prevent disclosure following a subject access request” which, although currently a part of the Freedom of Information Act 2000, would be extended to include not just public authorities but all data controllers and data processors.  Furthermore, the act of “Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data” would also be anoffence, designed to prevent the identification of individuals listed in otherwise anonymous date, typically by combining information from different sources.  It will also become an offence to retain data against the wishes of the data controller – extending the current rules from obtaining or disclosing personal data to include retention.

Are you ready for GDPR?


The General Data Protection Regulation (GDPR) will come into force in May 2018 and will affect all companies doing business in the EU. It is imperative that you and your company are ready for the changes to ensure that you comply with the strict new requirements.

Designed to protect personal and sensitive data, the goal of GDPR is to give all EU citizens complete control of their personal data, by providing a universal approach to data protection for all businesses who hold information about EU citizens (regardless of their place of business). It is the biggest shakeup of data protection in the EU since 1998.

Many businesses will need to make significant changes to their operational habits or face the consequences. Failure to comply with GDPR would be costly mistake, with fines of up to €20 million.

The main themes of GDPR are:

  • Data protection - All companies that collect personal data from EU citizens must ensure that they have reasonable data protection measures in place. This includes a data breach policy (data breaches must be reported immediately) and threat assessment.
  • Data control - EU citizens have the right to access their data and request information about how it is being used, can request to take their data elsewhere and have the right to demand that their data be erased.
  • Data responsibility - Public authorities and those who store or process a large amount of personal data must appoint a Data Protection Officer (DPO).

GDPR Preparation

  1. Examine areas where data protection strategies are necessary for your business.
  2. Employ a Data Protection Officer (DPO) if required.
  3. Conduct a risk assessment of all data coming into your company and create a data protection policy which will govern how you control the use and storage of data.
  4. Employ security measures to ensure you are GDPR compliant.
  5. Regularly review security measures and risks to ensure that you stay compliant.

In the months leading up to GDPR it is imperative that companies examine their current data protection policies and put appropriate data security measures in place before the deadline.

This is where we can help. We have a team of regulatory experts ready to advise you on every aspect of GDPR.

Challenges on identity checking on data poor countries


Ireland recently published their “eGovernment Strategy 2017-2020” in which it was revealed that the Public Services Card will become compulsory for those applying for a driving license or passport. Arguments have already begun over what has been coined as a National Identity Card by “stealth”.

Verifying identity in this data rich world is challenging, and the ID card debate raged strongly in the UK before being banished in 2011. Ireland’s government claims that the Public Services Cards are not mandatory. However, some people believe that making them essential for those applying for a passport or driving license effectively makes them so.

The lack of a global standard for ID verification is something that needs to be addressed in order to improve cross border interactions as well as make local transactions quicker and more reliable. Being able to prove a person’s identity is necessary to protect economies and businesses against fraud, money laundering and individuals against identity theft. So, there is a strong argument for a recognised national identity card which is accepted within its own country if not globally.

Many identity verification systems currently rely on submission of original documents, which need to be checked and verified, and seems somewhat archaic in this digital age. This costly and time-consuming process could be avoided if a national identity card were to be adopted. Lack of quick and standard verification processes cost businesses too. A recent study by Experian showed that around half of UK customers abandon online transactions due to the length and complicated nature of ID verification.

But despite the apparent positives of having a national ID card scheme, the argument continues that they are intrusive and the widespread sharing of data is unsafe.

Ireland’s Public Services Card may not be the answer to the identity verification problem, and certainly a global standard needs to be discussed to solve the issues of cross border transactions. While the debate continues, it is imperative that businesses remain vigilant; by keeping up to date with the current identity checking methods, and using all the tools available to verify identity beyond all reasonable doubt and protect themselves as well as customers.

For help with identity verification please visit https://www.capitaidentitysolutions.co.uk