Do I Need a Tickbox on My Newsletter Sign Up Form? I had an interesting conversation with a new client this week about their newsletter signup form. Picture the scene: the usual suspects were there – name field, email address field, and then that familiar tick box declaring "I agree to receive the newsletter." But here's where it gets properly daft – they'd made the tick box compulsory. So much for freely given consent, [...]
Hidden Dangers in Data Processing Agreements: A Payroll Data Breach Case Study The Scenario: A Simple Error with Complex Implications Recently, we encountered a situation that serves as a perfect case study for businesses relying on third-party data processors. One of our clients, who outsources their payroll processing, experienced what might initially seem like a minor data breach – a payslip and P45 belonging to one employee were mistakenly sent to another employee within [...]
One size does not fit all When it comes to GDPR compliance, too many businesses fall into the trap of copying larger competitors' privacy policies. As a GDPR compliance consultant, I recently witnessed this firsthand during a client call, where I had to stop myself from screaming "NO!" into my mug as they suggested copying a section from a major competitor's privacy policy verbatim. The Dangerous Temptation of Copy-Paste GDPR Compliance Creating a GDPR-compliant [...]
The fear of data protection legislation is creating a new type of business paralysis, where companies are so worried about making a misstep that they're choosing to do nothing at all. Recently, I encountered this exact scenario with a new client who was hesitant to review their digital marketing practices simply because they weren't confident in their understanding of data protection regulations. This fear-based approach to data protection is holding businesses back from marketing [...]
Why GDPR Consent Isn't Your Only Compliance Requirement Understanding GDPR consent requirements is a common challenge for businesses, with many organisations believing they've achieved compliance by simply adding consent forms to their processes. While these GDPR consent requirements are important, they're just one piece of the compliance puzzle. The General Data Protection Regulation actually provides several other legal bases for processing personal data that are equally valid and sometimes more appropriate than consent. Beyond [...]
The Uncomfortable Truth About IT Providers and GDPR Businesses operate in data environments and being able to obtain IT support when something goes wrong is key to working effectively. Those IT Providers have complete access to a businesses digital assets and information. This makes it very risky when those IT providers have no awareness of their security or GDPR obligations. This happened to a client recently when we undertook a gap analysis and revealed [...]
"We're GDPR Compliant" - The Common GDPR Compliance Mistakes UK Businesses are making Are you making critical GDPR compliance mistakes without realising it? Our many years of Data Protection and GDPR consulting reveals that lots of UK businesses are. Even those who think they've ticked all the compliance boxes are often shocked when they discover their mistakes. In our lengthy time providing GDPR and data protection consulting, we've encountered countless businesses who discovered they [...]
Best practices for note-taking in organisations What can we put in notes? It's a question that organisations seek advice on regularly. The challenge with notes is they are usually free text fields and can be as long as you want which is great for flexibility, however from a data protection perspective, what is written in notes would be disclosable during a Subject Access Request process and they can frequently contain opinions (not so great). [...]
When Age Verification Goes Too Far: A GDPR Perspective In the world of online shopping, we've all become accustomed to filling out forms and providing personal information. But when does data collection cross the line from necessary to excessive? A recent experience, shopping for my daughter's birthday present, highlighted this issue and got me thinking about GDPR compliance and consumer rights. The 26-Year-Old Shopper (Or Am I?) Picture this: I'm browsing a well-known retailer's [...]
GDPR's Impact on AI and Machine Learning: Navigating Compliance Challenges Since its inception, the General Data Protection Regulation (GDPR) has reshaped the landscape of data privacy across Europe and beyond. As AI and machine learning technologies continue to evolve, organisations must navigate the complex interplay between innovation and compliance. GDPR's Impact on the use of AI is broad and multifaceted. In this blog post, we delve into the challenges of implementing AI while maintaining [...]
Why should I do a Record of Processing Activities (ROPA)? In the complex landscape of modern business, data has emerged as a critical asset. Yet, many organisations are unaware of what data they hold and the purposes they have retained it. The key to unlocking this value? A comprehensive data audit or Record of Processing Activities. GDPR requires larger organisations to undertake an audit of the data they hold, the purposes it's used for, [...]
The need for GDPR privacy notices at every collection point is an essential way that you can demonstrate transparency and define how data will be used. Data is constantly being collected - often without the individuals full awareness. From browsing websites to using mobile apps, personal information is gathered, stored, and analysed by countless organisations. This makes it more important than ever to have clear privacy notices at all points where data is collected. [...]
The data protection environment needs to be able to respond to new technologies and security concerns that may come with their use. Despite the General Data Protection Regulation (GDPR) being in effect for over six years, many organisations still struggle to maintain a mature compliance framework. This week, I had the opportunity to meet with three clients to discuss their GDPR progress and we discussed their use of AI technologies. The AI Blindspot One [...]
Maintaining Confidentiality: A Crucial Aspect of GDPR Compliance Protecting the personal information in an organisation is more important than ever. The General Data Protection Regulation (GDPR) sets strict standards for how organisations handle and protect personal information. One key aspect of GDPR compliance is maintaining the confidentiality of information. The Importance of Staff Training Your employees are on the front lines of data protection. Without proper training, even well-intentioned staff members can inadvertently compromise [...]
GDPR and Employee Privacy: Balancing Employer Obligations and Employee Rights The General Data Protection Regulation (GDPR) has reshaped how organisations handle personal data, including that of their employees. Employers must navigate the delicate balance between monitoring and collecting data for legitimate business purposes and respecting the privacy rights of their employees. This blog post explores the implications of GDPR on employee monitoring and data collection, best practices for maintaining this balance and how to [...]
Data Protection Roles Under GDPR: What You Need to Know. One of the key things to understand to be able to comply with your data protection obligations is what is your data protection role. Your role will dictate your responsibility for data protection compliance. Data Controller The data controller determines the purposes and means of processing personal information. They decide what to collect, how it will be used, how long it will be stored, [...]
Data Breaches and GDPR: What You Need to Know Data breaches are a nightmare for any organisation, but under GDPR, they can become even more challenging. This post will explain what a data breach is, your obligations under GDPR, and best practices for prevention and response to safeguard your business. What is a Data Breach? Under GDPR, a data breach is defined as a security incident leading to the accidental or unlawful destruction, loss, [...]
Understanding Soft Opt-In for GDPR Compliance: A Guide for Marketing With all the data protection requirements and understanding lawful basis, marketers must navigate complex privacy legislation to ensure their marketing aligns with legal requirements. One such topic that's particularly relevant for email marketing is the "soft opt-in." This blog post will explore what soft opt-in means under the General Data Protection Regulation (GDPR) and how businesses can use it effectively. What is the Soft [...]
Data Sharing Agreements: Enabling Collaboration While Protecting Information Data sharing agreements are essential tools when organisations want to share personal information. A Data Sharing Agreement is a legal contract that sets out the responsibilities of the partners involved in the data sharing. The terms set out how data can be accessed, used, protected and retained when shared between parties. Whether you're a business partnering with vendors, a researcher collaborating across clients, or a membership [...]
Data Classification: Why it is important Not all business data is created equal. Some information is more valuable—and more sensitive—than others. This is where data classification becomes important. It helps separate the low risk information from the highly sensitive and confidential. What is Data Classification? Data classification is the process of categorising business information based on its level of sensitivity and the impact to the organisation should that data be disclosed, altered, or destroyed [...]