A few years ago I was running some GDPR Implementation classes for small businesses and each week, we had a Q&A call where anyone with questions could come onto the call and get an answer. It became a running joke that my initial response was always “it depends” and the right thing to do always depended on the individual set of circumstances. Although it would be lovely to think that data protection legislation was [...]
It has been a busy few weeks helping organisations who work with large corporates respond to procurement and security questionnaires. The questionnaires have all sorts of names; assurance, security, procurement, information security, data protection etc. They are all effectively trying to achieve the same thing, assurance about the security surrounding the information you are working with. They are becoming more frequently requested as part of working with larger organisations. In the last few weeks, [...]
It’s one of those things that people struggle with. Am I a Data Controller or Data Processor? Let’s talk through what each one is and the role that they play. Data Controller The Data Controller decides how information is collected, used, stored and destroyed. Effectively they are in charge of the personal information that they are collecting. They are responsible for informing the individual, via privacy information, how the information will be used, shared, [...]
“I’ve read the information on the ICO website and I’m still confused.” We hear this so often through our helpline. It’s not the fault of the ICO website, they are trying to meet the needs of all organisations from big to small, complex to simple and it doesn’t just provide the level of advice that someone needs sometimes. Also, the language can be confusing and frequently organisations struggle to understand the implications for their [...]
The EU countries covered by GDPR and data exchange are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. The EEA (European Economic Area) includes all the EU countries and Iceland, Norway and Liechtenstein. Additionally there are countries which have an adequacy decision and so data can be passed to and from them [...]
The last minute Brexit deal has some good news for those organisations who are working with companies in the EU or whose cloud storage is based in the EU. Up till now the Uk and EU/EEA have been able to exchange personal information without any issues or concerns. As part of the new Brexit deal that exchange can continue unhindered until the UK achieves adequacy status but no longer than six months. This means [...]
We’ve had a flurry of requests for support for subject access requests in the last few weeks. This is because of the redundancies being made by organisations and changing job market. Don’t think that only large organisations get Subject Access Requests, we have recently helped an organisation with only one employee to respond to a Subject Access Request. The most recent ones have been slightly larger organisations and there has been a common theme [...]
My father went to the doctors recently. He needed to have a blood test and the doctor gave him his blood test forms to book the appointment with. The doctor checked that the top form (of those stapled together) had his name and address on it. When we got home, I got the forms out the make the appointment. There were three sheets of paper stapled together, the top two referred to my dad [...]
Should Membership organisations support their members with GDPR? I believe they should. It's not often I get frustrated but this was one of those times. I have a client in the security industry who contracts out some of the security monitoring to a third party. I have spoken with the third party and they do not understand GDPR or what they need to do but they are a member of a security industry body. [...]
I think that to be good at something requires a mix of knowledge, talent and passion. I have extensive data protection experience as well as a formally recognised qualification. So that makes me a good data protection officer. What makes me different from lots of other data protection professionals, some of whom jumped on the GDPR bandwagon as a means to making money, is that I have continued to learn, not just about data [...]
I had to telephone a company the other day to chase an order, when I called, the person who answered the phone asked me if I would mind holding as he was on another call. I said that was fine, but he didn't mute himself or put me on hold. As a result I could clearly hear the conversation he was having with the other caller, which included taking their credit card details (including [...]
Recently with many organisations working from home, we have seen increased scrutiny happening for organisations managing information on behalf of other organisations. One of our clients is an international market research company. They work with large corporates throughout the world providing insight on new ideas and services. For the first time ever, they have received a security questionnaire from their biggest client. What we mean when we say security questionnaire is a form asking [...]
Working from home is becoming the norm. Staff who are used to working in an office environment are now working from home and trying to create an acceptable office environment. From a productivity and security point of view, the best thing to do is to ensure that the space you are using to work from is a dedicated space. Even if it's only a small desk in a corner of a room. Once you [...]
When we talk about how long to keep information, we should also be considering the sensitivity of that information. Can you identify information which is confidential and should be restricted access from other information? For example, personnel records would be considered confidential information. They would have access restricted to those who need to know. So how are you marking those records to provide that information? It's easy with paper records, you can just mark [...]
The Information Commissioners Office (ICO) has fined the Door Step Dispensaree £275,000 for failing to deal securely with paper records. There are some interesting elements to this case. The fine was for the lack of security over paper records. A reminder to organisations that the legislation doesn't just relate to electronic information. Concerns about the security of information were reported to the ICO by the Medicine and healthcare Products Regulatory Agency (MHRA). It was [...]
Vishing calls are not new. They have been happening for a while but after an incident at one of my clients recently and then a discussion with one of my groups, I thought I would cover it here. You can stop reading know if you think you know it all! A vishing call is where someone contacts you by phone and then tries to get information from you. This information may be personal to [...]
There is a limited time period to respond to a subject access request. How long depends on a couple of factors. Let's start at the beginning. When you receive a subject access request, you need to be able to verify the identity of the person making the request. You can view my previous blog about verifying their identity here. You cannot hold up verifying the individual's identify to delay a response. Frequently an individual [...]
Disposing of old office equipment is always a challenge to ensure that it is properly "clean" before disposal. How do you do it? When you think of all the office equipment which might have business or personal information on it, there's a lot. Computers, laptops, servers, printers, mobile phones, memory drives etc. It's not just the electronic equipment either. There's also the need to ensure office furniture such a desks, filing cabinets etc are [...]
I'm often asked what I like about data protection. Well, I love the fact that it is not always black and white. Anyone who knows me, knows that I usually start a response with "it depends". It depends how you collect the information, what you want to use it for, who you are sharing it with etc. But understanding data protection legislation is not the real challenge with achieving compliance. The biggest challenge is [...]