I am on a number of mailing lists, like most of us :-) One of the companies I receive a newsletter from sent me details of an event. Somehow I ended up on the list of interested parties for this event and started getting emails about it (I don't remember signing up but the company says I did). Anyway after the initial few emails, I started getting texts about this event promoting it. I [...]
We've been helping businesses get their privacy policies in place over the last couple of weeks. It's been a surprise to find so many businesses not having a basis privacy policy in place on their website. We write bespoke privacy policies. We also selling a template privacy policy which you can adapt for your use. There is no excuse for having a privacy policy which doesn't meet the requirements. So what should a privacy [...]
Now I am not one of the GDPR advisors that uses the formal language. I don't use the word data, I say personal information as so many people struggle to understand what data really means. I spend quite a lot of time talking with other data protection professionals and I always find it daunting when they start talking article this, data that. Not because I don't know what they are talking about but it [...]
There has been a recent news story about a man making subject access requests in the name of his girlfriend (with her knowledge) to see how much information he could obtain. On the basis of his research 1 in four companies gave him information on the basis of the information he had provided. This comes down to poor verification processes in place at the organisations before they give the information out. So here are [...]
Another week, another data subject access request or SAR. We were contacted this week by an individual who wanted to know if an organisation had complied with their obligations. That's a bit unusual as its usually organisations contacting us. On this occasion this individual had asked for their parents care records from a care agency. The information had been provided but there was no explanation about the content. Care agencies are likely to receive [...]
IT support companies are the key to being able to access business information in a timely manner. Most small businesses outsource their IT support to another small IT Support Business. This can be a challenge when neither business knows how they should be complying with GDPR. Whenever I am working with a business on their GDPR compliance, the sticking point is always with the IT support company. Generally, the IT support company's terms and [...]
When I interact with a website, I always look at the privacy policy, a bit sad, I know but it tells me a lot about a business and their attitude to privacy. A privacy policy should include certain information to meet the requirements of data protection. My daughter recently wanted to buy some clothing from a large retailer. Their privacy policy was poor and had not been updated as a result of GDPR which [...]
On the 25th May 2018, GDPR became enforceable. It's been an interesting year. From what you can see around you and the way companies are behaving, some are still not aware of their GDPR obligations (let's put it that way). So far none of the big fines that everyone has been worried about have come to fruition. The different supervisory bodies across the EU are making their interpretations of the legislation known. Things are [...]
My son has been looking for some specialist insurance recently which has meant a lot of phone calls from various brokers. The really interesting thing is that none of these brokers disclosed that they were recording the calls at the start of the conversation. Only when my son asked if they were recording the calls, did they say that they were. Not a lot of transparency there. One of the brokers directed him to [...]
Can the ICO get in touch with you? What happens if they use the email address on your website? Sometimes the ICO may wish to contact you. This may be if they have received a complaint from another person or organisation. Their first stop will be your website and they will probably use the email address shown there to send you an email. So what happens when you are not monitoring that email address? [...]
Large companies continue to get it wrong. There's been a Facebook ad appearing in my feed recently. It is for a GDPR checklist. So despite not needing a checklist, today I followed the link. The page asks for your email address, first name, last name and telephone number before you can download the checklist. You shouldn't have to provide all that information for a free download, its part of the data minimisation principle of [...]
What is a Subject Access Request (SAR) or a Data Subject Access Request (DSAR)? This is the right of an individual to see any information held about them by an organisation. Someone can make a request by any method they choose, including verbally. This is creating some challenges as most organisations are struggling to put a process in place to recognise verbal requests. A friend of mine made a verbal request to a local [...]
I received a call the other day from someone who wanted to talk GDPR with me. Nothing unusual in that, except this person started the call by telling me they were a GDPR expert. As far as I am concerned there are no GDPR experts. There are people with lots of knowledge and experience but until the case law starts to flow through, there are no experts. Anyway, back to my caller. Having introduced [...]
GDPR is on the horizon and lots of organisations are seeking reconsent by sending you an email to get you to reconfirm your email address. And that's fine providing they are doing it the right way. I was contacted recently by a charity seeking reconsent. They had made some fundamental mistakes, including a data breach! What did they do? Firstly when seeking reconsent they sent an email to all the subscribers via outlook and [...]
It's a common question - How long should we retain records? The answer depends on a whole range of things. The General Data Protection Regulation states that information should not be kept for longer than required. Sounds simple. But how long should you keep files? Accountancy records are 7 years but what about something like a display screen equipment assessment? There is a judgement to be made around the files a business holds where [...]
In most cases recently, no. What am I talking about? What websites are doing with my information. I have been working on contracts as part of some GDPR implementation work and one of the contracts I reviewed was with a call answering service. The contract was very unclear with regard to confidentiality and Data Protection so I went across to the website to see what it said there. It did have terms and conditions [...]
I'm going to let you into a little secret. I can go to your website and just by looking at it, I can tell whether you comply with GDPR. It's not magic or clever. Once you know what GDPR requires of a business, anyone with that knowledge can go to a website and see if a business complies. Looking at a privacy notice will tell you whether they are meeting the latest requirements about [...]
This is often the first thing that is said (after the introductions) when I go to companies to talk about GDPR and frequently I don't know what to say. Let's start with data protection. It all started about 16 years ago when I was put in charge of data protection for a charity I was working for. I have to admit it was like the blind leading the blind. I didn't have a clue [...]
I'm a small business so the Data Protection Act and General Data Protection Regulation don't apply to me. You would be surprised how frequently I hear this and I even heard it from a solicitor who told facts vs myths, newspaper article text me that there was a small business exemption! The legislation around how to handle a persons information including how to collect, store, handle and destroy that information is [...]
This is a question which I frequently hear and often extending it to its full name of the General Data Protection Regulation doesn't prove any more enlightening to the person asking the question. GDPR is the regulation agreed by the European Community as the standard that should be in place across the EU when handling a persons information. It's the replacement for the European directive that became the Data Protection Act. Simply put, GDPR [...]