16 05, 2022

Legitimate interest as a lawful basis is not an excuse to market to everyone.

This week, through the helpline, we had a call from a company that had relied on legitimate interests to scrape email addresses from the web and then send marketing information to them. They explained that marketing emails were in their interests and in the interests of the person emailed, so that the person could place their services and goods on the caller's platform for sale. There are very specific rules about email marketing both in data protection legislation and [...]

30 04, 2022

Email Marketing – Do I need a tickbox?

Back to Basics and email marketing. Over the last couple of weeks we've been looking at some email marketing signup forms. It's interesting to see when an organisation decides to include a tick box, although sometimes it's the software that has a tick box that you cannot remove. When someone is signing up for your email marketing list, you might create a form where they can insert their email address and there's a tick [...]

18 04, 2022

Are your suppliers protecting your business information?

We find clients often don't think about supplier risk. Currently we're working with a company to implement ISO27001 and, as part of that process, we are checking their suppliers for information security standards, GDPR compliance, etc. As part of checking suppliers for compliance, we needed a list of the suppliers, and this particular company has outsourced its finance function to an accountancy firm. We asked the accountants to provide a list of the suppliers [...]

7 03, 2022

Special Category Information related to Employees

Since my blog post on health information, we've had a number of questions about health information, or special category information more generally, when it's collected from employees. When you have employees, you will often be processing special category information about their health because you need to pay them sick pay, and information about their ethnicity or ethnic origin because you might collect that as part of your equal opportunities monitoring. You might collect information about trade union membership [...]

2 03, 2022

Dealing with special category information related to health

Under data protection legislation, health information is considered a special category of personal information. This means that additional controls need to be in place before you collect and store it. There are a number of special categories, and health information is one of the most commonly used because we collect it through various channels within our businesses. Today, we're just going to focus on those companies that collect it because they deal [...]

1 02, 2022

A common email data breach – failing to BCC

A common email data breach by failing to BCC the recipients

My son has started a new job and is heading off for a training course on Sunday. As part of attending the training course he was provided with information about the venue and training sessions along with the other new starters. My son could see the personal email addresses of colleagues he's yet to meet on a company email. As my son (and [...]

15 09, 2021

What is Processing in Data Protection terms?

In data protection terms we spend a lot of time talking about processing personal information. This week we have had two conversations which highlighted that processing is not always understood. The first company we were talking to is a document storage company being used by one of our clients. We were explaining that they were a data processor because they are storing the personal information. They explained that my client only stores the paper [...]

26 07, 2021

The UK is adequate for Data Protection Purposes

The UK is adequate. Doesn't sound great, does it, but it is really good news for continuing to make transfers to and from the EU/EEA. You may remember me telling you at the beginning of the year that there was a six-month period during which transfers to the EU could continue until the UK achieved adequacy status from the EU. The adequacy status was approved on the 28th June (talking about taking it to [...]

27 06, 2021

It’s not all Black and White

A few years ago I was running some GDPR implementation classes for small businesses and each week we had a Q&A call where anyone with questions could come onto the call and get an answer. It became a running joke that my initial response was always "it depends": the right thing to do always depended on the individual set of circumstances. Although it would be lovely to think that data protection legislation was [...]

27 04, 2021

Procurement Questionnaires and how to respond

It has been a busy few weeks helping organisations that work with large corporates respond to procurement and security questionnaires. The questionnaires have all sorts of names: assurance, security, procurement, information security, data protection, etc. They are all effectively trying to achieve the same thing, which is assurance about the security surrounding the information you are working with. They are being requested more frequently as part of working with larger organisations. In the last few weeks, [...]

12 04, 2021

Data Controller or Data Processor?

It's one of those things that people struggle with. Am I a Data Controller or Data Processor? Let's talk through what each one is and the role that they play.

Data Controller

The Data Controller decides how information is collected, used, stored and destroyed. Effectively they are in charge of the personal information that they are collecting. They are responsible for informing the individual, via privacy information, how the information will be used, shared, [...]

1 03, 2021

GDPR Basics 1 – I’ve read the information on the ICO website and I’m still confused

"I've read the information on the ICO website and I'm still confused." We hear this so often through our helpline. It's not the fault of the ICO website: it is trying to meet the needs of all organisations, from big to small and complex to simple, and it doesn't always provide the level of advice that a particular organisation needs. Also, the language can be confusing, and organisations frequently struggle to understand the implications for their [...]

23 01, 2021

Which Countries are in the EU and EEA for data protection purposes?

The EU countries covered by GDPR and data exchange are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The EEA (European Economic Area) includes all the EU countries plus Iceland, Norway and Liechtenstein. Additionally, there are countries which have an adequacy decision, so data can be passed to and from them [...]

18 01, 2021

What does the Brexit deal mean for data transfers with Europe?

The last-minute Brexit deal has some good news for those organisations who are working with companies in the EU or whose cloud storage is based in the EU. Up until now the UK and EU/EEA have been able to exchange personal information without any issues or concerns. As part of the new Brexit deal, that exchange can continue unhindered until the UK achieves adequacy status, but for no longer than six months. This means [...]

12 01, 2021

Data Subject Access Requests (DSAR)

We've had a flurry of requests for support with subject access requests in the last few weeks. This is because of the redundancies being made by organisations and the changing job market. Don't think that only large organisations get Subject Access Requests; we have recently helped an organisation with only one employee to respond to one. The most recent ones have been slightly larger organisations and there has been a common theme [...]

31 08, 2020

Blood test – Taking the Pee?

My father went to the doctor's recently. He needed to have a blood test and the doctor gave him his blood test forms to book the appointment with. The doctor checked that the top form (of those stapled together) had his name and address on it. When we got home, I got the forms out to make the appointment. There were three sheets of paper stapled together; the top two referred to my dad [...]

19 07, 2020

Should Membership Organisations support their members with GDPR?

Should membership organisations support their members with GDPR? I believe they should. It's not often I get frustrated, but this was one of those times. I have a client in the security industry who contracts out some of the security monitoring to a third party. I have spoken with the third party and they do not understand GDPR or what they need to do, but they are a member of a security industry body. [...]

22 06, 2020

What makes me a good Data Protection Officer (DPO)?

I think that to be good at something requires a mix of knowledge, talent and passion. I have extensive data protection experience as well as a formally recognised qualification, so that makes me a good data protection officer. What makes me different from lots of other data protection professionals, some of whom jumped on the GDPR bandwagon as a means of making money, is that I have continued to learn, not just about data [...]

24 05, 2020

Telephone Security or lack of it

I had to telephone a company the other day to chase an order. When I called, the person who answered the phone asked me if I would mind holding as he was on another call. I said that was fine, but he didn't mute himself or put me on hold. As a result I could clearly hear the conversation he was having with the other caller, which included taking their credit card details (including [...]