I'm often asked what I like about data protection. Well, I love the fact that it is not always black and white. Anyone who knows me, knows that I usually start a response with "it depends". It depends how you collect the information, what you want to use it for, who you are sharing it with etc. But understanding data protection legislation is not the real challenge with achieving compliance. The biggest challenge is [...]
Do you need to register with the Information Commissioners Office (ICO)? The ICO is the supervisory body for the UK with regard to data protection matters. Under the old Data Protection Act the ICO had a list of Data Controllers. The need to maintain a list of data Controllers disappeared with GDPR, BUT in order to fund the ICO, a bill was passed which means that the ICO maintains a register of fee payers. [...]
Lets face it GDPR is not top of a start-up businesses initial concerns. It comes a bit down the list of priorities after marketing, getting clients, making a profit and potentially having the right insurance in place. GDPR is a challenge for any small business. There is not usually the knowledge or expertise to understand the requirements. Sometimes there is not even the drive to understand what needs to be in place. It's all [...]
What is considered processing under GDPR? It's a question we get asked a lot. Mainly as a result of our work with clients and their data processors. The definition of processing is covered by Article 4 paragraph 2 of GDPR and states: "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, [...]
If you are collecting special category information under GDPR, do you know what to do? There have been incidences recently where an organisation has been collecting GDPR special category information. That is, information about: health ethnicity sex life or sexual orientation trade union membership biometric data when used to identify you political opinions and religious or philosophical beliefs. To be able to collect this information you need to have a second condition in place. [...]
It's happened again. One of the most common data breaches and one which is easily avoided has happened to West Berkshire Council. So what happened? Someone sent an email to 1,107 people about a leisure centre survey and didn't hide the email addresses. As a result, everyone getting the email could see who else it had been sent to. It's really disappointing when these types of data breaches occur as they could so easily [...]
We do a lot of training sessions for companies. As well as running webinar training for individuals so that they can stay up to date with the requirements and legislation. The training we run for companies is completely bespoke. We don't just provide a PowerPoint presentation. We all know that a PowerPoint presentation is the basis of most training sessions but people learn in different ways. If you want everyone to understand what you [...]
Does it ring alarm bells with you when a contractor is unable to provide you with basic information about their data protection practices? A company that is working on your behalf but unable to tell you how they use the personal information you provide. It does with me. Even more so if they have no idea what I am talking about when I request a data protection policy. Recently one of my clients was [...]
Once you know whether your organisation needs a Data Protection Officer (DPO), you then need to decide who can undertake the role. If you are not sure if you need a DPO, then read my blog post here to find out. Companies often ask us who is the best person to be the DPO? This comes down to who can match the requirements set out in GDPR. Under GDPR you should appoint a DPO [...]
Since GDPR came into force, there is now an legal definition for a Data Protection Officer (DPO). Some organisations are required to have a DPO because of their size or the personal information that they are processing, whereas other do not need one. Under GDPR you must appoint a DPO if you are a public authority or body (except for courts acting in their judicial capacity); your core activities require large scale, regular and [...]
I am on a number of mailing lists, like most of us :-) One of the companies I receive a newsletter from sent me details of an event. Somehow I ended up on the list of interested parties for this event and started getting emails about it (I don't remember signing up but the company says I did). Anyway after the initial few emails, I started getting texts about this event promoting it. I [...]
We've been helping businesses get their privacy policies in place over the last couple of weeks. It's been a surprise to find so many businesses not having a basis privacy policy in place on their website. We write bespoke privacy policies. We also selling a template privacy policy which you can adapt for your use. There is no excuse for having a privacy policy which doesn't meet the requirements. So what should a privacy [...]
Now I am not one of the GDPR advisors that uses the formal language. I don't use the word data, I say personal information as so many people struggle to understand what data really means. I spend quite a lot of time talking with other data protection professionals and I always find it daunting when they start talking article this, data that. Not because I don't know what they are talking about but it [...]
There has been a recent news story about a man making subject access requests in the name of his girlfriend (with her knowledge) to see how much information he could obtain. On the basis of his research 1 in four companies gave him information on the basis of the information he had provided. This comes down to poor verification processes in place at the organisations before they give the information out. So here are [...]
Another week, another data subject access request or SAR. We were contacted this week by an individual who wanted to know if an organisation had complied with their obligations. That's a bit unusual as its usually organisations contacting us. On this occasion this individual had asked for their parents care records from a care agency. The information had been provided but there was no explanation about the content. Care agencies are likely to receive [...]
IT support companies are the key to being able to access business information in a timely manner. Most small businesses outsource their IT support to another small IT Support Business. This can be a challenge when neither business knows how they should be complying with GDPR. Whenever I am working with a business on their GDPR compliance, the sticking point is always with the IT support company. Generally, the IT support company's terms and [...]
When I interact with a website, I always look at the privacy policy, a bit sad, I know but it tells me a lot about a business and their attitude to privacy. A privacy policy should include certain information to meet the requirements of data protection. My daughter recently wanted to buy some clothing from a large retailer. Their privacy policy was poor and had not been updated as a result of GDPR which [...]
On the 25th May 2018, GDPR became enforceable. It's been an interesting year. From what you can see around you and the way companies are behaving, some are still not aware of their GDPR obligations (let's put it that way). So far none of the big fines that everyone has been worried about have come to fruition. The different supervisory bodies across the EU are making their interpretations of the legislation known. Things are [...]
My son has been looking for some specialist insurance recently which has meant a lot of phone calls from various brokers. The really interesting thing is that none of these brokers disclosed that they were recording the calls at the start of the conversation. Only when my son asked if they were recording the calls, did they say that they were. Not a lot of transparency there. One of the brokers directed him to [...]
Can the ICO get in touch with you? What happens if they use the email address on your website? Sometimes the ICO may wish to contact you. This may be if they have received a complaint from another person or organisation. Their first stop will be your website and they will probably use the email address shown there to send you an email. So what happens when you are not monitoring that email address? [...]