25 06, 2023

What’s the difference between GDPR and Data Protection?

"What is the difference between GDPR and Data Protection?" is a question I asked the other day. It can be very confusing, as we use the term GDPR regularly to describe a piece of legislation we need to adhere to. GDPR stands for the General Data Protection Regulation. It’s the Europe-wide legislation brought in in 2018 that created a tsunami of changes to the way businesses collect, store and destroy personal information. In [...]

17 01, 2023

What is your password policy and is it effective?

What is your password policy and is it effective? Frequent password changes are one of the things many organisations advocate and actively manage by expiring a password so that it has to be replaced. We are helping a client obtain Cyber Essentials Certification and have been looking at the National Cyber Security Centre (NCSC) website, which has a different viewpoint on passwords. Password changes are designed to limit the harm that comes from an [...]

10 01, 2023

How long do you have to respond to a Subject Access Request?

Two days before Christmas we had a call to the helpline about a Subject Access Request. A company had received a request and the requestor had said that they had 14 days to respond and provide the information. Obviously with all the Christmas and New Year bank holidays, the company were panicking about responding within 14 days. Firstly, the response time for a subject access request is one calendar month. The person making the [...]

18 04, 2022

Are your suppliers protecting your business information?

We find clients don't often think about supplier risk. Currently we're working with a company to implement ISO27001 and as part of that process, we are checking their suppliers for information security standards and GDPR etc. As part of checking suppliers for compliance, we needed a list of the suppliers and this particular company have outsourced their finance function to an accountancy firm. We asked the accountants to provide a list of the suppliers [...]

1 02, 2022

A common email data breach – failing to BCC

A common email data breach by failing to BCC the recipients. My son has started a new job and is heading off for a training course on Sunday. As part of attending the training course he was provided with information about the venue and training sessions, along with the other new starters. My son could see the personal email addresses of colleagues he’s yet to meet on a company email. As my son (and [...]

15 09, 2021

What is Processing in Data Protection terms?

In data protection terms we spend a lot of time talking about processing personal information. This week we have had two conversations which highlighted that processing is not always understood. The first company we were talking to is a document storage company being used by one of our clients. We were explaining that they were a data processor because they are storing the personal information. They explained that my client only stores the paper [...]

12 04, 2021

Data Controller or Data Processor?

It’s one of those things that people struggle with. Am I a Data Controller or Data Processor? Let’s talk through what each one is and the role that they play. Data Controller: the Data Controller decides how information is collected, used, stored and destroyed. Effectively they are in charge of the personal information that they are collecting. They are responsible for informing the individual, via privacy information, how the information will be used, shared, [...]

1 03, 2021

GDPR Basics 1 – I’ve read the information on the ICO website and I’m still confused

“I’ve read the information on the ICO website and I’m still confused.” We hear this so often through our helpline. It’s not the fault of the ICO website: they are trying to meet the needs of all organisations, from big to small and complex to simple, and sometimes it doesn’t provide the level of advice that a particular organisation needs. Also, the language can be confusing, and frequently organisations struggle to understand the implications for their [...]

23 01, 2021

Which Countries are in the EU and EEA for data protection purposes?

The EU countries covered by GDPR and data exchange are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. The EEA (European Economic Area) includes all the EU countries plus Iceland, Norway and Liechtenstein. Additionally, there are countries which have an adequacy decision, so data can be passed to and from them [...]