What is Processing in GDPR terms?
What is processing explained simply.
This week through the helpline, we had a call from a company that had used legitimate interests as its lawful basis to scrape email addresses from the web and then send marketing information to them. They explained that marketing emails were in their interests and in the interests of the person emailed, because the recipient could place their goods and services for sale on the caller's platform. There are very specific rules about email marketing, both in data protection legislation and [...]
Since my blog on health information, we've had a number of questions about health information, and special category information more generally, when it is collected from employees. When you have employees, you will often be processing special category information: information about their health, because you need to pay them sick pay; information about their ethnicity or ethnic origin, because you might collect that as part of your equal opportunities monitoring. You might collect information about trade union membership [...]
Under data protection legislation, health information is considered a special category of personal information. This means that additional controls need to be in place before you collect and store it. There are a number of special categories, and health information is one of the most commonly processed because we collect it through various channels within our businesses. Today, we're just going to focus on those companies that collect it because they deal [...]
A common email data breach: failing to BCC the recipients. My son has started a new job and is heading off for a training course on Sunday. As part of attending the training course he was provided with information about the venue and training sessions, along with the other new starters. My son could see the personal email addresses of colleagues he's yet to meet on a company email. As my son (and [...]
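The disclosure described above happens because To: and Cc: travel inside the message to every recipient, while Bcc: addresses are used only for the delivery envelope and are stripped before the message is transmitted. The following is an added example, not code from the original post: it builds the exposed message and the Bcc version, adds a pre-send check that lists every address outside the sender's own domain that would be visible to all recipients, and mimics (in simplified form) what smtplib.SMTP.send_message does with the Bcc header. The sender, domain and new-starter addresses are constructed for the example.

```python
import copy
from email.message import EmailMessage

SENDER = "hr@example.com"          # constructed: the company mailbox sending the invite
INTERNAL_DOMAIN = "example.com"    # constructed: the sender's own domain
# Constructed personal addresses of new starters who have never met each other.
NEW_STARTERS = [
    "alice@personalmail.test",
    "bob@personalmail.test",
    "carol@personalmail.test",
]


def build_exposed_message(sender, recipients, subject, body):
    """The mistake in the anecdote: every recipient is listed in To:, so each
    new starter receives the personal e-mail address of all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """The fix: recipients go in Bcc: only. The visible To: names the sender,
    so no recipient learns who else was mailed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg, internal_domain):
    """Pre-send check: return every To:/Cc: address that is outside the sender's
    own domain. Anything returned here will be disclosed to all recipients."""
    suffix = "@" + internal_domain.lower()
    found = set()
    for field in ("To", "Cc"):
        # With the default EmailMessage policy each header is an AddressHeader
        # whose .addresses tuple already has groups flattened.
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                spec = addr.addr_spec.lower()
                if not spec.endswith(suffix):
                    found.add(spec)
    return sorted(found)


def as_transmitted(msg):
    """Simplified model of smtplib.SMTP.send_message: gather the envelope
    (RCPT TO) recipients from To/Cc/Bcc, then delete the Bcc header so it never
    leaves the sending system. Returns (envelope_recipients, bytes_on_the_wire)."""
    envelope = []
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            envelope.extend(a.addr_spec for a in header.addresses)
    wire = copy.copy(msg)      # same approach smtplib takes before deleting Bcc
    del wire["Bcc"]
    return envelope, wire.as_bytes()


if __name__ == "__main__":
    bad = build_exposed_message(SENDER, NEW_STARTERS, "Training", "See you Sunday")
    good = build_bcc_message(SENDER, NEW_STARTERS, "Training", "See you Sunday")
    print("exposed by To:/Cc:", exposed_recipients(bad, INTERNAL_DOMAIN))
    print("exposed by To:/Cc:", exposed_recipients(good, INTERNAL_DOMAIN))
    rcpts, wire = as_transmitted(good)
    print("envelope recipients:", rcpts)
    print("Bcc header on the wire:", b"Bcc" in wire)
```

Run the check against every outgoing bulk message before it is handed to the mail server; a non-empty result from exposed_recipients is exactly the breach in the story, and the same logic ports to a mail gateway rule that refuses messages with more than a handful of external To:/Cc: addresses.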
A few years ago I was running some GDPR Implementation classes for small businesses and each week, we had a Q&A call where anyone with questions could come onto the call and get an answer. It became a running joke that my initial response was always “it depends” and the right thing to do always depended on the individual set of circumstances. Although it would be lovely to think that data protection legislation was [...]
It has been a busy few weeks helping organisations who work with large corporates respond to procurement and security questionnaires. The questionnaires have all sorts of names: assurance, security, procurement, information security, data protection, and so on. They are all effectively trying to achieve the same thing: assurance about the security surrounding the information you are working with. They are being requested more frequently as part of working with larger organisations. In the last few weeks, [...]
“I’ve read the information on the ICO website and I’m still confused.” We hear this so often through our helpline. It’s not the fault of the ICO website: it is trying to meet the needs of all organisations, from big to small and complex to simple, and it doesn't always provide the level of advice a particular organisation needs. Also, the language can be confusing, and frequently organisations struggle to understand the implications for their [...]
The last minute Brexit deal has some good news for those organisations who are working with companies in the EU or whose cloud storage is based in the EU. Until now the UK and the EU/EEA have been able to exchange personal information without any issues or concerns. As part of the new Brexit deal that exchange can continue unhindered until the UK achieves adequacy status, but for no longer than six months. This means [...]
We’ve had a flurry of requests for support with subject access requests in the last few weeks. This is because of the redundancies being made by organisations and the changing job market. Don’t think that only large organisations get subject access requests: we have recently helped an organisation with only one employee to respond to one. The most recent ones have come from slightly larger organisations, and there has been a common theme [...]
My father went to the doctor's recently. He needed to have a blood test and the doctor gave him his blood test forms to book the appointment with. The doctor checked that the top form (of those stapled together) had his name and address on it. When we got home, I got the forms out to make the appointment. There were three sheets of paper stapled together; the top two referred to my dad [...]
Should membership organisations support their members with GDPR? I believe they should. It's not often I get frustrated, but this was one of those times. I have a client in the security industry who contracts out some of the security monitoring to a third party. I have spoken with the third party and they do not understand GDPR or what they need to do, yet they are a member of a security industry body. [...]
I had to telephone a company the other day to chase an order. When I called, the person who answered the phone asked me if I would mind holding, as he was on another call. I said that was fine, but he didn't mute himself or put me on hold. As a result I could clearly hear the conversation he was having with the other caller, which included taking their credit card details (including [...]
Recently, with many organisations working from home, we have seen increased scrutiny of organisations that manage information on behalf of other organisations. One of our clients is an international market research company. They work with large corporates throughout the world, providing insight on new ideas and services. For the first time ever, they have received a security questionnaire from their biggest client. What we mean when we say security questionnaire is a form asking [...]
Working from home is becoming the norm. Staff who are used to working in an office environment are now working from home and trying to create an acceptable office environment there. From a productivity and security point of view, the best thing to do is to ensure that the space you are working from is a dedicated space, even if it's only a small desk in the corner of a room. Once you [...]
When we talk about how long to keep information, we should also be considering the sensitivity of that information. Can you identify information which is confidential and whose access should be restricted, separately from other information? For example, personnel records would be considered confidential information. Access to them would be restricted to those who need to know. So how are you marking those records to convey that restriction? It's easy with paper records: you can just mark [...]
The Information Commissioner's Office (ICO) has fined Doorstep Dispensaree £275,000 for failing to deal securely with paper records. There are some interesting elements to this case. The fine was for the lack of security over paper records, a reminder to organisations that the legislation doesn't just relate to electronic information. Concerns about the security of the information were reported to the ICO by the Medicines and Healthcare products Regulatory Agency (MHRA). It was [...]
Vishing calls are not new. They have been happening for a while, but after an incident at one of my clients recently, and then a discussion with one of my groups, I thought I would cover it here. You can stop reading now if you think you know it all! A vishing call is where someone contacts you by phone and then tries to get information from you. This information may be personal to [...]
There is a limited time period to respond to a subject access request. How long depends on a couple of factors. Let's start at the beginning. When you receive a subject access request, you need to be able to verify the identity of the person making the request. You can view my previous blog about verifying their identity here. You cannot use identity verification as a way of delaying your response. Frequently an individual [...]