8 02, 2019

GDPR Compliant Downloads – How not to do it

Large companies continue to get it wrong. There's been a Facebook ad appearing in my feed recently. It is for a GDPR checklist. So despite not needing a checklist, today I followed the link. The page asks for your email address, first name, last name and telephone number before you can download the checklist. You shouldn't have to provide all that information for a free download; it's part of the data minimisation principle of [...]

7 02, 2019

Subject Access Requests – Are you Listening?

What is a Subject Access Request (SAR) or a Data Subject Access Request (DSAR)? This is the right of an individual to see any information held about them by an organisation. Someone can make a request by any method they choose, including verbally. This is creating some challenges as most organisations are struggling to put a process in place to recognise verbal requests. A friend of mine made a verbal request to a local [...]

29 04, 2018

I’m a GDPR expert

I received a call the other day from someone who wanted to talk GDPR with me. Nothing unusual in that, except this person started the call by telling me they were a GDPR expert. As far as I am concerned there are no GDPR experts. There are people with lots of knowledge and experience but until the case law starts to flow through, there are no experts. Anyway, back to my caller. Having introduced [...]

22 04, 2018

It’s an easy mistake to make………….

GDPR is on the horizon and lots of organisations are seeking reconsent by sending you an email to get you to reconfirm your email address. And that's fine providing they are doing it the right way. I was contacted recently by a charity seeking reconsent. They had made some fundamental mistakes, including a data breach! What did they do? Firstly when seeking reconsent they sent an email to all the subscribers via Outlook and [...]

4 02, 2018

How long should I keep records?

It's a common question - How long should we retain records? The answer depends on a whole range of things. The General Data Protection Regulation states that information should not be kept for longer than required. Sounds simple. But how long should you keep files? Accountancy records are 7 years but what about something like a display screen equipment assessment? There is a judgement to be made around the files a business holds where [...]

12 12, 2017

Is it obvious?

In most cases recently, no. What am I talking about? What websites are doing with my information. I have been working on contracts as part of some GDPR implementation work and one of the contracts I reviewed was with a call answering service. The contract was very unclear with regard to confidentiality and Data Protection so I went across to the website to see what it said there. It did have terms and conditions [...]

19 11, 2017

Think you won’t get caught if you don’t comply with GDPR, think again..

I'm going to let you into a little secret. I can go to your website and just by looking at it, I can tell whether you comply with GDPR. It's not magic or clever. Once you know what GDPR requires of a business, anyone with that knowledge can go to a website and see if a business complies. Looking at a privacy notice will tell you whether they are meeting the latest requirements about [...]

5 11, 2017

Tell us a bit about yourself.

This is often the first thing that is said (after the introductions) when I go to companies to talk about GDPR and frequently I don't know what to say. Let's start with data protection. It all started about 16 years ago when I was put in charge of data protection for a charity I was working for. I have to admit it was like the blind leading the blind. I didn't have a clue [...]

29 10, 2017

Myth Busting 1

I'm a small business so the Data Protection Act and General Data Protection Regulation don't apply to me. You would be surprised how frequently I hear this and I even heard it from a solicitor who told me that there was a small business exemption! The legislation around how to handle a person's information including how to collect, store, handle and destroy that information is [...]

8 10, 2017

What is GDPR?

This is a question which I frequently hear and often extending it to its full name of the General Data Protection Regulation doesn't prove any more enlightening to the person asking the question. GDPR is the regulation agreed by the European Community as the standard that should be in place across the EU when handling a person's information. It's the replacement for the European directive that became the Data Protection Act. Simply put, GDPR [...]

2 10, 2017

Pet Insurers in the Doghouse

We have just got a new puppy, turns out she is a rich source of potential data protection and GDPR breaches. :-) Let's start with trying to insure her. We already have another dog so I rang to get a quote for adding her to the policy. The lovely person gave me a quote and then asked if I would like it emailed to me. I said yes, this was my first mistake. I [...]

18 09, 2017

Would you like your receipt emailed to you?

I don't know about you but I think this is starting to be common practice in some retailers, the dreaded "Would you like your receipt emailed to you?". Now I know about data protection compliance and I know that this fills me with dread, especially if there is a queue, I could probably gather 5 or 6 email addresses before they even get to me. :-) And it's a really simple question isn't it. [...]

15 09, 2017

Put on Your Dancing Shoes…… Or how not to run a mailing list.

Roll back time to March 2016. I had been receiving emails about dance classes for the last few months. I don't remember signing up for them and anyone who knows me will testify to the fact that I have no sense of rhythm at all. I'm never going to be a dancer. Anyway, somehow I had been added to this mailing list for salsa dance classes. I started receiving emails about January and on [...]
