Too many organisations are making a big mistake by appointing the wrong person to be their DPO. Learn why.
For those of you who don’t know, Article 14 of the GDPR says that if you obtain data about someone, and you didn’t get it directly from them, you have to tell them that you have it, and what you’re doing with it. In the lead up to the May 25th GDPR launch date, this … Continue reading Article 14 – what was that all about, then?
Here's another thing people are getting wrong. Just because your data isn't stored inside the EEA - wait, you thought it had to be inside the EU? wrong! - doesn't mean you should panic and repatriate it. What you need to do is check whether wherever you've put it has an adequacy decision. A what? … Continue reading Where’s your data? (Second reprise)
[Link updated as the ICO has moved its blog] On the 25th of April, I wrote GDPR: you're all getting it wrong. On the 9th of May, Steve Wood (the Deputy Commissioner) wrote this: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/05/blog-raising-the-bar-consent-under-gdpr/ See? I may be a voice in the wilderness, but I'm not (always) wrong.
If I get one more email telling me that “GDPR means we have to ask you to opt-in” I think I’m going to go postal. Let’s do this slowly, and this time with feeling. Marketing (and fundraising) emails are covered by the Privacy and Electronic Communications Regulation 2003. That’s right, a 15-year-old piece of legislation. … Continue reading GDPR: you’re all getting it wrong
I wasn't going to blog about Carphone Warehouse being fined £400k by the ICO for a breach, because boring-boring-you've-done-this-before, but then I couldn't help myself. Carphone's offence? A data breach. Resulting from poor maintenance of cyber security on an internet-facing webserver. You remember TalkTalk? They were fined £400,000 just over a year ago. For a … Continue reading What does it take?
If 60’s and 70’s programmers had anticipated that their code would still be in use thirty-odd years later, we wouldn’t have needed a massive effort to fix the installed codebase before the century rolled over. But they didn’t, and we did. A lot of money was spent. The world didn’t end on the 1st of … Continue reading Y2K wasn’t a rip-off; neither is GDPR
Plutarch said it, so it must be true. “What is this?”, I hear you cry. “Have I stumbled upon some new age contemplative dribble when I was looking for sound advice on cyber-security?”. Well, no. Firstly, Plutarch is hardly new-age and secondly that’s all the philosophy you’re getting. This post is actually about Morrisons. There: … Continue reading What we achieve inwardly will change outer reality
Uber decided to double-down in its race to the moral bottom. Not content with spying on customers, misleading regulators, employing sex-pests and generally having a toxic corporate culture, the taxi-subsidy service tried to conceal a hack that breached the personal details of more than 57m people, including drivers as well as riders. Much is being … Continue reading Big fines aren’t the big deal
The Equifax mega-breach has now led to two UK regulators investigating the same cock-up. The ICO obviously jumped in straight away, as you'd expect, but now the FCA has turned up to the party, bottle of cheap Bulgarian red from the corner shop in sweaty hand, hoping there's still some cake left. This will be fun. … Continue reading You’re in trouble no-o-o-w…