This is more of a reminder than anything else. I've already blogged about the risks of a hard Brexit from a data protection compliance perspective, and we've featured it in our October newsletter at Securys. But now the ICO has also said similar things, and the government is moving to "full hard-Brexit preparation". So it's … Continue reading Hard Brexit preparation
A number of major breaches have hit the news recently - including the 500-million-data-record Marriott Hotels breach, and the Sotheby's Home Magecart hack. I'll probably go on about over-retention of ID data in another post, but right now I was wondering... Is it attractive for hacked organisations to exaggerate how long a "just-discovered" breach has … Continue reading A quick thought on moral hazard
We were worried this was going to happen. So much so that we flagged it in our October newsletter. This is section 25 of the European Commission's current draft contingency plan for a no-deal Brexit: Personal data25 In the case of a no deal scenario, as of the withdrawal date, the transfer of personal data … Continue reading Well, there you go. We’re inadequate.
UKDPA 2018 says: 171 Re-identification of de-identified personal data (1) It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. (2) For the purposes of this section and section 172— (a) personal data is “de-identified” … Continue reading Advertising cookies and the law
That's how much companies in the UK have been fined over the past 12 months for data breaches and contraventions of data protection law. Sounds like a lot - or maybe it doesn't, given how frequently data breaches are in the news. There's a reason for that. Of the £21.5m, 76% is one fine. Not … Continue reading £21,474,000.00
Finally, we begin to see some enforcement of the Regulation we all worked so hard to be ready for by May. The ICO has sent an enforcement notice to - of all people - a Canadian data firm linked to the Brexit vote micro-targeting scandal. The regulator contends that AggregateIQ obtained and processed data without … Continue reading Boom! It begins. ICO posts first GDPR enforcement notice.
Too many organisations are making a big mistake by appointing the wrong person to be their DPO. Learn why.
Here's why: https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales Short version - if you buy something in a US store with your Mastercard, they tell Google about it. Google then reconciles your purchase with your advertising exposure while logged in with a Google account, and sends a report to advertisers to show how on-line ads drive offline sales. This is, of course, … Continue reading Why do we need data protection laws?
For those of you who don’t know, Article 14 of the GDPR says that if you obtain data about someone, and you didn’t get it directly from them, you have to tell them that you have it, and what you’re doing with it. In the lead up to the May 25th GDPR launch date, this … Continue reading Article 14 – what was that all about, then?
Here's another thing people are getting wrong. Just because your data isn't stored inside the EEA - wait, you thought it had to be inside the EU? wrong! - doesn't mean you should panic and repatriate it. What you need to do is check whether wherever you've put it has an adequacy decision. A what? … Continue reading Where’s your data? (Second reprise)