Data Protector

OCTOBER 2, 2020

I am he as you are he as you are me and we are all together See how they stun the world and my mum, see how they fine I'm crying Sitting in the courthouse, waiting for the man to come Covid mask and goggles, stupid bloody Tuesday Man, you been a naughty boy, you set your cookies wrong I am the bad man, I spammed some good men My fine is enormous, goo goo g'joob Mister lead prosecutor sitting Pretty little lawyers in a row See how they drone “he should have known,” see how they fine I'm crying, I

156

156

Data Protector

SEPTEMBER 13, 2020

Early train from Euston, just a croissant and two teas Didn't get to eat last night Who today will I see pleading on their knees Liz, I had a dreadful fright I've breached the GDPR You don't know how lucky you are, boys Breaching the GDPR Been away so long I barely know the place BC, it's good to be back home Don't make me pack my case Honey disconnect the phone I'm fed up with the GDPR’s ploys You don't know how lucky you are, boys Breaching the GD Breaching the GD Breaching the GDPR Well paid

GDPR 156

GDPR Compliance Privacy IT 156

Data Protector

SEPTEMBER 11, 2020

In data protection law, transfers of personal data must be safeguarded by written contracts between the parties. If the personal data is transferred from the EU to a country which the European Commission has not been recognised as having adequate data protection standards, special clauses, known as SCCs are usually inserted in these contracts. In July 2020, a decision by the European Court of Justice made it virtually impossible for companies to determine whether the SCCs must be supplemented by

Personal data 156

Personal data Government IT 156

Data Protector

AUGUST 21, 2020

I was recently asked this question and found it hard to answer. So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation.

Privacy 156

Privacy GDPR Risk Education 156

Data Protector

AUGUST 19, 2020

One of the consequences of the Scherms II decision is that EU organisations need to take greater care in determining how best to protect the flows of personal data outside the EU. This means more than just considering whether Standard Contractual Clauses (SCCs) need to be incorporated in the contracts that the data exporters negotiate with the data importers.

Personal data 156

Personal data GDPR Privacy Risk 156

Data Protector

AUGUST 17, 2020

Many privacy professionals will be shocked to learn that, in terms of safeguarding personal data flows from an EU to a non-EU country, in the absence of an adequacy decision, more is required than simply slipping the right set of SCCs into a vendor contract. The CEJU has clarified that one of the key tasks facing data exporters, when considering whether SCCs are appropriate, is to consider whether there is a conflict between the protections afforded by the SCCs and other local laws, particularly

GDPR 156

GDPR Personal data Privacy Access 156

Data Protector

AUGUST 17, 2020

A number of commentators will assume that, should the UK not receive an adequacy assessment by the European Commission with regard to its data protection standards, a key reason will be the impact of the UK’s Investigatory Powers Act (IPA) which prescribes how UK public authorities obtain personal data for national security and law enforcement purposes.

Communications 156

Communications Government Personal data Compliance 156

Data Protector

AUGUST 17, 2020

It is possible that the European Commission will fail to provide the UK with a data protection adequacy assessment by the end of the year. It is also possible that, in the near future, the EU will publish revised sets of Standard Contractual Clauses to replace the existing SCCs in a bold effort to ensure that flows of personal data outside the European Union remain suitably protected.

GDPR 120

GDPR Personal data Government Privacy 120

Data Protector

AUGUST 17, 2020

One of the Government's core objectives throughout the Brexit negotiations has been to respect data protection rights, slash Brussels' red tape and allow the United Kingdom to be a competitive safe haven for businesses all over the world. With that in mind, how could the Government reduce its ties to the EU's 'data protection level playing field' while continuing to maintain a robust and effective data protection regime?

Privacy 156

Privacy GDPR Personal data Computer and Electronics 156

Data Protector

AUGUST 17, 2020

Here we go again. The compulsory Sunday morning church services for all Anglicans at my boarding school served as an opportunity for The Reverend James Culross, (or Druid, as we boys affectionately called him), to churn out stuff from the Book of Common Prayer. It was stuff designed to cleanse our souls and provide us with helpful words of comfort, to prepare us for the horrors that would be inflicted upon each and every one of us during the school week ahead.

Privacy 156

Privacy Personal data Risk Compliance 156

Data Protector

JULY 1, 2018

I t’s not often that the UK is praised for the manner in which its intelligence agencies adopt appropriate data protection standards. So let's give due acknowledgement to Joe Cannataci, the UN’s Special Rapporteur on the right to privacy, who has recently used some very warm words to comment on these privacy practices. Of the Investigatory Powers Act, he proclaimed: "I am satisfied that the UK systematically employs multiple safeguards which go to great lengths to ensure that unauthorised survei

Privacy 120

Privacy IT Security 120

Data Protector

JULY 1, 2018

Time to start blogging again.

24

24

Data Protector

NOVEMBER 26, 2017

Many of even the most dedicated members of the UK’s data protection fraternity may not have heard of Elizabeth Stafford. And that’s a shame. Why? Because she, along with a small band of colleagues in the Department of Digital, Culture, Media & Sport are doing great things. How? Because, as Head if EU Data Flows, not only is she working on ensuring UK businesses can rely on unencumbered data flows between the UK and the EU post Brexit, she’s also one of the key DDCMS officials working hard be

Privacy 120

Privacy Communications IT 120

Data Protector

AUGUST 3, 2015

Students of surveillance and counter terrorism have another (81 page) report to add to their summer reading list. The Henry Jackson Society has recently published " SurveillanceAfter Snowden: Effective Espionage in an Age of Transparency. " The report, written by Robin Simcox, looks at the ways the actions of Edward Snowden have impacted the US and the UK, particularly with regards to safeguarding national security.

Encryption 120

Encryption Communications Military Government 120

Data Protector

AUGUST 7, 2015

Why are so many privacy professionals driven to despair? Don’t worry. It’s not that unusual for privacy professionals to be driven to despair by the demands of their job. It’s just a mindset that most of them go through when business “requirements” and legal “restrictions” continually clash. As Tom Fletcher, the UK’s former Ambassador to the Lebanon recently put it : “You think you’re reached rock bottom – then you hear a noise from below.

Privacy 120

Privacy Compliance IT 120

Data Protector

AUGUST 10, 2015

I don't know, either. The TPS’s website provides individuals with an easy way to register their objection to receiving unsolicited direct marketing calls, but no information on how effective it is at stamping out these practices. There’s no information on the volume of complaints it receives, and how these are trending over time. There’s no information on the work it does to investigate these complaints, before handing them to the Information Commissioner’s Office.

Marketing 120

Marketing IT 120

Data Protector

AUGUST 11, 2015

What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day? In the words of TV magician Paul Daniels: “Not a lot.” At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April

Data breaches 120

Data breaches Paper GDPR Access 120

Data Protector

AUGUST 12, 2015

I was asked this question at 6.15 am today. And, if I knew the answer, was I available for a BBC radio interview immediately after the 7.00 am news? No and Yes were my answers – so I subsequently had a chat with BBC Radio’s Adrian Goldberg. The question arose because the Birmingham Mail had asked West Midlands Police to disclose the names and images of ten suspects it had been hunting for at least a decade for crimes including rape and murder.

Privacy 136

Privacy Risk IT 136

Data Protector

AUGUST 17, 2015

The (discrete) search to appoint a successor to David Smith, soon-to-retire Deputy Information Commissioner and Director of Data Protection is over. Shortly, the successful candidate will be unveiled. Don't worry, it’s not me. And a (discrete) search will commence to find a suitable replacement for Chris Graham, soon-to-be outgoing Commissioner. How secret should this process be, and when is it appropriate to extend the selection process?

Compliance 136

Compliance Risk IT 136

Data Protector

AUGUST 18, 2015

As Deputy Commissioner David Smith completes his last lap of the data protection conference circuit, various speakers are extending their hastily-prepared remarks to include a short homily on his contribution to data protection over the decades. Yes, he really has been at the ICO for decades. It's a convention that public servants are never presented with anything other than small tokens of appreciation from grateful hosts.

IT 120

IT 120

Data Protector

FEBRUARY 11, 2016

The point about pre-legislative scrutiny is that a parliamentary bill gets a good prod before it begins its usual passage through Parliament. The main issues are identified, and stakeholders can marshal their views in an attempt to influence the decision-makers in good time for changes to be made that ought to result in a statute that is far fitter for purpose.

Communications 120

Communications Government Privacy Encryption 120

Data Protector

MARCH 30, 2016

Privacy activists in the olden days There weren’t many privacy activists in the olden days. This was because there was no Internet, and very few people had heard of the Data Protection Commissioner. As it was expensive to make a telephone call, and texts had not yet been invented, it was quite hard to spread rumours and exchange information with lots of people you didn’t know.

Privacy 120

Privacy Education Paper Encryption 120

Data Protector

MAY 5, 2016

How often do organisations get 750 days’ notice of new rules that may require them to make huge changes to comply? Well, it’s happened. The European Commission has just announced that the General Data Protection Regulation, a mighty piece of legislation that took over 4 years to negotiate, will come into force on 25 May 2918. What will it mean to most organisations?

Personal data 120

Personal data Data breaches Privacy GDPR 120

Data Protector

OCTOBER 29, 2016

Given what can only be described as an omnishambles of security breaches, is there much more that the ICO can do to warn data controllers of the risks they should take account of? Probably not. What might be helpful though, is data controllers refreshing their memories about the guidance which has emerged from the ICO over the past few years. In terms of the top 7 ICO publications, (virtual) copies of the following guides really ought to be at every DPO’s fingertips: 7.

Security 120

Security Personal data Encryption Cloud 120

Data Protector

OCTOBER 30, 2016

Let’s think the unthinkable. Lets assume that, post Brexit, the British Government has an opportunity to decide how its data protection legislation should reflect the requirements of an aspiring British economy. And let’s assume that the Minister with responsibility for Data Protection asks for options about trimming back those elements of the General Data Protection Regulation that are unduly burdensome and, in practice, actually do very little to safeguard fundamental human rights.

GDPR 136

GDPR Personal data Compliance Cloud 136

Data Protector

NOVEMBER 9, 2016

In light of the recent US elections, paving the way for a Trump presidency in 2017, why should companies take the risk of adopting the Privacy Shield as a means of legitimising EU/US transfers? Frankly, I wouldn't bother. Not until the latest set of legal challenges has been resolved, anyway. Why? Well, a recent lunch with a chum who is closer to the minds of the policy-making and legal elites within the EU reminded me of the deep cultural divide that exists inside the Brussels bubble.

Privacy 120

Privacy GDPR Personal data Risk 120

Data Protector

NOVEMBER 16, 2016

Two years ago I blogged about an unsettling experience I had with Apollo, a firm that had confused me as to what they were really all about. Since then, I’ve had a number of emails from people who have had similar experiences. Today, I’m reprinting (most of) the most recent one – which comments about an organisation called Apollo-Transitions. Surely, this is not the same company as the Apollo company I had encountered?

IT 120

IT 120

Data Protector

DECEMBER 31, 2016

I’ve recently had a quiet year on the blogging front – my professional duties have prevented me from playing a more active role on the Internet during this year than I would have liked, but that is set to change in 2017. My professional work this year included acting as a specialist adviser to the Joint Parliamentary Committee on the Draft Investigatory Powers Act, one of the most significant pieces of legislation to be laid before Parliament for many years, to advising large (and some not so la

GDPR 120

GDPR Communications Financial Services Education 120

Data Protector

JANUARY 8, 2017

I’m increasingly asked whether particular firms actually need to appoint a Data Protection Officer in order to comply with the requirements of the GDPR. Given that the potential fine for non-compliance (with Article 37) is €10 million Euros or up to 2% of the total worldwide annual turnover, companies quite understandably don't want to get such a basic issue wrong.

B2B 136

B2B Personal data GDPR Compliance 136

Data Protector

JANUARY 29, 2017

We have 480 days to go before the General Data Protection Regulation is “in force”. And then what? That's the question I’m being increasingly asked these days. Does it really mean that in 481 days, European privacy regulators will be heralding the first megafine for non-compliance with one of the GDPR’s more obscure requirements? I think not. But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector,

GDPR 136

GDPR Privacy Compliance Personal data 136

Data Protector

MARCH 8, 2017

Concern has been mounting that the attitude the Information Commissioner’s Office is currently taking towards charities will result in it becoming even harder to raise funds from supporters and potential supporters. New guidance about how charities should obtain consent to contact supporters, and how this consent should be used, has recently been published by both the ICO and the Fundraising Regulator.

Marketing 120

Marketing Communications Personal data Compliance 120

Data Protector

AUGUST 19, 2017

As May 2018 looms, I’m aware of a growing number of companies that are seeking help with their GDPR compliance obligations. For most of them, it's a huge wake-up call. Many (me included) have been sent a stream of emails from self-styled “GDPR experts” containing dire warnings of ginormous fines for non-compliance. Many (me included) have been offered the opportunity to spend money on worthless qualifications from institutions I had never heard of to obtain some certificate of GDPR proficiency,

GDPR 120

GDPR Compliance Records Management Financial Services 120

Data Protector

SEPTEMBER 10, 2017

A huge percentage of the organisations I’ve recently come into contact with have little chance of becoming “GDPR compliant” by May 2018. To be fair, a good proportion of these organisations have spent the past decade or so ignoring the professional advice that's available on how to better comply with the requirements of the existing data protection legislation.

GDPR 149

GDPR Compliance Risk Records Management 149

Data Protector

SEPTEMBER 16, 2017

Parliamentarians who are tasked with scrutinising the Data Protection Bill have an inenviable job. Can there be a less desirable appointment than siting on a Parliamentary Committee, scrutinising text that many seasoned data protection professionals have thrown their arms up in the air in despair over? Given that the Bill is intended to last a generation, (the current Act will have lasted 20 years by the time of its repeal) , surely we deserve something we can more readily understand.

Government 120

Government Communications Privacy IT 120

Data Protector

SEPTEMBER 22, 2017

Whenever I visit a clinic for a health check, I’m asked a slightly different set of questions. Each clinic is very professionally run, and, until recently I haven’t been unduly concerned that the same questions aren’t always asked. I’ve generally been healthy, so I guess there was never any real need for the medical profession to probe too deeply. So, why should I be worried about different questions being asked about data protection?

GDPR 120

GDPR IT Data breaches Risk 120

Data Protector

SEPTEMBER 28, 2017

Parliamentarians will soon be debating the merits of the Data Protection Bill, and I’m wondering whether much consideration will be given to the implications of the proposal to gift citizens with “free” Subject Access Requests. What parliamentarian might oppose such a measure? After all, what’s not to like about “free” stuff? But hang on a minute. This stuff is not “free”.

Access 120

Access Privacy Compliance IT 120

Data Protector

OCTOBER 11, 2017

What follows below is an edited version of the debate in the House of Lords of the Second Reading of the Data Protection Bill, held on 10 October. Colleagues that prefer not to read the entire (46,709 word) transcript of the 5 hour debate will get an impression of the key interventions in this (16,000 word) summary: The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con) My Lords, I am delighted to be moving the Second Reading toda

GDPR 120

GDPR Personal data Government IT 120