GDPR: lawful bases for processing, with examples

IT Governance

For tasks carried out in the public interest or exercise of authority vested in the data controller. For example, when you process staff data for payroll purposes, contractual obligations will apply, as staff will have signed a contract of employment.

Digital transformation threats and opportunities in travel and transportation

DXC Technology

In travel and transportation most companies today don’t look at customer journeys as a collaborative exercise. A railway, for example, may only care that it has moved passengers safely from station A to station B.

Man Behind Fatal ‘Swatting’ Gets 20 Years

Krebs on Security

For example, perpetrators of swatting often call non-emergency numbers at state and local police departments to carry out their crimes precisely because they are not local to the region and cannot reach the target’s police department by calling 911.

Intelligent Information Management - Learning from CHOCOLATE?!


Everyone participated and was engaged throughout - livened up with a few good stories and examples of lessons learned that they shared. One of the exercises I developed was called "The Taxonomy of Salad".

Key Skills for Records Managers: How RIM Professionals Can Best Work With CPOs


For example, you may be able to assist CPOs in matters regarding the metadata that describes customer data. Using role reversal exercises , records managers and CPOs can briefly assume the other’s position to understand one another better. For example, where the CPO understands the current privacy climate and the needs and demands of the customer, the records manager knows how end-of-life deletion of customer data avoids exposure for affected customers.

Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison

Krebs on Security

But it would also be nice if more police forces around the country received additional training on exercising restraint in the use of deadly force, particularly in responding to hostage or bomb threat scenarios that have hallmarks of a swatting hoax.

What is data protection by design and default

IT Governance

In this blog, we explain how data protection by design and by default works, and provide examples of the steps you should take to achieve it. Examples of data protection by design. Examples of data protection by default.

Business Architecture and Process Modeling for Digital Transformation


Fidelity International is an example of a successful digital transformation adopter and innovator. With it, any transformation initiative becomes a simple, streamlined exercise to support distributed information capture and management, object-oriented modeling, simulation and collaboration.

What is ‘privacy by design’?

IT Governance

This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.

The Customer Journey Digital Transformation Workbook

Bill Schmarzo - Dell EMC

To support this training, we created a methodology that guided the students through a digital transformation exercise. For example, digital renders distribution intermediaries obsolete (with limitless choice and price transparency). For example, Customer Journey Mapping provides a step-by-step guide to putting the customer you serve at the center of your design process, and to come up with new answers to difficult customer problems and challenges [1].

Communicating About Cybersecurity in Plain English

Lenny Zeltser

I’m not suggesting that the resulting statement should replace the original text; instead, I suspect this exercise will train you to write more plainly and succinctly.

Why Personal Data Privacy Needs a Customer-centric Focus


More specifically: 84% of respondents claim to know of the right to opt out of direct marketing, and 23% say they have exercised this right. Awareness among consumers of their rights under GDPR – and their willingness to exercise those rights – will only increase over time.

UK ICO issues largest ever GDPR privacy fine of £183m ($228m)

Data Matters

Key aspects for companies to consider include: Conduct regular testing, for example, periodic attack and penetration testing, or other similar testing to assess cyber risk preparedness. Develop and carry out regular training to different groups to communicate expectations in respect of breach, prevention identification and reporting including senior managers with regular practical table top exercises which run through and practice dealing with hypothetical cyber incidents.


Is your organisation equipped for long-term GDPR compliance?

IT Governance

It could be a simple tick-box exercise, with the unchecked steps forming the gaps that need to be addressed. Providing this information helps individuals understand their rights and how they can be exercised. Last week, the GDPR (General Data Protection Regulation) turned one year old.


The Need for Strong Federal Data Privacy Legislation


Managing up to 50 different “flavors” of privacy legislation would be a daunting or even futile exercise for companies that do business nationwide, with a disproportionate impact on new or smaller businesses.


#ModernDataMasters: Mike Evans, Chief Technology Officer


If you are not tying what you are doing, in any kind of data initiative, to a business vision and some tangible outcomes that a business is trying to achieve, then MDM can become just a complex academic exercise.” Kate Tickner, Reltio.


UK: Greater Scrutiny for Public Sector Contractors: The ICO’s Proposals for Reform to the Freedom of Information Regime

DLA Piper Privacy Matters

Under section 5 of the Freedom of Information Act 2000 (FOIA), the Government has the power to designate private sector suppliers as a public authority for the purposes of FOIA legislation (and therefore be subject to FOIA requests and issue publication schemes) if they are exercising functions of a public nature. The ICO notes in the report that the EIR do not permit the designation of organisations exercising functions of a public nature in the same way as section 5 FOIA.


Artificial Intelligence: 6 Step Solution Decomposition Process

Bill Schmarzo - Dell EMC

For example, PNC Financial Services Group’s annual report mentions the business initiative to “grow profitability through the acquisition and retention of customers and deepening relationships.” We will use this “increase customer retention/reduce customer attrition” business initiative for the rest of this exercise. For example, instead of asking: “What was customer attrition last month?” The results of this exercise might look like Figure 7. It’s simple.

CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

Hunton Privacy

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address)—for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas.

California Consumer Privacy Act: The Challenge Ahead — Data Mapping and the CCPA

HL Chronicle of Data Protection

As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise. For example, beyond the immediate benefit of assessing risks and identifying legal obligations, a data mapping exercise can promote organizational hygiene, identify problematic practices and security risks, and uncover operational inefficiencies.

Where does data flow mapping fit into your GDPR compliance project?

IT Governance

You should begin your data mapping exercise by identifying the following key elements: Data items (e.g. This blog has covered the basics of data flow mapping, but you can get more comprehensive advice by reading Conducting a Data Flow Mapping Exercise Under the GDPR.


5 Signs You Just Got a Phishing Email


For example, attackers will craft emails to look like bank alerts hoping the targets will be tricked into giving up credentials on a fake login page. For example, “[link] will direct clickers to “” and is not affiliated with the legitimate PayPal site in any way.

How to start your career in cyber security

IT Governance

Account executives and junior penetration testers, for example, tend to have little work experience, and can learn while on the job. A version of this blog was originally published on 8 December 2017.


Why your DPO needs specialised training

IT Governance

It’s only through practical exercises that DPOs can learn to bridge that gap. Using practical examples and exercises, you’ll learn how to fulfil the DPO’s tasks and develop the soft skills that the role requires.

Beyond Compliance – Personal Data Protection as a Key Differentiator


For companies, getting data privacy right is no longer just a compliance exercise – a box to be ticked. For example, GDPR is actually part of the EU’s Single Digital Market initiative, which seeks to empower both its citizens and its economy.

SCHREMS 2.0 – the demise of Standard Contractual Clauses and Privacy Shield?

DLA Piper Privacy Matters

In exceptional circumstances and for the sake of legal certainty, the CJEU may decide to limit the effects of any judgement to the future, although this discretion is rarely exercised by the court and notably wasn’t used in Schrems 1.0. For example, following the demise of Safe Harbor, several fines were imposed by the German data protection supervisory authorities for breach of international transfer restrictions, and a number of injunctions were threatened.


Retired Malware Samples: Everything Old is New Again

Lenny Zeltser

When training professionals how to reverse-engineer malware , I’ve gone through lots of malicious programs for the purpose of educational examples. For example, I recently came across a DarkComet RAT builder that was surreptitiously bundled with a DarkComet backdoor of its own.

MY TAKE: Michigan’s Cyber Range hubs provide career paths to high-schoolers, underutilized adults

The Last Watchdog

State-of-the-art telepresence gear, supplied by Merit Network , funnels everything from capture-the-flag exercises to full course work and certification testing to earn 42 different professional designations. Take, for example, 17-year-old Pinckney senior Aidan Ozias.

The Tension between GDPR and Blockchain: Are they Polar Opposites or Can they Co-exist


GDPR, on the other hand, is designed primarily to enable data subjects to exercise a greater degree of control over the processing of their personal information. This is yet another example of regulation addressing a problem in the rear-view mirror rather than looking at the road ahead…

The debate on the Data Protection Bill in the House of Lords

Data Protector

For example, although there are clear benefits to medical research from giving researchers access to anonymised medical data, it remains a matter of concern to the public, the media and the profession itself. Withdrawal from the EU means that we stand to lose the institutional platform from which we have exercised that influence. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.


How to write a GDPR-compliant data subject access request procedure

IT Governance

Recital 63 of the GDPR states, “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

What Should Be The Core Competencies For Cybersecurity For C-Suite

Cyber Info Veritas

This example, therefore, serves to show you the importance of taking cybersecurity seriously since a cyber attack can terribly damage an organization’s reputation and even lower the quality of the service or product it offers.

California Consumer Privacy Act: The Challenge Ahead — Data Mapping and the CCPA

HL Chronicle of Data Protection

As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise. This is the third installment in Hogan Lovells’ series on the California Consumer Privacy Act.

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s Anti-Discrimination Clause

HL Chronicle of Data Protection

One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service. If a consumer opts out of a financial incentive program, they have exercised a right under the CCPA.

Department of Commerce Updates Privacy Shield FAQs

Hunton Privacy

When responding to individuals seeking to exercise their rights under the Privacy Shield Principles, the FAQs state that a processor should respond pursuant to the instructions of the EU data controller. For example, the FAQs state that organizations may use contracts that fully reflect the requirements of the relevant standard contractual clauses adopted by the European Commission to fulfill the Accountability for Onward Transfer Principle’s contractual requirements.

Considerations when buying managed security services


Efficiency and innovation – Do they, for example, use machine learning for scale and additional levels of security? Managed security is evolving from a compliance “tick–box” exercise into a fully formed and crucial part of enterprise architecture and national defense activities.

How to improve your cyber resilience

IT Governance

It’s not helpful to list ‘hacking’ as a risk, for example, because that could include anything from phishing scams to exploited databases. For example, staff awareness training is a requirement of almost all security frameworks because it helps reduce the likelihood of a variety of risks.

The Copyright Card Game


Practice using the exceptions and licences in specific HE examples. Introduction - slides 3-11 show a suggested ice-breaker exercise and pub exercise. Copyright the Card Game – Instructions. Introduction.

European Data Protection Board Issues Privacy Shield Report

Hunton Privacy

Issuance of guidance for EU individuals on exercising their rights under the Privacy Shield, and for U.S. authorities more closely monitor the implementation of this principle by certified entities, suggesting, for example, that the Department of Commerce exercise “its right to ask organizations to produce the contracts they have put in place with third countries’ partners” to assess whether the contracts provide the required safeguards and whether further guidance or action by the U.S.

Free resources to help you prevent and respond to data breaches

IT Governance

Conducting a Data Flow Mapping Exercise Under the GDPR : Data mapping is an essential part of information security, helping organisations discover where information is held and which areas are vulnerable.