This is often the first thing that is said (after the introductions)
when I go to companies to talk about GDPR and frequently I don’t know
what to say.
Let’s start with data protection. It all started about 16 years ago
when I was put in charge of data protection for a charity I was working
for. I have to admit it was like the blind leading the blind. I didn’t
have a clue and data protection seemed to be contradictory and
confusing. Luckily I got some training and then a few years later I took
the BCS exams for Data Protection Officers. This was enlightening, it
all started to click into place. I kept up to date with the new things
and because I only worked for the charity part time, word spread that I
would help other organisations with their data protection practices.
Work came in by referral. Then GDPR appeared and there was a whole lot
more to learn and decipher and more organisations needing support and
advice.
In addition to my data protection qualification, I have been an
internal auditor for nearly 30 years, so I know how to look for
information, ask people how they work and create effective process
improvements. I’m also a qualified Institute of Leadership and
Management Level 5 Coach and Mentor, a member of the Association of
Accounting Technicians and earlier this year completed the Institute of
Risk Management Exams.
So how do I work? First up, I don’t claim to be an expert on GDPR, at
this time nobody is, there are too many unknowns about how the
legislation is going to be interpreted but I do have 15 years experience
actually working with businesses to support their data protection
practices. I don’t believe in making things onerous, if there is a
straightforward way of doing things I will choose that, why
overcomplicate it. I don’t use the jargon or recite the articles or
recitals, you’ll get the plain English version from me. I also believe
that data protection compliance shouldn’t be an add on but should be
part of the way you do business, it should be embedded into your
business practices. I believe that every member of staff should have
basic understanding of the Data Protection Act and GDPR, it shouldn’t be
one persons responsibility. Its too difficult to make one person
responsible for a whole organisations data protection practices and it
means frequently that people negate responsibility because it is
“someone else’s job”.
My aim is to create the right solution of each business I work with,
it’s not about you fitting to the legislation but how the legislation
fits your organisation, your business strategy, your aspirations.
With GDPR as the new “Y2k” for consultants and every Tom, Dick and
Harriet jumping on the bandwagon, there is lots of choice for
businesses. Many people have read the legislation and know the law, but I
know that and how to implement it into a variety of businesses.
Companies work with me because I have a pragmatic approach, can
implement cost effective solutions, manage the changes required and I
have experience in a variety of industries.
If that sounds like someone you want to work with, then I would be very happy to talk GDPR with you.
Thursday 9 November 2017
Sunday 12 June 2016
Does your unsubscribe work?
I have been receiving spam email, lets face it who doesn't?
So I tried to unsubscribe and the link didn't work it took me to the contact us page of the financial services company. On this page there was a complaint phone number which I called. This took me to a menu where the selections all related to credit card applications, so as well as not keen on your unsubscribing, they weren't keen on you complaining either. When I eventually got through to a human I asked to speak to their Data Protection Officer and was told they didn't have one! I asked about unsubscribing and they said they would take my details and pass them on (they weren't sure who to). Really!
So I tried to unsubscribe and the link didn't work it took me to the contact us page of the financial services company. On this page there was a complaint phone number which I called. This took me to a menu where the selections all related to credit card applications, so as well as not keen on your unsubscribing, they weren't keen on you complaining either. When I eventually got through to a human I asked to speak to their Data Protection Officer and was told they didn't have one! I asked about unsubscribing and they said they would take my details and pass them on (they weren't sure who to). Really!
Anyway while I was holding on for a person to answer the phone, I went
online and reported them to the ICO for spamming me, so my time wasn't
wasted ;-)
Always check that your unsubscribe function works. You don't want someone to report you to the ICO while they wait.
Make sure your staff are adequately trained and you have a named person who knows how to deal properly with the data protection queries.
Always check that your unsubscribe function works. You don't want someone to report you to the ICO while they wait.
Make sure your staff are adequately trained and you have a named person who knows how to deal properly with the data protection queries.
Sunday 15 May 2016
Back to Basics - Collection Notices
One of the keys to collecting information in line with the Data Protection Act is to ensure that you are telling the person providing the information a few key things. Collection notices aren't properly understood and are sometimes overly complicated.
So here are the basics, a collection notice must tell the person providing their information:
Remember that regardless of whether you are registered with the ICO you have to comply with the Data Protection Act so any forms that you use for the collection of information MUST have a data collection notice on it. Without a valid collection notice you are breaking the law!
So here are the basics, a collection notice must tell the person providing their information:
(a) who the organisation collecting the information is
(b) what the information provided will be used for
(c) how the information will be stored and for how long
(d) whether the information will be shared with another organisation or organisations
The wording does not have to be formal, you can just write in plain english the information required.
Collection notices should be provided on both paper and electronic forms. Frequently individuals do not remmebr signing up for something or when they gave information so to ensure that you stay off the ICO's naughty step you should record when the information was collected and this should be retained for the life of your relationship with the individual. Additionally, if it is a paper form you either need to hold the hard copy or have a scanned copy for your records. This will all help with proving that you are protecting the individuals privacy should you need to.
The wording does not have to be formal, you can just write in plain english the information required.
Collection notices should be provided on both paper and electronic forms. Frequently individuals do not remmebr signing up for something or when they gave information so to ensure that you stay off the ICO's naughty step you should record when the information was collected and this should be retained for the life of your relationship with the individual. Additionally, if it is a paper form you either need to hold the hard copy or have a scanned copy for your records. This will all help with proving that you are protecting the individuals privacy should you need to.
Remember that regardless of whether you are registered with the ICO you have to comply with the Data Protection Act so any forms that you use for the collection of information MUST have a data collection notice on it. Without a valid collection notice you are breaking the law!
Sunday 8 May 2016
Back to Basics - What is personal information?
There was a discussion on one of the forums that I belong to about what is considered personal information.
Personal information is any information which relates to a living individual who can be identified -
(a) from that information, or (b) from that information and other information which is in, or is likely to come into the possession of your organisation.
So if you code an account with the reference 123 and in another file link reference 123 with John Smith, then both pieces of information are considered personal information as they can then relate to a living individual.
For example a hairdresser who retains details of their clients, even something simple like a phone and contact number and dates of appointments, are retaining personal information under the Data Protection Act.
Personal information is any information which relates to a living individual who can be identified -
(a) from that information, or (b) from that information and other information which is in, or is likely to come into the possession of your organisation.
So if you code an account with the reference 123 and in another file link reference 123 with John Smith, then both pieces of information are considered personal information as they can then relate to a living individual.
For example a hairdresser who retains details of their clients, even something simple like a phone and contact number and dates of appointments, are retaining personal information under the Data Protection Act.
Monday 2 May 2016
How many complaints before you need to take action?
I am often asked how many complaints the Information Commissioners Office (ICO) need about a company before they start to take action. There is no definitive answer. I have known companies have as few as 12 complaints raised with the ICO before they start to make enquiries into a businesses practices. It is easy for someone to complete the online form and raise a "concern" with the ICO. When the ICO starts to investigate your practices, it can take up to six months to resolve the queries raised and receive a conclusion from the ICO as to what action they intend to take against your business.
If you are working on the basis that you won't improve your information security practices until the ICO starts to take an interest, you might not have to wait long. Data Protection is becoming more high profile and, as can be seen from the bad publicity, something that is featured in the news on a regular basis. The outcome of any investigation will depend on the type of complaint, number of complaints and the personal information involved. We regularly provide support to businesses as they go through the investigation process.
What would you do?
If you are working on the basis that you won't improve your information security practices until the ICO starts to take an interest, you might not have to wait long. Data Protection is becoming more high profile and, as can be seen from the bad publicity, something that is featured in the news on a regular basis. The outcome of any investigation will depend on the type of complaint, number of complaints and the personal information involved. We regularly provide support to businesses as they go through the investigation process.
What would you do?
Sunday 17 April 2016
Incident Trends for Data Protection Breaches
The Information Commissioners Office has published the list of ways in which personal data has been inadvertently disclosed over the last quarter. This is based on the information received by the ICO. There are undoubtedly a significant number of breaches which are never disclosed to the ICO but those that are show a definite trend.
The graph below is reproduced from the ICO website. Here's the link to the full page https://ico.org.uk/action-weve-taken/data-security-incident-trends/
Top of the incidents reported is sending an email to the wrong person. Surprisingly this is followed by information being posted or faxed to the wrong person. In contrast, providing personal information verbally to the wrong person is quite low. Is this because we are more sceptical about providing information over the phone or in person to someone? The training provided by companies often focusses on this area and that may also be why this figure is so low.
The above list should be an indication to all organisations of the key areas where there is scope for losing personal information, so what steps do you have in place to make sure that information is not leaked or disclosed from your organisation in the same ways?
Sunday 3 April 2016
Who is letting your organisation down?
There have been a number of high profile data breaches by members of staff in organisations.
From the disgruntled Morrison's employee who leaked the salaries of staff onto the internet and was subsequently jailed for 8 years to the Tesco employee who was emailing details of customers to his personal email account and the Enterprise car rental employee who was selling customer information to a claims company, the main weaknesses in most organisations are the staff.
So what do you do about it? The cases shown above have been high profile and widely reported but organisations are probably suffering breaches on a regular basis and may not even be aware of them. We get used to what we see and do and so often we forgot to stand back and view the situation with fresh eyes.
When I start to work with organisations, I am that fresh pair of eyes. I often also represent your clients. Are you collecting information to help you communicate effectively with them? We can easily identify the areas in your business where there is potential for losing your business information.
If you want to find out more, we offer a free initial consultation so you can see how we would work with you. Contact us today to book a meeting.
From the disgruntled Morrison's employee who leaked the salaries of staff onto the internet and was subsequently jailed for 8 years to the Tesco employee who was emailing details of customers to his personal email account and the Enterprise car rental employee who was selling customer information to a claims company, the main weaknesses in most organisations are the staff.
So what do you do about it? The cases shown above have been high profile and widely reported but organisations are probably suffering breaches on a regular basis and may not even be aware of them. We get used to what we see and do and so often we forgot to stand back and view the situation with fresh eyes.
When I start to work with organisations, I am that fresh pair of eyes. I often also represent your clients. Are you collecting information to help you communicate effectively with them? We can easily identify the areas in your business where there is potential for losing your business information.
If you want to find out more, we offer a free initial consultation so you can see how we would work with you. Contact us today to book a meeting.
Subscribe to:
Posts (Atom)