Published Articles & Thought Leadership

1. Managing a processor breach

December 10th, 2019

This is the first in a series of articles to help your business through the pragmatic aspects of real-world problems. These articles assume the reader has some familiarity with the legislation; what we will try to do is show how the requirements can be applied in practice. The first topic we will address is what to do if you, the data controller, or a data processor working for you, discover a potential or actual data breach.

There are 4 variants on the following scenario: one of your vendors that processes information for your political party campaign office informs you that they have been compromised, and the personal data of many thousands of data subjects may have been accessed by an as-yet unknown entity. Your duty in this event depends on several time-critical factors, outlined below. Each variant, in order of increasing severity, will be examined through 4 lenses: Processor Action, Controller Implication, Controller Reaction and "To make this scenario less severe, you need to…"

2. How do we comply with GDPR Article 30?

March 31st, 2020

What is Article 30 of GDPR, and why does it matter?

GDPR, or the General Data Protection Regulation, is the biggest re-write in over 20 years of the laws governing how Personal Data are gathered, stored, processed and disposed of. With the amount of Personal Data in the world increasing at an exponential rate, and the potential for abuse ever more serious, this is one set of laws that virtually all businesses need to understand and adhere to.

Article 30 is the part of GDPR concerned with how processing activities are recorded.

3. Covid-19 doesn’t stop your legal obligations

April 15th, 2020

With all the disruption the world is currently experiencing, it would be easy to assume that some legal obligations may be put on hold. This assumption could be an expensive mistake – and here’s one example why.

4. Solving Data Protection or Covid-19: Not mutually exclusive

May 12th, 2020

The battle against COVID-19 is often described as a balancing act between public health and privacy. In other words, we are supposed to be prepared to sacrifice some of our privacy for the sake of saving lives, perhaps including our own. But far from positioning this as a binary zero-sum choice, around the world there are concerted efforts to ensure that privacy and cybersecurity are part of the solution. By building data protection practices into the very measures that may threaten our privacy, we can help ensure that those measures are truly effective. For this reason, many governments and organisations are adopting the most advanced data protection practices and making compliance efforts not seen since the preparations for the arrival of GDPR.

5. GDPR – what’s working and what’s not?

June 26th, 2020

GDPR: What’s working, and what maybe isn’t?

A couple of days ago the European Commission published a report, compiled with contributions from consumer groups and industry experts around Europe (snappily called the ‘Multistakeholder Expert Group’), about their thoughts, and their members’ thoughts, on GDPR. The feedback was gathered between June 2019 and February 2020.

It runs to just under 20,000 closely written words, so in the 30 Celsius heat I’ve read and summarised it so you don’t have to. Inevitably, in reducing something by a factor of fifteen, I’ll be simplifying greatly, but I think the observations so far raise some interesting points.

6. Does the ICO have teeth?

October 19th, 2020

Ladies and gentlemen, I ask the question above because today we finally have news on the ICO’s penalty to British Airways, regarding their 2018 personal data breach.

We know the history – in July 2019 the Information Commissioner issued British Airways with a notice proposing to impose a fine of £183m. It really looked like the world of commerce would be finding unequivocally that if it could not keep customer personal data secure, the consequences would be severe.