Data is a risky business and you might need to assess the situation
As we’ve said many times before… Data – if you don’t need it, don’t keep it. It can be a risky business! We have seen a sudden surge in the number of calls we are receiving and the number of people applying for the GDPR training courses that we run. I have to confess, there have been moments when I was concerned that all the GDPR advertising would start to have the same annoying effect as the persistent PPI adverts. It appears that people are starting to pay attention to the GDPR noise now. I hear about it on the radio and it’s coming up a lot on people’s social media feeds.
Who are the data controllers and data processors within an organisation?
There’s a wind of change in the big wide world of data regulation and the GDPR. More organisations are becoming aware of the GDPR and business owners have started to ask a lot of important questions. Phew! At last, the message is getting through. However, there is still some confusion about data accountability. Most recently, I have been asked to explain the job roles of a data controller and data processor.
Most people won’t spot even 50% or more of the data exposure risks in this scene. Can you?
We see scenes like this every day and perhaps take things for granted, or we presume or ignore. We miss the obvious. Recently I was discussing potential ‘data breach hazards’ in the office with a customer, explaining how something as basic as an office rubbish bin has a big part to play in data protection. Normally when I mention this there is a pause in the conversation, followed either by a realisation of what I am talking about or by silence and a look of confusion.
Is the Privacy Shield compliant with the GDPR?
The big question is… If a company is self-certified under the Privacy Shield, does that mean the company is automatically in compliance with the GDPR? The GDPR, like the EU Directive, permits data transfer to countries with ‘adequate protection’. In the case of ‘self-certification’, what is to stop someone demonstrating in a court of law that the company did not, in fact, meet the certification requirements?