Consent is NOT always required!

Consent is one way of getting the right to use personal data under the General Data Protection Regulation (GDPR).

However, the rules around consent only apply if you are relying on consent as your basis to process personal data.

The new law provides five other lawful bases for processing data, any of which may be more appropriate than consent.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information – each one of these examples uses a different lawful basis for processing personal information that isn’t consent.

You know your organisation best and should be able to identify your purposes for processing personal information. Before 25th May 2018, you’ll need to document your decisions to be able to demonstrate which lawful basis you’re using.

See previous posts for more information on the GDPR.

If you would like a short (4 page) briefing document setting out what companies need to be doing right now about the GDPR, please drop an email to karen.mason@novalex.co.uk. If you would like to attend a practical seminar in Milton Keynes on what the changes are and how to implement them, please sign up using this link:

https://www.eventbrite.co.uk/e/gdpr-a-new-era-in-data-protection-tickets-37869021262

Consent ticks the box for the General Data Protection Regulation

The GDPR is raising the bar to a higher standard for consent, clarifying that pre-ticked opt-in boxes are not valid indications of consent.

The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.

The requirement for clear and plain language when explaining consent is now strongly emphasised and you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

GDPR and the new Data Protection Bill – A fine reputation!

Referring to the GDPR (see previous post), the Information Commissioner says, “This law is not about fines” but goes on to point out that: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us.  It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.”

She then says: “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm… the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders.  While these will not hit organisations in the pocket – their reputations will suffer a significant blow…  And you can’t insure against that.”

You might think that’s just a different kind of scaremongering!

GDPR and the new Data Protection Bill

Described by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) attempts to bring data protection into the age of “big data”. It comes into force across the whole of Europe (including the UK) on 25th May 2018 which means that, if you process personal data, you don’t have long to get your data, systems and policies up to date and compliant.

In addition, the Data Protection Bill, which will replace the Data Protection Act 1998, had its first reading in the House of Lords on 13 September 2017. It is liable to change during the parliamentary process but is intended to provide “a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice”.

£60,000 fine for sending filing cabinet (and contents!) to second hand shop

In April 2014, social work case files were discovered in a cabinet purchased by a member of the public from a second hand shop. The cabinet had been used by the children’s social work team at Norfolk County Council and the case files included information relating to seven children.

The Information Commissioner’s Office found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur and in particular did not have an adequate written procedure governing how office furniture disposal should be managed.

The Council was issued with a monetary penalty under the Data Protection Act for a serious contravention of the seventh data protection principle, and was fined £60,000.