Tag Archives: Privacy

Consent ticks the box for the General Data Protection Regulation

The GDPR is raising the bar to a higher standard for consent, clarifying that pre-ticked opt-in boxes are not valid indications of consent.

The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.

The requirement for clear and plain language when explaining consent is now strongly emphasised and you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

If you would like a short (4 page) briefing document setting out what SMEs need to be doing right now about the GDPR, please drop an email to karen.mason@novalex.co.uk. If you would like to attend a practical seminar in Milton Keynes on what the changes are and how to implement them, please sign up using this link:

https://www.eventbrite.co.uk/e/gdpr-a-new-era-in-data-protection-tickets-37869021262

GDPR and the new Data Protection Bill – A fine reputation!

Referring to the GDPR (see previous post), the Information Commissioner says, “This law is not about fines” but goes on to point out that: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.”

She then says: “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm… the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow… And you can’t insure against that.”

You might think that’s just a different kind of scaremongering!


GDPR and the new Data Protection Bill

Described by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) attempts to bring data protection into the age of “big data”. It comes into force across the whole of Europe (including the UK) on 25th May 2018 which means that, if you process personal data, you don’t have long to get your data, systems and policies up to date and compliant.

In addition, the Data Protection Bill, which will replace the Data Protection Act 1998, had its first reading in the House of Lords on 13 September 2017. It is liable to change during the parliamentary process but is intended to provide “a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice”.


Health care firm fined £200,000 after patients’ confidential conversations were revealed online

An English private health company has been fined £200,000 after its Indian subcontractor failed to keep fertility patients’ personal information secure.

An investigation began in April 2015 when a patient found that transcripts including details of interviews with hospital patients could be freely accessed via an online search.

The investigation revealed that the hospital had been routinely sending unencrypted audio recordings of the interviews by email to the Indian subcontractor. Details of private conversations between a doctor and various hospital patients wishing to undertake fertility treatment were transcribed in India and then sent back to the hospital. It was found that the Indian company could not restrict access to the personal information because it stored the audio files and transcripts on an insecure server.

The English company was fined because it had breached the Data Protection Act 1998 by failing to ensure that its subcontractor acted responsibly and in compliance with the Act.

This case shows the importance of ensuring that appropriate subcontracts are in place and enforced. If you feel your subcontracts might need checking, I would be happy to help.

Please drop me an email or give me a call.

Karen Mason

First fine under new powers for unsolicited marketing texts

The Information Commissioner’s Office (ICO) has fined Help Direct UK Ltd £200,000 for sending thousands of unsolicited marketing texts. This is the first time that the ICO has used its new enforcement powers under section 55A of the Data Protection Act 1998.

The lead-generation company ran a marketing campaign in April 2015 which prompted 6,758 complaints in one month alone. People complained about a variety of messages offering services including the reclaim of PPI payments, bank refunds and loans.

The ICO considers unsolicited text marketing “a matter of significant public concern”, and it is now easier for it to issue fines for failing to comply with regulations 19 to 24 (relating to unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of sender (when concealed) for email, and the information regulations). Companies should therefore ensure that their direct marketing activities comply fully with the Privacy Regulations 2003.