Experience
Phil founded DPP in 2016 to meet the anticipated demand created by the GDPR.
From the get-go, Phil designed and created the consulting processes and resources, setting the standards and expectations for the business. He trained the consulting, sales and business support teams in data protection law and practice, and was DPO and privacy project manager for his own portfolio of customers.
Supported by the DPP team, Phil has overseen the growth of DPP from its inception to a 50+ strong consulting business with an enviable reputation.
In 2017 Phil became a Qualified Security Assessor for the Payment Card Industry Data Security Standard (PCI DSS) and a lead auditor and lead implementor for ISO 27001, enhancing his understanding of information security in the context of the GDPR.
Since 2024 Phil has been less hands-on in the business, focussing instead on supporting the management team to continue the growth and uphold DPP’s values and the quality of its work.
Prior to DPP
In 2005, Phil left employment to set himself up as a data protection consultant and Salesforce.com developer. Prior to that he was the Commercial Director at both Everton and Leeds United Football Clubs and racked up some 10 years of senior-level management in the professional sports industry. Originally, his background is in hotel and catering, and Phil spent the first 7 or so years of his career in that industry. He also spent 2 years running the CAD and sales planning office of a furniture manufacturing business.
Phil holds a number of qualifications including:
- PCI DSS – Qualified Security Assessor 2018
- ISO27001 – Lead Auditor 2018
- ISO27001 – Lead Implementor 2018
- LLM – Data Protection Law & Practice 2015
- ISO9001 – Lead Auditor 1996
- MBA – 1993
- BSc – Institutional Management 1988
He also holds 4 A-levels (1984) and 8 O-levels (1982).
Phil is a qualified Day Skipper (sailing) 2019 and a grade 8 trombonist. Little-known facts about Phil are that the swing band Phil played in featured on BBC1’s Jim’ll Fix-It in 1981, and in 1980, he played in the Royal Albert Hall at the National Music Festival for Youth.
Data protection and privacy law is the fastest moving and most dynamic area of law. It’s a global phenomenon and I absolutely love being a part of that.
Phil Brining
Founder and Managing Director
Phil's Posts
Untangling Misconceptions Around Recording Meetings
In this week’s episode of the Data Protection Made Easy Podcast, we delve into the complex world of recording meetings and dispel some common misconceptions. Joined by data protection experts Jasmine Harrison, Joe Kirk, and Phil Brining, we unravel the intricacies of ensuring data protection and compliance during recorded meetings.
Key Data Protection Considerations
- Purpose and Necessity: Before recording a meeting, it is essential to establish a clear and legitimate purpose for the recording. Ensure that the recording is necessary for a specific business objective and that there are no less intrusive alternatives.
- Consent: Obtain explicit consent from all participants before recording a meeting. The consent should be informed, meaning participants should be aware of the purpose of the recording, the duration, who will have access to the recording, and how it will be stored.
- Data Minimisation: Only record the necessary parts of the meeting. Avoid recording irrelevant or excessive information.
- Data Security: Implement robust security measures to protect recorded data from unauthorised access, alteration, or disclosure. This includes encryption, access controls, and regular backups.
- Data Retention: Establish a clear data retention policy for recorded meetings. Determine how long recordings will be kept and when they will be deleted or archived.
- Transparency: Inform participants about the recording and provide them with information about their rights, such as the right to access, rectify, or erase their personal data.
- Data Protection Impact Assessment (DPIA): For high-risk data processing activities, such as recording meetings involving sensitive personal data, conduct a DPIA to assess the risks and identify appropriate safeguards.
Common Misconceptions
- Implied Consent: Simply informing participants that a meeting is being recorded does not constitute implied consent. Explicit consent is required.
- Internal Use Only: Recordings made for internal use only are still subject to data protection laws.
- Anonymisation: Anonymising recorded data does not necessarily eliminate privacy risks.
- Cloud Storage: Storing recordings in the cloud may pose additional security risks.
Best Practices for Recording Meetings
- Use Secure Recording Equipment: Ensure that the equipment used for recording is secure and compliant with data protection standards.
- Implement Access Controls: Restrict access to recorded data to authorised personnel only.
- Regularly Review and Delete: Regularly review recorded meetings and delete those that are no longer necessary.
- Provide Clear Information: Inform participants about the recording at the beginning of the meeting and provide them with clear information about their rights.
Recording meetings can be a valuable tool for businesses, but it is essential to do so in compliance with data protection laws. By following the guidelines outlined in this article, organisations can ensure that their recording practices are lawful and protect the privacy of individuals. If you have any unanswered questions, feel free to reach out to a member of our team: Contact Us.
Tune in to all 185 episodes of the Data Protection Made Easy podcast on all major audio streaming platforms, including Spotify.
Listen on Spotify here: https://open.spotify.com/episode/3V0SW8HNxXHT39r8vIWooF?si=jPZQK9SBQv-l26tLwZ35bQ
The Role of a DPO: A Deep Dive
In this episode, we delve into the crucial role of the Data Protection Officer (DPO) in the UK. We discuss the specific responsibilities outlined in the UK GDPR, the potential conflicts of interest that can arise, and how organisations can ensure that their DPOs are operating independently and effectively.
The Essential Tasks of a DPO
The UK GDPR mandates that certain organisations appoint a DPO to oversee data protection compliance. Key responsibilities of a DPO include:
- Informing and advising the organisation on data protection obligations
- Monitoring compliance with data protection laws and internal policies
- Providing advice on Data Protection Impact Assessments (DPIAs)
- Acting as the primary contact point for the Information Commissioner’s Office (ICO)
- Handling data subject requests
- Assisting in data breach response and reporting
- Providing data protection training for staff
Avoiding Conflicts of Interest
A DPO must operate independently to effectively fulfil their role. Conflicts of interest can arise when the DPO’s other responsibilities within the organisation could influence their judgment or decision-making regarding data protection. Common roles that may present conflicts include:
- Finance: A focus on cost minimisation might lead to compromises in data protection measures.
- Human Resources: Managing sensitive employee data can create challenges in maintaining objectivity.
- Information Technology: Overlap in responsibilities can impact the DPO’s ability to ensure data protection compliance.
- Sales and Marketing: Prioritising revenue generation might lead to shortcuts in data handling practices.
- Directors/Chief Officers: Strategic focus on business operations can overshadow data protection priorities.
How to Ensure a DPO’s Independence
To prevent conflicts of interest, organisations should:
- Clearly define the DPO’s role, responsibilities, and reporting lines.
- Establish robust governance structures, such as a data protection committee.
- Regularly assess potential conflicts and implement mitigation strategies.
- Consider outsourcing the DPO role to a third party.
Conclusion
The role of the DPO is essential in ensuring compliance with data protection laws and protecting individuals’ privacy rights. By understanding the DPO’s responsibilities and avoiding potential conflicts of interest, organisations can effectively safeguard their data and mitigate risks.
Additional Resources
- Information Commissioner’s Office (ICO) Guidance on DPOs
- Data Protection People’s Outsourced DPO Service
GDPR Radio – Episode 182
Unlocking Data Protection: Quality, Governance, and Legal Complexities with Industry Experts
Welcome to this week’s episode of the Data Protection Made Easy podcast, where hosts Jasmine Harrison, Joe Kirk, and Phil Brining delve deep into the world of data protection, unravelling the complexities of quality, governance, and legalities. Our hosts, experts from Data Protection People, work with a huge range of clients every day, and together they share expert insights and advice on data protection. If you’re serious about mastering data integrity and compliance, this episode is a treasure trove of expert insights and practical advice.
Mastering Data Integrity and Compliance
The episode kicks off with a comprehensive discussion on data quality, software solutions, and consulting. Jasmine, Joe, and Phil spotlight their exciting new partnership with a cutting-edge data management firm that offers innovative solutions to enhance data quality beyond just personal data. They explore how these advancements can help organisations navigate the tough terrain of processor contracts and ensure compliance with multiple controller relationships.
Navigating Data Contracts and Legalities
One of the highlights of this episode is the in-depth analysis of processor contracts. Joe raises a critical question: Can a single overarching agreement suffice for multiple controllers, or are individual contracts necessary? The discussion covers the legal requirements of Article 28.4, the practical challenges of managing these agreements, and real-world scenarios that emphasise the importance of maintaining compliance while dealing with complex contract frameworks.
Revolutionising Data Quality with AI
Jasmine shares an intriguing case study on Everton Football Club’s transition from Siebel to Salesforce, showcasing how this shift revolutionised their data management operations. The conversation extends to the significance of data quality measures, especially as AI becomes integral to organisational strategies. The hosts debate the universal applicability of data classification schemes and the various contexts that necessitate different levels of data accuracy.
Challenges in Data Management and Protection
Phil sheds light on the often-overlooked inconsistencies in GDPR and ISO guidelines, highlighting differences in interpretations between German and UK contexts. This leads to a broader discussion on the importance of governance, the practical benefits of information asset registers, and how these elements contribute to compliance with standards like ISO 27001 and GDPR.
The Future of Data Protection and Compliance
The episode also features a detailed exploration of sub-processor agreements within the context of UK GDPR. Joe and Phil dissect the legalities surrounding these agreements, emphasising the importance of imposing the same data protection obligations on sub-processors as on processors. They share various perspectives on managing these agreements, considering factors such as the nature of services, contract variations, and specific requirements like breach notification timelines.
Responsibilities and Liabilities in Data Protection
The conversation takes a critical turn as the hosts examine the complexities of liability between data controllers and processors, particularly in light of a significant data breach involving the Advanced Computer Software Group. They discuss the challenges controllers face in ensuring that processors have robust security measures and the implications of processor failures despite due diligence. The episode underscores the need for thorough audits and the role of the ICO in enforcing compliance.
Duties of Data Protection Officers
In the final segment, the hosts delve into the responsibilities of Data Protection Officers (DPOs), drawing insights from the latest directives by the Brazilian National Data Protection Authority. They discuss varying interpretations of a DPO’s duties, including security incident reporting, data protection impact assessments, and internal oversight mechanisms. The conversation also touches on the resignation of the UK’s Biometrics and Surveillance Camera Commissioner and the implications of advancements in facial recognition technology.
Final Thoughts
This episode of Data Protection Made Easy podcast is packed with essential information for anyone serious about data protection. From practical advice on data quality and governance to deep dives into legal complexities and future trends, Jasmine, Joe, and Phil provide a well-rounded perspective on the current and future state of data protection. Our hosts run two kinds of sessions. This week’s episode is called GDPR Radio, which takes place every other week. These are alternated with more topic-focused sessions. The GDPR Radio sessions are more relaxed; we discuss the news from the last two weeks (since the previous episode), any updates to laws or legislation, and take live Q&As from our audience.
If you would like to join us on future episodes, you can visit our events page and either request to join specific discussions or request to subscribe and benefit from weekly invites to insightful sessions where our experts share opinions. You can have the chance to ask our hosts questions live on air, make use of the live chat, benefit from links shared in the chat, visuals from the episode, and most importantly, network with like-minded individuals.
Stay tuned, stay compliant, and stay ahead with Data Protection Made Easy podcast!
RoPA Round Up (Part 2)
Effective ROPAs, Cybersecurity Updates, and Building a Proactive Culture
Welcome back to another insightful episode of Data Protection Made Easy! In our latest instalment, we delve deep into the multifaceted world of data protection and cybersecurity, offering you practical advice, timely updates, and real-world stories that underscore the importance of maintaining robust data protection practices. Here’s what you can expect from this episode:
- 0:03:46 – Risk Identification in ROPAs
- 0:07:14 – Facial Recognition vs Blacklist Comparison
- 0:14:58 – US Data Protection and Online Safety
- 0:21:10 – Maintaining Data Processing Documentation
- 0:31:18 – Understanding Risk in Project Work
- 0:36:39 – Data Retention and Privacy Compliance Review
- 0:43:41 – Engaging Data Protection Compliance Challenges
- 0:48:30 – Managing Complex Relationships in Databases
- 0:53:26 – UK GDPR Compliance and International Business
- 0:58:52 – Policy and Procedure Simplification
Unlocking the Secrets of Data Protection
Are you struggling to keep your Records of Processing Activities (ROPAs) up-to-date in your complex organisation? We begin by unravelling the intricacies of ROPAs, comparing them with privacy notices and information asset registers. We also emphasise the importance of regular updates to ensure they reflect the current reality of your data processing activities. Moreover, we introduce the concept of risk registers, which play a crucial role in assessing risks associated with data processing.
Staying Ahead in Cybersecurity and Privacy
The episode doesn’t just stop at ROPAs. We bring you the latest cybersecurity and data protection updates, covering significant incidents like the Leeds riots and the challenges of facial recognition technology in the age of mask-wearing criminals. We explore the role of social media in criminal identification and touch upon international incidents, such as an Olympic swimmer’s breach of COVID protocols. Additionally, we shed light on the UK’s cybersecurity vulnerabilities, Meta’s settlement over biometric data privacy, and new US legislation aimed at protecting children’s online safety.
Embedding Data Protection in Global Organisations
One of the standout segments of this episode is our discussion on embedding a data protection culture within large, international organisations. Discover strategies for managing ROPAs effectively, even with a global workforce, and learn about the importance of data champions and top-down support. We emphasise the power of community collaboration in overcoming shared challenges, ensuring that data protection becomes an integral part of your organisation’s culture.
Navigating the Challenges of Facial Recognition Tech
Facial recognition technology is a hot topic, and we dive into its practical implications and challenges. From a personal story involving facial recognition tech at John Lewis to the broader concerns around its use, especially during the Leeds riots, we provide a balanced view of this controversial technology.
Crafting a Culture of Proactive Data Privacy
Creating a proactive data protection culture isn’t easy, but it’s essential. We discuss the importance of assigning responsibility to data champions and the role of senior management in leading by example. We also highlight the balance between encouraging positive behaviour and ensuring there are consequences for non-compliance. Our goal is to make data protection engaging and relatable, helping you foster a proactive attitude towards data privacy within your organisation.
Managing Risks and Records in Data Processing
Finally, we explore the practical aspects of managing data protection systems and records. From using AI tools to maintain accurate ROPAs to evaluating comprehensive data protection solutions, we cover it all. We even touch upon the complexities of managing ROPAs for organisations with international employees, providing best practices for maintaining these records effectively.
Cybersecurity and Data Protection Update
We examine recent events, such as the Leeds riots and the limitations of facial recognition technology when perpetrators use masks. The discussion also covers international incidents and cybersecurity vulnerabilities in the UK, providing a comprehensive overview of the current data protection landscape.
Risk Assessment in Data Protection
This segment focuses on the multifaceted aspects of recruitment, selection, and the comprehensive lifecycle of employment. We discuss the utility of AI tools in maintaining accurate ROPAs and the importance of human oversight despite AI’s capabilities.
Implementing Data Protection Culture Within Organisations
We explore strategies for embedding a data protection culture within organisations, emphasising the importance of data champions, top-down support, and continuous engagement to make data protection an integral part of the organisation’s culture.
Managing Data Protection Systems and Records
Our hosts delve into the capabilities of data protection systems, highlighting a custom-built system based on Salesforce. They discuss the functionalities of such systems and provide insights into evaluating and selecting the right data protection solutions.
International Employees in Data Protection
We address the complexities of managing ROPAs for organisations with international employees, exploring scenarios involving UK-based companies with global operations and the implications of local laws.
Conclusion
As we wrap up this episode, we emphasise the importance of community collaboration in overcoming common challenges. We thank our contributors, Phil and Joe, for their invaluable insights and remind everyone about the upcoming GDPR Radio session.
Tune in to this episode for a comprehensive guide to mastering data protection, staying ahead of cybersecurity threats, and fostering a proactive data protection culture within your organisation.
Don’t miss out on this essential discussion—your organisation’s data protection and cybersecurity strategies will be all the better for it!
If you would like to join us on future episodes of the Data Protection Made Easy podcast you can visit our events page. You can also request to subscribe via our contact us page.
Our community now has over 1300 members from a wide range of backgrounds. Click below to subscribe.
Freedom Of Information – A Tool For Transparency
Working in the data protection industry, where information is power, ensuring transparency within organisations is crucial. Freedom of Information (FOI), a right established by the Freedom of Information Act (FOIA), empowers individuals to request access to information held by public authorities. This week’s episode of the award-winning Data Protection Made Easy podcast, now with over 20,000 Spotify plays and 170 episodes, dives deep into the world of FOI with expert Laura Brentnall, Support Desk Manager at Data Protection People.
Transparency: The Cornerstone of Public Trust
FOI serves as a cornerstone of open government and public trust. It allows individuals to hold organisations accountable and fosters a more informed citizenry. Laura, with her experience working in local authorities and across diverse sectors, sheds light on the practicalities of FOI for organisations of all sizes.
Intriguing Encounters with FOI Requests
The session wouldn’t be complete without a touch of intrigue! Laura, along with some of our listeners, shared some fascinating (and sometimes bizarre) FOI requests they’ve encountered. From the infamous UK parliamentary expenses scandal, where information was disclosed outside of FOI channels, to a local council paying a psychic for an exorcism (yes, you read that right!), these real-world examples highlight the vast scope of FOI requests.
Navigating the Legal Landscape
FOI comes with its own legal framework. The discussion explores recent cases and considerations surrounding the FOIA. This includes the concept of vexatious requests, where someone submits excessive or unreasonable FOI requests to disrupt an organisation’s operations. A link to a case study from the Information Commissioner’s Office (ICO) is provided for further exploration.
Equipping You for FOI Success
The session equips organisations with practical strategies for handling FOI requests effectively. This might involve streamlining processes, understanding exemptions under the FOIA, and effectively communicating with requesters. Data Protection People have a dedicated team of FOI experts if you have further questions after listening.
Our New FOI Service: Simplifying the Process
Data Protection People is excited to announce its new FOI service! This service is designed to support organisations of all sizes and sectors in navigating the FOI process with confidence. Whether you need help developing a robust FOI policy or require assistance in responding to complex requests, our team of experts is here to guide you.
Calling All Outrageous Requests!
For the upcoming part two of this FOI discussion, the team is looking for your input! Submit your most outrageous (and anonymous) FOI experiences, and they’ll be discussed on the next episode. This is a fantastic opportunity to learn from the experiences of others and gain valuable insights.
Join Our Vibrant Community!
Data Protection Made Easy is more than just a podcast; it’s a thriving community. If you enjoyed this session and want to be part of the conversation, subscribe! Simply visit the contact us page and request to subscribe. You’ll then receive weekly invites to insightful discussions led by our industry experts.
Here’s what makes our community special:
- Diversity: We welcome everyone, from veteran Data Protection Officers (DPOs) with 20 years of experience to students just starting their careers.
- Open Forum: Our discussions are designed to be enthusiastic and informative. Professionals share valuable top tips, practical advice, and real-world stories to empower others.
- Commitment to Education: We are passionate about data protection and believe in sharing knowledge freely. There’s no sales pitch here; just genuine conversation.
- Impressive Reach: With over 100 live listeners every week, our podcast is a top contender in the data protection space. You’ll be joining a community of passionate individuals committed to data privacy.
Don’t miss out! Subscribe today and unlock a world of data protection knowledge with Data Protection Made Easy.
GDPR Radio – Episode 134
Faces, Farage and Pseudonymisation
In this week’s episode, our knowledgeable hosts, Phil Brining and Tristan Mills, dive deep into the latest updates in data protection law, recent breaches, fines, and much more. Join us as we discuss the most relevant news of the week and simplify complex data protection topics, making them easy to understand and navigate.
Exploring Unauthorised Apps in the Workplace, Including WhatsApp: A Data Protection Standpoint
One of the key topics covered in this episode is the use of unauthorised apps in the workplace, with a special focus on WhatsApp. While these apps offer convenience in communication, they can pose significant data protection risks. Learn how organisations can address these risks and promote secure communication channels to protect sensitive information.
Facial Recognition and Its Implications on Data Protection
Another crucial discussion in this episode revolves around facial recognition technology and its implications on data protection. We explore the challenges surrounding the use of this technology, data privacy concerns, and the importance of obtaining proper consent when implementing facial recognition systems.
Understanding Personal Data, Pseudonymisation, and Anonymisation
We delve into the fundamental concept of personal data and its categorisation under data protection regulations. Additionally, we demystify the concepts of pseudonymisation and anonymisation, discussing their roles in protecting individual privacy and complying with data protection requirements.
Get Involved in Future Episodes!
Data Protection Made Easy values our community of data protection enthusiasts, and we want you to be a part of our podcast’s growth. Here’s how you can get involved:
Listener Questions: Have questions related to data protection or specific topics you’d like us to cover? Send us your queries, and we may feature them in upcoming episodes!
Guest Speakers: Are you an expert in data protection or know someone who is? We welcome guest speakers to bring fresh perspectives and insights. Reach out to us, and let’s collaborate on an engaging discussion.
Feedback and Suggestions: Your feedback matters to us. Share your thoughts and suggestions to help us improve the Data Protection Made Easy podcast for all our listeners.
Listen to Episode 124: GDPR Radio Now!
Don’t miss this insightful episode packed with valuable information and expert insights. Tune in to Data Protection Made Easy Podcast Episode using the player above or search for ‘Data Protection Made Easy’ on all major audio streaming platforms.
GDPR Radio – Episode 128
TikTok, International Transfers and Professor Hackett
Tune in to the latest episode of GDPR Radio on the Data Protection Made Easy podcast!
In Episode 128, our hosts Jasmine Harrison (Account Manager), Tristan Mills (Support Desk Manager), and Philip Brining (Founder and Managing Director) from Data Protection People delved into the fascinating world of data protection news. They explored various topics, including breaches, intriguing cases, emerging technologies, and much more.
Join the discussion as they analyse the ICO’s opinion on privacy information regarding TikTok and delve into the complexities of TikTok’s privacy policy, exploring potential compliance issues. Discover insights from a deep dive into TikTok’s privacy notice and gain valuable knowledge on international data transfers, with a specific focus on the data bridge between the UK and US.
You’ll also hear about an alarming data breach at the University of Manchester, where students received an email notifying them of the exposure of their personal data. Find out the intriguing details, including the curious fact that the hacker responsible was fittingly named Mr. Hacket.
This insightful episode is available now on our website and all major audio streaming platforms, including Spotify and Amazon. Don’t miss your chance to listen to our expert hosts share their opinions and analysis on the latest developments in the data protection landscape.
Data Protection People is a leading data protection consultancy in the UK, offering a comprehensive range of tools and services to simplify complex aspects of data protection. Stay informed, gain valuable insights, and take your data protection knowledge to the next level by tuning in to this captivating episode.
If you would like to get involved and join us live on future episodes of the podcast, check out the upcoming episodes of the Data Protection Made Easy podcast and register for an individual session, or subscribe and join one of the UK’s fastest growing data protection communities.
GDPR Radio – Episode 126
Recent Data Breaches and Employee Surveillance
Welcome to another episode of GDPR Radio, brought to you by Data Protection People. In today’s episode, we discuss some recent data breaches that have raised concerns about supply chain risks and personal data exposure. Additionally, we delve into the growing issue of employee surveillance in the workplace. Let’s get started!
Data Breach: MOVEit File Transfer Tool Exploited Recent media reports have revealed that cybercriminals successfully exploited a zero-day vulnerability in the MOVEit file transfer tool, affecting thousands of organisations internationally. The breach, attributed to the Russian-speaking ransomware group Clop, compromised personal data, including contact information, National Insurance numbers, and bank details. Progress Software, the provider of MOVEit, promptly patched the vulnerability, but the incident underscores the importance of addressing security flaws and supply chain risks.
Data Breach: Scrubs & Beyond Exposes Customer Data Healthcare retailer Scrubs & Beyond experienced a severe data exposure incident, leading to the public exposure of personally identifiable information and sensitive financial data of its customers. The leaked server contained a wealth of personal information, including names, email addresses, phone numbers, physical addresses, and even internal credentials. The breach also exposed plaintext credit card details and PayPal payment logs, putting affected customers at risk of financial fraud and identity theft. Scrubs & Beyond’s lack of response to the issue raises questions about their commitment to data protection.
Data Breach: GP Data Breach after Capita Cyber-Attack NHS England reported a data breach involving GP information following a cyber-attack on Capita, affecting 90 organisations. Initially downplayed by Capita, it was later revealed that data had been exfiltrated, leading to significant costs associated with recovery and remediation. The breach involved limited optometry information for two patients and accessed files containing names and NHS numbers of deceased and de-registered GP patients. While no health data or other patient data was compromised, the breach highlights the need for organisations to promptly address and report security incidents.
Data Breach: Tesla’s Alleged Data Protection Violations Tesla faced allegations of data protection violations following a data leak reported in Germany. Confidential data, including employee and customer information, was leaked by a whistleblower, potentially violating the GDPR. The leaked files contained personal information of thousands of employees, including Tesla CEO Elon Musk’s social security number, private email addresses, phone numbers, and salary details. The case highlights the need for organisations to implement robust data protection measures and respond promptly to potential vulnerabilities.
Employee Surveillance: The Impact on Privacy and Productivity
The growing trend of employee surveillance is raising concerns among workers. Companies have increasingly turned to monitoring tools, such as Hubstaff, to track employees' activity remotely. However, constant monitoring can damage employees' productivity and well-being: workers feel permanently watched, which leads to stress and to people taking additional steps to protect their privacy. Transparency about what is monitored and why, and trust between employers and employees, are crucial to a healthy working environment.
Regarding the personal data breach query, it is important to assess the incident and take appropriate actions to mitigate the risks and ensure compliance with data protection regulations.
Here are some considerations:
Incident Response: The customer has already taken a step in the right direction by putting a block in place to prevent further access to the disclosed information. This helps contain the breach and limit further harm, but containment is not the end of the response: the route by which the data was accessed still needs to be identified and closed, and evidence (logs, access records) preserved before anything is rebuilt or wiped.
Data Compromised: In this case, personal information such as customer names, contact details, addresses and property alerts was disclosed. It is essential to assess the sensitivity and potential impact of this information. The fact that the phishing attack targeted banking details suggests that the disclosed data is being, or could be, used for fraud beyond the initial breach, which raises the level of risk to the individuals concerned.
Data Access and Download: Since it is unknown how many files were accessed or whether the information was downloaded, the full extent of the breach cannot yet be determined. It is advisable to assume the worst-case scenario, namely that everything that could be reached has been taken, until access logs or other forensic evidence show otherwise, and to base the risk assessment and notifications on that assumption rather than on hope.
Risk Assessment: Conduct a risk assessment to evaluate the potential impact on individuals’ privacy and rights. Factors to consider include the sensitivity of the data, the potential harm to affected individuals, and the likelihood of unauthorised access or misuse.
Breach Notification: If the breach is likely to result in a risk to individuals' rights and freedoms, it must be reported to the relevant supervisory authority (the ICO in the UK) under the applicable data protection regulations, such as the UK GDPR or EU GDPR. Under both, the deadline is without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where the full picture is not yet known, a report can be made and then supplemented in phases. Whether or not a report is made, document the breach, its effects and the reasoning behind the decision, as the regulator can ask to see that record. Notification obligations and timelines in other jurisdictions may differ.
Communication with Affected Individuals: Where the breach is likely to result in a high risk to individuals, they must be told without undue delay; even where that threshold is not met, informing them is often the right thing to do. Explain what happened, what data was involved and the risks they may face, and give practical guidance on protecting themselves, such as being vigilant against phishing emails or calls that quote the leaked details and monitoring their financial accounts.
Regarding data sharing with the police, here are some points to consider:
Legal Basis: Under the GDPR, sharing data with law enforcement authorities, including the police, may be justified on various lawful bases, such as compliance with a legal obligation, the performance of a task carried out in the public interest, or the organisation's legitimate interests in preventing and detecting crime. Identify and record which basis applies before the data is shared.
Purpose Limitation: Share only the data that is necessary and relevant for the purpose in hand. Ensure that the sharing is directly related to the prevention, investigation, detection or prosecution of criminal offences, and resist requests for wholesale exports of customer records when a targeted extract would answer the question.
Lawful Authority: Determine whether there is a legal basis or specific legislation that authorises or mandates the sharing of personal data with the police. Consult applicable laws and regulations in your jurisdiction to understand the requirements and conditions for such sharing.
Data Protection Safeguards: Prior to sharing personal data, consider implementing appropriate safeguards to protect the rights and freedoms of the individuals involved. This may include ensuring data accuracy, implementing security measures, and considering data minimisation and retention principles.
Individual Rights: Inform individuals about the sharing of their data with the police, their rights regarding their personal data and how they can exercise those rights, including the right to access their data, to have inaccuracies rectified and to lodge a complaint if they believe their rights have been violated. The exception is where telling them would prejudice the prevention or detection of crime or the investigation itself; in that case the crime-related exemptions in the applicable law may allow transparency to be deferred, and the reasoning for relying on them should be recorded.
Data Protection Impact Assessment (DPIA): In cases where the data sharing involves high risks to individuals’ rights and freedoms, conduct a DPIA to assess and mitigate these risks. This is especially important when processing sensitive data or when implementing systematic and extensive surveillance measures.
It is recommended to consult with legal professionals or data protection experts to ensure compliance with the specific requirements of the GDPR and any relevant local data protection laws when dealing with personal data breaches and data sharing with law enforcement authorities.
In conclusion, these recent developments highlight the importance of data protection and the challenges organisations face in maintaining compliance with regulations such as the GDPR. The case involving the Lithuanian app builder and the National Public Health Centre underscores the need to carefully analyse the roles and responsibilities of data controllers in collaborative projects, as well as the requirement for explicit consent in data processing activities.
Furthermore, the Dutch Data Protection Authority’s observation that individuals should assume their personal data has already leaked or will do so at some point emphasises the necessity for individuals and organisations to prioritise data protection measures. Taking proactive steps, such as using unique passwords, implementing secure login methods, and exercising privacy rights, can help mitigate the risks associated with data breaches.
On the regulatory front, the expansion of ICO powers in the UK, as outlined in the DPDI Bill, grants the Information Commissioner’s Office wider investigative capabilities. This may have implications for organisations in terms of their obligations to provide information and documents during investigations, potentially leading to increased resourcing burdens.
In the international landscape, the new partnership agreement between the UK and the US, as established by Prime Minister Rishi Sunak and President Joe Biden, includes a data protection deal that aims to facilitate data sharing between certified US organisations and UK businesses. This agreement is expected to reduce red tape and benefit small firms engaged in transatlantic trade.
Looking ahead, it is crucial for organisations to be prepared for a range of data protection challenges. The upcoming discussion on rights requests provides an opportunity to delve deeper into the intricacies of individuals' rights under data protection law. Hosted by Phil Brining and Joe Kirk, and featuring the return of Jasmine Harrison, the session promises valuable insights and practical guidance. To stay informed about this and other upcoming sessions, visit the events page of the Data Protection People website at https://dataprotectionpeople.com/events/.
By staying abreast of the evolving data protection landscape, organisations can navigate the complexities of data breaches, data sharing, individual rights, and regulatory compliance, ultimately safeguarding the privacy and security of personal data.