Untangling Misconceptions Around Recording Meetings

Untangling Misconceptions Around Recording Meetings

In this week’s episode of the Data Protection Made Easy Podcast, we delve into the complex world of recording meetings and dispel some common misconceptions. Joined by data protection experts Jasmine Harrison, Joe Kirk, and Phil Brining, we unravel the intricacies of ensuring data protection and compliance during recorded meetings.

Key Data Protection Considerations

1. Purpose and Necessity: Before recording a meeting, it is essential to establish a clear and legitimate purpose for the recording. Ensure that the recording is necessary for a specific business objective and that there are no less intrusive alternatives.
2. Consent: Obtain explicit consent from all participants before recording a meeting. The consent should be informed, meaning participants should be aware of the purpose of the recording, the duration, who will have access to the recording, and how it will be stored.
3. Data Minimisation: Only record the necessary parts of the meeting. Avoid recording irrelevant or excessive information.
4. Data Security: Implement robust security measures to protect recorded data from unauthorised access, alteration, or disclosure. This includes encryption, access controls, and regular backups.
5. Data Retention: Establish a clear data retention policy for recorded meetings. Determine how long recordings will be kept and when they will be deleted or archived.
6. Transparency: Inform participants about the recording and provide them with information about their rights, such as the right to access, rectify, or erase their personal data.
7. Data Protection Impact Assessment (DPIA): For high-risk data processing activities, such as recording meetings involving sensitive personal data, conduct a DPIA to assess the risks and identify appropriate safeguards.

Common Misconceptions

• Implied Consent: Simply informing participants that a meeting is being recorded does not constitute implied consent. Explicit consent is required.
• Internal Use Only: Recordings made for internal use only are still subject to data protection laws.
• Anonymisation: Anonymising recorded data does not necessarily eliminate privacy risks.
• Cloud Storage: Storing recordings in the cloud may pose additional security risks.

Best Practices for Recording Meetings

• Use Secure Recording Equipment: Ensure that the equipment used for recording is secure and compliant with data protection standards.
• Implement Access Controls: Restrict access to recorded data to authorised personnel only.
• Regularly Review and Delete: Regularly review recorded meetings and delete those that are no longer necessary.
• Provide Clear Information: Inform participants about the recording at the beginning of the meeting and provide them with clear information about their rights.

Recording meetings can be a valuable tool for businesses, but it is essential to do so in compliance with data protection laws. By following the guidelines outlined in this article, organisations can ensure that their recording practices are lawful and protect the privacy of individuals. If you have any unanswered questions, feel free to reach out to a member of our team: Contact Us.

Tune in to all 185 episodes of the Data Protection Made Easy podcast on all major-audio streaming platforms including Spotify.

Listen on Spotify here: https://open.spotify.com/episode/3V0SW8HNxXHT39r8vIWooF?si=jPZQK9SBQv-l26tLwZ35bQ

The Role of a DPO: A Deep Dive

Podcast: The Role of a DPO: A Deep Dive

In this episode, we delve into the crucial role of the Data Protection Officer (DPO) in the UK. We discuss the specific responsibilities outlined in the UK GDPR, the potential conflicts of interest that can arise, and how organisations can ensure that their DPOs are operating independently and effectively.

The Essential Tasks of a DPO

The UK GDPR mandates that certain organisations appoint a DPO to oversee data protection compliance. Key responsibilities of a DPO include:

• Informing and advising the organisation on data protection obligations
• Monitoring compliance with data protection laws and internal policies
• Providing advice on Data Protection Impact Assessments (DPIAs)
• Acting as the primary contact point for the Information Commissioner’s Office (ICO)
• Handling data subject requests
• Assisting in data breach response and reporting
• Providing data protection training for staff

Avoiding Conflicts of Interest

A DPO must operate independently to effectively fulfil their role. Conflicts of interest can arise when the DPO‘s other responsibilities within the organisation could influence their judgment or decision-making regarding data protection. Common roles that may present conflicts include:

• Finance: A focus on cost minimisation might lead to compromises in data protection measures.
• Human Resources: Managing sensitive employee data can create challenges in maintaining objectivity.
• Information Technology: Overlap in responsibilities can impact the DPO’s ability to ensure data protection compliance.
• Sales and Marketing: Prioritising revenue generation might lead to shortcuts in data handling practices.
• Directors/Chief Officers: Strategic focus on business operations can overshadow data protection priorities.

How to Ensure a DPO’s Independence

To prevent conflicts of interest, organisations should:

• Clearly define the DPO’s role, responsibilities, and reporting lines.
• Establish robust governance structures, such as a data protection committee.
• Regularly assess potential conflicts and implement mitigation strategies.
• Consider outsourcing the DPO role to a third party.

Conclusion

The role of the DPO is essential in ensuring compliance with data protection laws and protecting individuals’ privacy rights. By understanding the DPO’s responsibilities and avoiding potential conflicts of interest, organisations can effectively safeguard their data and mitigate risks.

Additional Resources

• Information Commissioner’s Office (ICO) Guidance on DPOs
• Data Protection People’s Outsourced DPO Service

GDPR Radio – Episode 182

Unlocking Data Protection: Quality, Governance, and Legal Complexities with Industry Experts

Welcome to this week’s episode of Data Protection Made Easy podcast, where hosts Jasmine Harrison, Joe Kirk, and Phil Brining delve deep into the world of data protection, unraveling the complexities of quality, governance, and legalities. Led by experts from Data Protection People, our hosts work with a huge range of clients every day, together, they expert insights and advice surrounding data protection. If you’re serious about mastering data integrity and compliance, this episode is a treasure trove of expert insights and practical advice.

Mastering Data Integrity and Compliance

The episode kicks off with a comprehensive discussion on data quality, software solutions, and consulting. Jasmine, Joe, and Phil spotlight their exciting new partnership with a cutting-edge data management firm that offers innovative solutions to enhance data quality beyond just personal data. They explore how these advancements can help organisations navigate the tough terrain of processor contracts and ensure compliance with multiple controller relationships.

Navigating Data Contracts and Legalities

One of the highlights of this episode is the in-depth analysis of processor contracts. Joe raises a critical question: Can a single overarching agreement suffice for multiple controllers, or are individual contracts necessary? The discussion covers the legal requirements of Article 28.4, the practical challenges of managing these agreements, and real-world scenarios that emphasise the importance of maintaining compliance while dealing with complex contract frameworks.

Revolutionising Data Quality with AI

Jasmine shares an intriguing case study on Everton Football Club’s transition from Siebel to Salesforce, showcasing how this shift revolutionised their data management operations. The conversation extends to the significance of data quality measures, especially as AI becomes integral to organisational strategies. The hosts debate the universal applicability of data classification schemes and the various contexts that necessitate different levels of data accuracy.

Challenges in Data Management and Protection

Phil sheds light on the often-overlooked inconsistencies in GDPR and ISO guidelines, highlighting differences in interpretations between German and UK contexts. This leads to a broader discussion on the importance of governance, the practical benefits of information asset registers, and how these elements contribute to compliance with standards like ISO 27001 and GDPR.

The Future of Data Protection and Compliance

The episode also features a detailed exploration of sub-processor agreements within the context of UK GDPR. Joe and Phil dissect the legalities surrounding these agreements, emphasising the importance of imposing the same data protection obligations on sub-processors as on processors. They share various perspectives on managing these agreements, considering factors such as the nature of services, contract variations, and specific requirements like breach notification timelines.

Responsibilities and Liabilities in Data Protection

The conversation takes a critical turn as the hosts examine the complexities of liability between data controllers and processors, particularly in light of a significant data breach involving the Advanced Computer Software Group. They discuss the challenges controllers face in ensuring that processors have robust security measures and the implications of processor failures despite due diligence. The episode underscores the need for thorough audits and role of the ICO in enforcing compliance.

Duties of Data Protection Officers

In the final segment, the hosts delve into the responsibilities of Data Protection Officers (DPOs), drawing insights from the latest directives by the Brazilian National Data Protection Authority. They discuss varying interpretations of a DPO’s duties, including security incident reporting, data protection impact assessments, and internal oversight mechanisms. The conversation also touches on the resignation of the UK’s Biometrics and Surveillance Camera Commissioner and the implications of advancements in facial recognition technology.

Final Thoughts

This episode of Data Protection Made Easy podcast is packed with essential information for anyone serious about data protection. From practical advice on data quality and governance to deep dives into legal complexities and future trends, Jasmine, Joe, and Phil provide a well-rounded perspective on the current and future state of data protection. Our hosts run two kinds of sessions. This week’s episode is called GDPR Radio, which takes place every other week. These are alternated with more topic-focused sessions. The GDPR Radio sessions are more relaxed; we discuss the news from the last two weeks (since the previous episode), any updates to laws or legislation, and take live Q&As from our audience.

If you would like to join us on future episodes, you can visit our events page and either request to join specific discussions or request to subscribe and benefit from weekly invites to insightful sessions where our experts share opinions. You can have the chance to ask our hosts questions live on air, make use of the live chat, benefit from links shared in the chat, visuals from the episode, and most importantly, network with like-minded individuals.

Stay tuned, stay compliant, and stay ahead with Data Protection Made Easy podcast!

RoPA Round Up (Part 2)

Effective ROPAs, Cybersecurity Updates, and Building a Proactive Culture

Welcome back to another insightful episode of Data Protection Made Easy! In our latest instalment, we delve deep into the multifaceted world of data protection and cybersecurity, offering you practical advice, timely updates, and real-world stories that underscore the importance of maintaining robust data protection practices. Here’s what you can expect from this episode:

• 0:03:46 – Risk Identification in ROPAs
• 0:07:14 – Facial Recognition vs Blacklist Comparison
• 0:14:58 – US Data Protection and Online Safety
• 0:21:10 – Maintaining Data Processing Documentation
• 0:31:18 – Understanding Risk in Project Work
• 0:36:39 – Data Retention and Privacy Compliance Review
• 0:43:41 – Engaging Data Protection Compliance Challenges
• 0:48:30 – Managing Complex Relationships in Databases
• 0:53:26 – UK GDPR Compliance and International Business
• 0:58:52 – Policy and Procedure Simplification

Unlocking the Secrets of Data Protection

Are you struggling to keep your Records of Processing Activities (ROPAs) up-to-date in your complex organisation? We begin by unravelling the intricacies of ROPAs, comparing them with privacy notices and information asset registers. We also emphasise the importance of regular updates to ensure they reflect the current reality of your data processing activities. Moreover, we introduce the concept of risk registers, which play a crucial role in assessing risks associated with data processing.

Staying Ahead in Cybersecurity and Privacy

The episode doesn’t just stop at ROPAs. We bring you the latest cybersecurity and data protection updates, covering significant incidents like the Leeds riots and the challenges of facial recognition technology in the age of mask-wearing criminals. We explore the role of social media in criminal identification and touch upon international incidents, such as an Olympic swimmer’s breach of COVID protocols. Additionally, we shed light on the UK’s cybersecurity vulnerabilities, Meta’s settlement over biometric data privacy, and new US legislation aimed at protecting children’s online safety.

Embedding Data Protection in Global Organisations

One of the standout segments of this episode is our discussion on embedding a data protection culture within large, international organisations. Discover strategies for managing ROPAs effectively, even with a global workforce, and learn about the importance of data champions and top-down support. We emphasise the power of community collaboration in overcoming shared challenges, ensuring that data protection becomes an integral part of your organisation’s culture.

Navigating the Challenges of Facial Recognition Tech

Facial recognition technology is a hot topic, and we dive into its practical implications and challenges. From a personal story involving facial recognition tech at John Lewis to the broader concerns around its use, especially during the Leeds riots, we provide a balanced view of this controversial technology.

Crafting a Culture of Proactive Data Privacy

Creating a proactive data protection culture isn’t easy, but it’s essential. We discuss the importance of assigning responsibility to data champions and the role of senior management in leading by example. We also highlight the balance between encouraging positive behaviour and ensuring there are consequences for non-compliance. Our goal is to make data protection engaging and relatable, helping you foster a proactive attitude towards data privacy within your organisation.

Managing Risks and Records in Data Processing

Finally, we explore the practical aspects of managing data protection systems and records. From using AI tools to maintain accurate ROPAs to evaluating comprehensive data protection solutions, we cover it all. We even touch upon the complexities of managing ROPAs for organisations with international employees, providing best practices for maintaining these records effectively.

Cybersecurity and Data Protection Update

We examine recent events, such as the Leeds riots and the limitations of facial recognition technology when perpetrators use masks. The discussion also covers international incidents and cybersecurity vulnerabilities in the UK, providing a comprehensive overview of the current data protection landscape.

Risk Assessment in Data Protection

This segment focuses on the multifaceted aspects of recruitment, selection, and the comprehensive lifecycle of employment. We discuss the utility of AI tools in maintaining accurate ROPAs and the importance of human oversight despite AI’s capabilities.

Implementing Data Protection Culture Within Organisations

We explore strategies for embedding a data protection culture within organisations, emphasising the importance of data champions, top-down support, and continuous engagement to make data protection an integral part of the organisation’s culture.

Managing Data Protection Systems and Records

Our hosts delve into the capabilities of data protection systems, highlighting a custom-built system based on Salesforce. They discuss the functionalities of such systems and provide insights into evaluating and selecting the right data protection solutions.

International Employees in Data Protection

We address the complexities of managing ROPAs for organisations with international employees, exploring scenarios involving UK-based companies with global operations and the implications of local laws.

Conclusion

As we wrap up this episode, we emphasise the importance of community collaboration in overcoming common challenges. We thank our contributors, Phil and Joe, for their invaluable insights and remind everyone about the upcoming GDPR radio session.

Tune in to this episode for a comprehensive guide to mastering data protection, staying ahead of cybersecurity threats, and fostering a proactive data protection culture within your organisation.

Don’t miss out on this essential discussion—your organisation’s data protection and cybersecurity strategies will be all the better for it!

If you would like to join us on future episodes of the Data Protection Made Easy podcast you can visit our events page. You can also request to subscribe via our contact us page. 

Our community now has over 1300 members from a wide range of backgrounds. Click below to subscribe.

Freedom Of Information – A Tool For Transparency

Freedom Of Information – A Tool For Transparency

Working in the data protection industry, where information is power, ensuring transparency within organisations is crucial. Freedom of Information (FOI), also known as the Freedom of Information Act (FOIA), empowers individuals to request access to information held by public authorities. During this week’s episode of the AWARD WINNING Data Protection Made Easy podcast, with over 20,000 Spotify plays and 170 episodes, dives deep into the world of FOI with expert Laura Brentnall, Support Desk Manager from Data Protection People.

Transparency: The Cornerstone of Public Trust

The FOI serves as a cornerstone for open government and public trust. It allows individuals to hold organisations accountable and fosters a more informed citizenry. Laura, with her experience working in local authorities and across diverse sectors, sheds light on the practicalities of FOI for organisations of all sizes.

Intriguing Encounters with FOI Requests

The session wouldn’t be complete without a touch of intrigue! Laura along with some of our listeners shared some fascinating (and sometimes bizarre) FOI requests they’ve encountered. From the infamous UK parliamentary expenses scandal, where information was disclosed outside of FOI channels, to a local council paying a psychic for an exorcism (yes, you read that right!), these real-world examples highlight the vast scope of FOI requests.

Navigating the Legal Landscape

FOI comes with its own legal framework. The discussion explores recent cases and considerations surrounding the FOIA. This includes the concept of vexatious requests, where someone submits excessive or unreasonable FOI requests to disrupt an organisation’s operations. A link to a case study from the Information Commissioner’s Office (ICO) is provided for further exploration.

Equipping You for FOI Success

The session equips organisations with practical strategies for handling FOI requests effectively. This might involve streamlining processes, understanding exemptions under the FOIA, and effectively communicating with requesters. Data Protection People have a dedicated team of FOI experts if you have further questions after listening.

Our New FOI Service: Simplifying the Process

Data Protection People are excited to announce its new FOI service! This service is designed to support organisations of all sizes and sectors in navigating the FOI process with confidence. Whether you need help developing a robust FOI policy or require assistance in responding to complex requests, our team of experts is here to guide you.

Calling All Outrageous Requests!

For the upcoming part two of this FOI discussion, the team is looking for your input! Submit your most outrageous (and anonymous) FOI experiences, and they’ll be discussed on the next episode. This is a fantastic opportunity to learn from the experiences of others and gain valuable insights.

Join Our Vibrant Community!

Data Protection Made Easy is more than just a podcast; it’s a thriving community. If you enjoyed this session and want to be part of the conversation, subscribe! Simply visit the contact us page and request to subscribe. You’ll then receive weekly invites to insightful discussions led by our industry experts.

Here’s what makes our community special:

• Diversity: We welcome everyone, from veteran Data Protection Officers (DPOs) with 20 years of experience to students just starting their careers.
• Open Forum: Our discussions are designed to be enthusiastic and informative. Professionals share valuable top tips, practical advice, and real-world stories to empower others.
• Commitment to Education: We are passionate about data protection and believe in sharing knowledge freely. There’s no sales pitch here; just genuine conversation.
• Impressive Reach: With over 100 live listeners every week, our podcast is a top contender in the data protection space. You’ll be joining a community of passionate individuals committed to data privacy.

Don’t miss out! Subscribe today and unlock a world of data protection knowledge with Data Protection Made Easy.

Tune in now via Spotify. 

The Road to Data Protection Compliance

A Starter Guide for Everyone

The Road to Data Protection Compliance

The Road to Data Protection Compliance can be tricky to navigate, especially when it comes to ensuring compliance. In my role as an account manager, I’ve noticed varying levels of understanding among customers regarding the measures required for compliance and their current organisational situation.

So, what does it take to work towards compliance? It is worth stating that no organisation is ever fully compliant as the data protection landscape is everchanging. Nonetheless, if starting from scratch, this process might feel overwhelming. However, at DPP, we guide customers through the steps to gain and maintain control over their organisation’s personal data. We aim to help organisations work towards compliance with the law and best practices in the most streamlined way possible. That’s why our mantra is Data Protection Made Easy and why organisations come to us.

To demystify what’s involved, below I’ve outlined key focus areas imperative to your data protection compliance. DPP can guide you on all these areas so feel free to contact us for support.

*Please note that the highlighted measures and risks are not exhaustive*

Key Focus Areas for Data Protection Compliance

ICO Registration/DPO

What is it?

If you haven’t already done so, the initial step is to assess whether your organization is registered with the ICO. Most organisations that handle personal data are obligated to register, with certain exceptions. This requirement can be verified on the ICO’s website.

Additionally, you must determine whether the legal criteria for appointing a Data Protection Officer (DPO) is met. The DPO must fulfil the responsibilities outlined in the UK GDPR. In cases where a DPO isn’t mandated by law, appointing a data protection lead, whether an individual or a team, is advisable to oversee and ensure compliance with data protection regulations within the organisation.

Non-compliance risks

• Increased vulnerability to legal actions
• Lack of expertise and guidance
• Increased risk of data breaches
• Poor handling of data subject rights
• Negative impact on reputation
• Difficulty demonstrating compliance.

Information Governance Framework (IGF)

What is it?

This is your organisation’s handbook on how it’s committed to compliance.

It includes a data protection policy (the “what you will do to ensure individuals’ information is protected”) and corresponding procedures (the “how you will do what you say you will do”), like individual rights and breach procedures. As a corporate document recognised by your Board, a policy sets the boundaries for what is acceptable or tolerated and what isn’t.

Non-compliance risks

• Failure to meet the accountability principle of the UK GDPR – may lead to regulatory fines.
• No centralised approach to handling personal data.
• Increased chance of data breaches.
• Reputational damage/loss of trust.

*DPP has an Information Governance Framework which we can help customers implement*

Record of Processing Activities (RoPA)

What is it?

A RoPA is a crucial document for recording and managing personal data, and ensuring it is used lawfully. It includes details such as the reason for use, recipients of the data, storage details, and security measures.

It is a big task to compile a RoPA as it requires involvement from nearly every department in most cases. But once it is done, it is the most useful document to refer to for mapping out a business’s processes and illustrating UK GDPR compliance measures. It provides a composite from which you can link or hang many of your other evidence off i.e., lawful reasons, retention periods, etc.

Non-compliance risks

• Failure to meet Article 30 of the UK GDPR (this Article sets out the requirement for a RoPA).
• Failure to meet the accountability principle of the UK GDPR.
• Difficulty responding to regulatory inquiries (this is one of the first documents the ICO would request in an investigation).
• Lack of oversight on data processing.

*DPP can help you build an effective RoPA*

Privacy Notices and Cookies

What is it?

Privacy notices explain how information is collected, used, disclosed, and managed, promoting transparency and informing individuals about their privacy rights. This is the one area that every data subject is encouraged to access and can support and clarify a significant range of queries in advance if it is done right.

Cookies are small text files that collect your information as you browse websites. While some are essential, others require consent. It’s important to have a cookie policy on your website and an appropriate consent mechanism, such as a banner, which complies with the requirements for obtaining valid consent.

Non-compliance risks

• Failure to meet the transparent principle of the GDPR.
• Individual complaints and litigation.

Failure to fulfil rights available to individuals.

*DPP can help you create sufficient privacy notices and advise on cookie compliance*

Third Parties

What is it?

Third parties are external organisations that have access to your organisation’s personal data. If the third party only acts under your instructions, then they will be known as a processor for that shared data (e.g. a software provider or a contractor). If they take that information and make their own decisions about how to use it, then they will be a controller (e.g. the police or an insurance company).

When sharing data with processors you need to undertake data protection due diligence as it is a data controller’s responsibility to ensure the shared data will remain safe. If satisfied, then you should enter a ‘data processing agreement’ contractually binding both parties to protect the data.

When sharing data with controllers, measures should be in place to ensure the secure sharing of data. This may include a data sharing agreement which lays out the arrangements and responsibilities of each party.

There are added responsibilities when engaging in international data sharing, and these obligations are dependent upon the specific country to which the data is being transferred.

Early engagement with managers and procurement partners at contract discussion phase can raise questions and identify the need for data sharing agreements, international data transfer arrangements, clarify controller to controller relationships, etc. that can reduce workload and offer breathing space before a contract is entered into.

Non-compliance risks

• Legal and regulatory non-compliance with Article 28 of the UK GDPR.
• Supply chain vulnerabilities.
• Ineffective breach response.
• Ineffective rights handling.
• Potential loss of data if sharing internationally without appropriate safeguards.

*DPP can undertake supplier audits including undertaking due diligence on all processors and review agreements to ensure they are sufficient. We can also review international transfer arrangements*

Individual Rights

What is it?

Under the UK GDPR, individuals have specific rights concerning their personal data. These rights include, but are not limited to, the ability to request a copy of their information, ask for the deletion of their data, and seek corrections to inaccuracies in their data.

It is the organisation’s responsibility to ensure that its staff can identify a rights request and have effective measures in place to fulfil them within the one-month period.  You need to have a log of requests received and a procedure of how to handle requests which will be in your IGF.

A sound Privacy Notice can support dialogue with requesting individuals.

Non-compliance risks

• Failure to fulfil people’s legal rights.
• Failure to comply with Chapter 3 of the GDPR.
• High chance of individual complaints and litigation.
• Adverse impact on customer relationships.

*DPP can manage subject access requests, offer training, and provide guidance on recognising and handling such requests*

Data Protection Impact Assessment (DPIAs)

What is it?

DPIAs are risk assessments examining a business activity involving people’s information. They assess the risks posed to individuals by using their information and mitigate these risks. Certain activities legally require a DPIA, while others, considered riskier (e.g., changing database), are best practice.

Risks may uncover individual concerns, failure to acknowledge a specific part of the law, organisational financial or reputation risks, etc.

You should have a procedure for determining when a DPIA is required and how to complete one. Documenting a DPIA late in the procurement, deployment, or business change process may create unnecessary surprises and anxiety.

 Non-compliance risks

• Failure to comply with Article 35 of the UK GDPR and potentially other areas of the law.
• Operational disruptions.
• Missed opportunities for risk mitigation.
• Regulatory actions and fines.

*DPP provides training on DPIAs and assistance in writing and reviewing them*

Training

What is it?

All employees should undergo data protection training at least annually to foster and uphold a culture of data protection throughout the organisation. General data protection training is essential for all staff, with more specialised training provided to those who need it (e.g., rights requests training for staff handling such requests or board-level training emphasising the importance of data protection at that level).

Training should include relevant legal requirements and raise awareness of organisational measures staff are expected to follow. Remember, although they struggle with some of the terminology, many teams will process the same personal data but in different ways depending on their focus, so offer bespoke sessions to test how well they understand their role in processing and safeguarding personal data and recognise their value.

Non-compliance risks

• Failure to comply with data protection laws due to a lack of understanding.
• Data breaches and security incidents with ineffective incident response.
• Absence of a data protection culture.
• Challenges in implementing policies and procedures.
• Limited awareness and handling of individual rights.

*DPP offers a range of training services at all levels*

Security

What is it?

Security is a fundamental principle of the UK GDPR, requiring organisations to implement suitable measures to protect people’s data. This includes physical measures like locked cabinets, technical measures like multi-factor authentication, and organisational measures like policies and procedures. In today’s digital age, it is crucial that data security measures match the level of risk posed to people’s information.  You need to be able to show that you have implemented security measures appropriate to the risks and that these measures are kept under review.

Non-compliance risks

• Data breaches.
• Reputational damage.
• Failure to comply with the law.
• Risks to affected people (this even includes risk of physical harm).

*DPP have a suite of security services, including consulting, ISO 27001 support, Cyber Essentials+ and PCI DSS*

Audits

What is it?

Every organisation should conduct annual audits of their data protection practices, policies, procedures, and technical measures to ensure compliance with applicable data protection laws. Audits identify potential risks of non-compliance, assess the effectiveness of data protection measures in place, and ensure lawful and secure handling of personal data.

Data protection audits demonstrate accountability, identify areas for improvement, and proactively address risks. It is advised to engage an independent auditor to ensure an impartial and objective assessment.

Non-compliance risks

• Lack of accountability.
• Lack of understanding of organisation’s compliance stance.
• Increased risk of non-compliance.
• Increased chance of breaches and security incidents.
• Increased regulatory scrutiny in an investigation.

*DPP provides a suite of audit services, including a gap analysis, full compliance audit, PECR audit, and bespoke audits*

Responsibilities

In conclusion, safeguarding personal data is a collective responsibility within the organisation, necessitating ongoing training and awareness initiatives. By establishing clear objectives tailored to individual job roles and involving all staff in relevant data protection projects, we ensure a proactive approach to compliance.

Given the intricate nature of data protection, we understand the challenges you may face. Should you require any assistance or guidance in navigating these complexities, please feel free to reach out to us. We’re here to alleviate any pressures and support your efforts toward maintaining robust data protection practices.

GDPR Radio – Episode 134

Faces, Farage and Pseudonymisation

In this week’s episode, our knowledgeable hosts, Phil Brining and Tristan Mills, dive deep into the latest updates in data protection law, recent breaches, fines, and much more. Join us as we discuss the most relevant news of the week and simplify complex data protection topics, making them easy to understand and navigate.

Exploring Unauthorised Apps in the Workplace, Including WhatsApp: A Data Protection Standpoint

One of the key topics covered in this episode is the use of unauthorised apps in the workplace, with a special focus on WhatsApp. While these apps offer convenience in communication, they can pose significant data protection risks. Learn how organisations can address these risks and promote secure communication channels to protect sensitive information.

Facial Recognition and Its Implications on Data Protection

Another crucial discussion in this episode revolves around facial recognition technology and its implications on data protection. We explore the challenges surrounding the use of this technology, data privacy concerns, and the importance of obtaining proper consent when implementing facial recognition systems.

Understanding Personal Data, Pseudonymisation, and Anonymisation

We delve into the fundamental concept of personal data and its categorisation under data protection regulations. Additionally, we demystify the concepts of pseudonymisation and anonymisation, discussing their roles in protecting individual privacy and complying with data protection requirements.

Get Involved in Future Episodes!

Data Protection Made Easy values our community of data protection enthusiasts, and we want you to be a part of our podcast’s growth. Here’s how you can get involved:

Listener Questions: Have questions related to data protection or specific topics you’d like us to cover? Send us your queries, and we may feature them in upcoming episodes!
Guest Speakers: Are you an expert in data protection or know someone who is? We welcome guest speakers to bring fresh perspectives and insights. Reach out to us, and let’s collaborate on an engaging discussion.
Feedback and Suggestions: Your feedback matters to us. Share your thoughts and suggestions to help us improve the Data Protection Made Easy podcast for all our listeners.

Listen to Episode 124: GDPR Radio Now!

Don’t miss this insightful episode packed with valuable information and expert insights. Tune in to Data Protection Made Easy Podcast Episode using the player above or search for ‘Data Protection Made Easy’ on all major audio streaming platforms.

GDPR Radio – Episode 128

TikTok, International Transfers and Professor Hackett

Tune in to the latest episode of GDPR Radio on the Data Protection Made Easy podcast!

In Episode 128, our hosts Jasmine Harrison (Account Manager), Tristan Mills (Support Desk Manager), and Philip Brining (Founder and Managing Director) from Data Protection People delved into the fascinating world of data protection news. They explored various topics, including breaches, intriguing cases, emerging technologies, and much more.

Join the discussion as they analyse the ICO’s opinion on privacy information regarding TikTok and delve into the complexities of TikTok’s privacy policy, exploring potential compliance issues. Discover insights from a deep dive into TikTok’s privacy notice and gain valuable knowledge on international data transfers, with a specific focus on the data bridge between the UK and US.

You’ll also hear about an alarming data breach at the University of Manchester, where students received an email notifying them of the exposure of their personal data. Find out the intriguing details, including the curious fact that the hacker responsible was fittingly named Mr. Hacket.

This insightful episode is available now on our website and all major audio streaming platforms, including Spotify and Amazon. Don’t miss your chance to listen to our expert hosts share their opinions and analysis on the latest developments in the data protection landscape.

Data Protection People is a leading data protection consultancy in the UK, offering a comprehensive range of tools and services to simplify complex aspects of data protection. Stay informed, gain valuable insights, and take your data protection knowledge to the next level by tuning in to this captivating episode.

If you would like to get involved and join us live on future episdoes of the podcast, check out the upcoming episodes of the Data Protection Made Easy podcast and register for an individual session or subscribe and join one of the UK’s fastest growing data protection communities.