Email templates are one of the most popular features in the VinciWorks learning management system. Templates enable you to customise the text and look of every email from the system down to the last detail. Many organisations recreate the exact look-and-feel of internal emails down to the graphics in a signature. Templates can include dynamic fields that are personalised to every user, such as first name, department, date of last cyber security training or any other field in the system.

All templates can “spoof” sender information, so that the emails appear to come from a colleague or manager. Carbon copied addresses can also be added.

On Tuesday 26th September at 12:00pm, Marshalls’ modern slavery expert Richard Beale joined VinciWorks to discuss the practical aspects of modern slavery compliance and answer attendee questions. Director of Best Practice Gary Yantin began the webinar with a review of VinciWorks’ modern slavery training suite before introducing Richard.

A Data Protection Authority (DPA) in Europe has recently issued Facebook with a significant €1.2 million fine for two ‘serious’ and one ‘very serious’ breaches of data protection law.

The investigation, which formed part of a joint initiative by Data Protection authorities across Belgium, France, Hamburg, and The Netherlands, revealed that Facebook users’ personal data, e.g. political views, religious beliefs, location, and other personal preferences had been collected without the users’ informed consent. Data subjects were also left unaware as to the purpose of sharing their information with Facebook (and other third-party web pages), and the use of it thereafter.

The breach the DPA rated ‘very serious’, which accounted for €600,000 of the total fine, was the finding that Facebook did not ‘obtain unequivocal consent, specific and informed’ from its users before processing certain types of data (known as ‘special categories’ of data in legislative speak) for marketing purposes.

When issuing the fine, the DPA also took into consideration that users are not informed about how their data is collected via use of cookies on the site, some of which the social network categorised as ‘secret’. Webpages which are not affiliated with Facebook, yet contain a ‘like’ button for the network all the same, were also shown to be in breach – some of them collecting data exclusively for marketing purposes without providing clear information to the user about what data will be collected and how it will be processed.

Additionally, it was shown that Facebook’s privacy policy was below par in terms of transparency, containing general formulations and statements that would be unclear to the average user and which required readers to click through a multitude of links in order to access the policy in its entirety.

Finally, the DPA was able to prove that Facebook did not, in fact, delete personal data upon user request (e.g. termination of account), but instead retained the data via cookies for up to seventeen months – a period which extends well beyond the original purpose for collecting it in the first place.

Is your organisation fully aware of Data Protection directives and the right to be forgotten legislation?

For more information on VinciWorks’ Data Protection, GDPR and Information Security courses and microlearning courses, please don’t hesitate to get in touch.

A privacy policy must set out the different areas where user privacy is concerned and outline the obligations and requirements of the users, the website and website owners. Furthermore, the way your organisation processes, stores and protects user data and information should also be detailed in a privacy policy. The policy should be made available on your organisation’s website.

What is a GDPR privacy policy?

A GDPR privacy policy is a legal document that outlines how an organisation collects, uses, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR). The GDPR is a set of data protection regulations implemented in the EU to enhance the privacy rights of individuals and establish consistent data protection standards across the EU member states.

In a GDPR privacy policy, organisations provide transparent information about the personal data they collect, the purposes for which it is collected, how it is processed, and the legal basis for processing. The policy also covers details about data retention, data subject rights, security measures, data transfers outside the EU, and contact information for the data protection officer.

What needs to be included in a privacy policy?

Here are the main points that should be addressed in a privacy policy:

Use of cookies

Your policy should first define what cookies are and then explain what the organisation uses cookies for. It should stress that they are used to enhance the user experience, and any tracking software used should also be stated.

Our fully customisable data protection course is now available in German

VinciWorks’ GDPR data protection course is now available in German. The course combines the latest in policy and law with best practice guidelines. It provides real-world scenarios, interactive features and review questions to test understanding of key points. By completing this course, users will learn how to comply with data protection laws for their specific role in the organisation. The online training is based on the General Data Protection Regulation (GDPR).

German Data Protection Amendment Act

While GDPR will be coming into force across Europe on 25 May 2018, Germany has already enacted a new data protection law to prepare for the new regime. The German Data Protection Amendment Act (GDPAA) enters into force on 25 May 2018 and contains some key national differences with GDPR.

Action against modern slavery is ramping up. In just the month of May 2017, the Modern Slavery Helpline dealt with nearly 200 potential victims in the UK. In the first five months of this year, 1,179 potential victims of modern slavery were identified.

Yet this number is a drop in the ocean compared to the tens of thousands of men, women and children being held as slaves right now in the UK. The Modern Slavery Act 2015 not only brought in tougher laws and sanctions against slavery, but encourages businesses to ensure they are not participating in labour abuse in their supply chains.

The Modern Slavery Act – Section 54

Section 54 of the Modern Slavery Act mandates that companies with an annual turnover greater than £36m publish an annual slavery and human trafficking statement. Companies with a financial year-end date of 31st December were required to produce and publish their statement by 30th June. Many still haven’t.

According to the report ‘Solving the Compliance Conundrum’ published by Towards Maturity in June 2017, 77% of the 250+ compliance professionals surveyed identify Code of Conduct as a key risk within their business. This makes Code of Conduct the second highest risk area behind data privacy and a higher risk priority than health and safety.

This fact won’t surprise compliance professionals; the conduct and behaviours of people (e.g. employees, contractors, and third parties) poses the greatest risk for non-compliance in the workplace (either through a lack of awareness, inappropriate behaviour, or through deliberately malicious activity). Organisations may attempt to manage this risk through a collection of policies and procedures that are supported by compliance training programmes for each topic area.

Surprisingly, though, many organisations do not have an up-to-date formal Code of Conduct in place – perhaps they see this as a duplication of information from the existing policies and training they have in place, or maybe it has never become a high enough priority. In this article we explore the benefits of having a formal Code of Conduct and help you to build the business case for a Code of Conduct.

Onboarding

New starters often get overloaded with information upon joining an organisation; maybe in the form of face-to-face briefings, death by PowerPoint, multiple sources of background reading, and/or a collection of eLearning programmes. All of this information competes for the attention of new employees and they are left unable to see the ‘wood for the trees’, with only a small proportion of the information sinking in.

A well designed Code of Conduct provides a high level overview of this complex information landscape. It lets new employees know immediately what is expected of them and what they can expect from the organisation in turn. It signposts the most complex information and allows more time for this to be absorbed. It also creates immediate value in the relationship between the new starter and the organisation, and gets their induction off to the best possible start.

Of course, a Code of Conduct isn’t just for new employees. Equally, it’s an ideal platform through which to let employees know of organisational changes, and also to reinforce the Code of Conduct over a prolonged period of time.

Tone from the top

A Code of Conduct is the ideal way for senior management to endorse the organisation’s overall compliance programme and in doing so set the tone from the top.

It’s an ideal platform for the CEO, and other C-Suite board members, to endorse the standards of conduct expected by everyone within the organisation (including themselves), and it promotes the ‘Speak Up’ process for reporting instances where these standards are not being met.

Creating a compliance culture

The message from the CEO and other C-Suite board members starts the process of creating a compliance culture within your organisation. The investment in producing and implementing your Code of Conduct will not go unnoticed and will naturally reinforce the importance of ethical behaviours and, in doing so, strengthen the compliance culture within your organisation.

The compliance culture is further strengthened when your Code of Conduct provides:

  • Clear guidance on what is acceptable and unacceptable behaviour (ideally through real-life scenarios and/or anecdotal references)
  • Encouragement to behave in an acceptable and ethical way
  • Help on how to identify unacceptable behaviour
  • Support and encouragement on reporting unacceptable behaviour

Life doesn’t exist in silos

Once you drill down to specific compliance risks, e.g. data privacy or anti-bribery, policies and training material naturally gravitate to the subject matter being covered. But life is never this simple, and almost always a situation will be affected by multiple compliance risk areas.

A Code of Conduct is an umbrella for all compliance risks, and will allow you to explore complex scenarios/situations covering multiple compliance topics. This is much more aligned to real-life situations and allows employees to explore ethical solutions to these more complex scenarios.

General Counsel and Heads of Risk attended VinciWorks’ first risk summit

On 12th September more than 30 senior counsel and heads of risk gathered to discuss the risk horizon at VinciWorks’ first risk summit in the Soho Hotel.

Delegates from international law firms, accountancy firms and corporates shared their insights into the issues that they hope will grab their board’s attention as they plan their risk management strategies. The event was chaired by VinciWorks CEO Howard Finger.

If you are already preparing for GDPR (and with VinciWorks’ GDPR Guide to Compliance and our Data Protection: Privacy at Work course, you should be), then most of what is in the Data Protection Bill will not be news to you. This article explains the key points of the new Data Protection Bill that differ from GDPR.

Running to over 200 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, the government describes the Bill as a “complete data protection system.” That system already exists however, and it’s called the General Data Protection Regulation.

The Bill is essentially Brexit-proofing GDPR by bringing in the European standard of data protection, along with allowed UK exemptions, no matter if, when or how the UK leaves the EU. Also the Bill is necessary to implement a single data protection regime as GDPR, as a European Directive, only applies to areas of law under EU competency. The Bill itself says things like: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.” So there’s no reason to throw out all the GDPR compliance work you might have done so far. Indeed, now is the time to speed it up.