The GDPR resource page
Tens of thousands of businesses have used VinciWorks’ GDPR resources to ensure their policies and training are up-to-date

Is your organisation ready for the EU-wide General Data Protection Regulation, which comes into force on 25 May? What still needs to be done to prepare? VinciWorks has created a helpful resource page containing GDPR compliance tools, course demos, policy templates and more.

The resource page includes:

  • Course demos of all the training included in the GDPR training suite
  • Knowledge checks to test staff’s knowledge of the changes to data protection regulation under GDPR
  • Online guides, including the VinciWorks guide to GDPR
  • Downloadable and editable GDPR related policy templates
  • On-demand GDPR webinars
  • Helpful articles on GDPR compliance

View the GDPR resource page

Businesses across the EU, large and small, are scrambling to get privacy notices ready for GDPR


What is a GDPR-compliant privacy policy?

A GDPR-compliant privacy policy should set out the different areas where user privacy is concerned and outline the obligations and requirements of the users, the website and website owners. It should also detail the ways your organisation processes, stores and protects user data and information. The policy should be made available on your organisation’s website.

The main points that should be addressed in a privacy policy include: 

  • Use of cookies: Define what cookies are and how and why your organisation uses them
  • Personal information: If your organisation requests or stores personal information, this should be made clear. Under GDPR, individuals have the right to request a copy of this information and can request to be removed from the database at any time
  • Information collection and use: The policy should make clear how your organisation collects information and how long it is stored for
  • Other information: A GDPR-compliant privacy policy must make clear how any other information that is collected, such as through registration forms or any other means, is used, and must also provide instructions on how to unsubscribe from any mailing list

What is a GDPR-compliant privacy notice?

A privacy notice tells people from whom you are taking data:

  • Who you are
  • What you are going to do with their information
  • Who you will share it with

At minimum, a privacy notice must contain those three key things. GDPR requires a privacy notice to be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, appropriate for the audience, and free of charge.

Three key aspects of developing a good GDPR privacy notice

There are three key aspects of good practice to keep in mind when developing a GDPR-compliant privacy notice.


Under GDPR, as well as meeting all of the GDPR principles, an organisation must rely on one of six legal justifications to use personal data, known as the conditions for processing. For instance, you could process a sale to a customer by relying on condition 2, fulfilling a contract.

Different conditions give different rights to individuals. Relying on consent, for instance, gives the person the right to withdraw their consent, a right they must be informed about, usually in a privacy notice.

  1. The person gave explicit consent
  2. It is to fulfil or prepare a contract
  3. There is a legal obligation (excluding a contract)
  4. To save someone’s life or in a medical situation
  5. To carry out a public function
  6. There is some other legitimate interest (excluding public authorities)

If the data is sensitive, i.e. about a person’s race, religion or health status, there must be an additional justification to process it, which can include explicit consent, employment law or medical purposes. Under GDPR, genetic and biometric data, such as data from a biometric passport or fingerprint scans, will now count as sensitive personal data.


As Facebook CEO Mark Zuckerberg continues his testimony in Congress following the Cambridge Analytica scandal, he has been set a pile of homework to beef up Facebook’s data protection policies and become GDPR compliant. While the enquiry came about following an investigation into Cambridge Analytica, in the long run it may have come at the perfect time, with GDPR just weeks away from coming into full force. During the hearing, Zuckerberg committed to implementing GDPR’s standards worldwide.

Eight things Facebook must do to comply with GDPR

Here is what the social network giant must do to ensure it is at least on the way to full compliance come 25 May 2018.

1. Appoint a data protection officer (DPO)

Under GDPR, organisations that process large amounts of personal data, are in the public sector or process particularly sensitive data are required to appoint a DPO. Facebook has certainly recognised this need, advertising the vacant position on its website and other forums. It remains to be seen, however, whether Zuckerberg will seek to appoint a DPO, or someone in a similar role, to strengthen data protection compliance across the US.



What is a data protection impact assessment?

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks in their data processing activities. They are particularly relevant when a new process, system or technology for processing data is being introduced. A DPIA should be managed by the data controller, or by the data protection officer (DPO) if you have appointed one. Some organisations may consider appointing someone externally to conduct the project.

A DPIA must be carried out when new technologies are used or where the processing is likely to result in a high risk. It is also good practice to conduct one for any large-scale data processing you carry out. A DPIA needs to contain a detailed description of the processing operations, an assessment of the necessity and proportionality of the processing in relation to its purpose, an assessment of the risks to individuals, and the controls put in place to mitigate those risks and protect people’s information.

Read more: on-demand DPIA webinar

When is a GDPR Data Protection Impact Assessment Required?

In general, GDPR requires Data Protection Impact Assessments (DPIAs) to be carried out for any new high risk processing activities, and specifically in the following cases:

  • If you use systematic and extensive profiling with significant effects
  • If you process special category or criminal offence data on a large scale
  • If you systematically monitor publicly accessible places on a large scale

The GDPR guidelines suggest that usually only processing operations involving two or more of these criteria will require a DPIA, but bear in mind that in some cases a processing operation involving even one of these criteria will also require one.

The process of carrying out a DPIA helps to make informed decisions about data protection risks and to communicate effectively with the individuals affected. Although risks can never be completely eliminated, the DPIA can help you identify and mitigate data protection risks early, to find solutions to those risks, and to assess whether a project is viable.

High risk data processing

Under GDPR, organisations must undertake a DPIA when processing high-risk or large-scale data. High-risk data processing includes systematic and extensive processing activities, large-scale processing, processing of special category (sensitive) data, including data relating to criminal convictions, and systematic monitoring of public areas, such as CCTV.



With GDPR (General Data Protection Regulation) day approaching, the number of vacancies in roles as a Data Protection Officer (DPO) has reportedly increased by over 700% in the last two years. Data protection professionals are finding that their skills and knowledge are suddenly invaluable and in high demand compared to a few years ago. VinciWorks’ guide to being a DPO will give you a clearer idea of what is required from a DPO, helping you appoint the right person for the role. The guide will also help those being promoted to the role of DPO gain an understanding of what is required of them under GDPR.

Free download



Often used as a free marketing tool, and with some staff having thousands of personal followers on social media platforms such as Twitter, Facebook and LinkedIn, social media is becoming an important cog in many companies’ marketing campaigns. Here is some guidance on what GDPR requires of us when using social media for marketing purposes.

Read: The digital marketing guide to GDPR

GDPR and social media

In recent years social media has become a central platform for communication between businesses and customers or clients. Since social media tools all work with personal data, those using them for business purposes must take data protection regulations into account. But this shouldn’t deter you from using these tools: used correctly, social media can be an excellent form of communication and marketing. The important thing is to make sure you keep your social media platforms secure and that you handle all customers’ data appropriately.

What does GDPR mean for social media marketing?

When considering how best to manage social media marketing, it is important to keep data protection rules and best practice in mind. It is unlawful to collect more data than you need, and you need to be able to justify any information you collect. But social media marketing can actually be better, both for marketing and for GDPR compliance, than the older methods of email lists and direct mail, which are not as effective as they once were. Connecting with potential leads through social media and sharing relevant content and contact details can be much more effective and targeted than blunt-force direct marketing, and, when done correctly, potentially less problematic on the GDPR front.

Who does the legislation apply to?

GDPR does not apply to individuals using social media for their own purposes, but does apply to individuals acting as sole traders or organisations who use social media in the following ways:

  • Posting personal data on a website
  • Downloading and using personal data from a website
  • Running a website which allows others to post comments or other content about people


This year has already been significant in terms of compliance breaches by some of the world’s largest companies. And it is not just businesses that have seen major failings recently, as we review recent compliance scandals in this year’s Compliance Update: 1 April Special.

Easter bunny fined for sanctions breaches

The Easter Bunny has been fined a record £21m by the Office of Financial Sanctions Implementation (OFSI) for illegally importing up to 40 million Easter eggs. The eggs were illegally imported from Never Never Land in violation of international sanctions against the rogue state, with the Easter Bunny allegedly committing serious acts of bribery during the import of the eggs to cover up their origins.

Never Never Land continues to remain under severe international sanctions due to its failure to adhere to data protection laws and the continued WMD programme of dictator Captain Hook. With recent EU legislation expanding the scope of sanctions compliance, all organisations are being reminded to ensure their compliance is up to speed and they are not doing business with designated persons such as Captain Hook.

Free sanctions policy template
