When it comes to GDPR, do users have free will?

Is free will an illusion? Determinist philosophers might think so. Ancient Greek thinkers Leucippus and Democritus were two of the first to theorise that all processes in the world were due to a mechanical interplay at an atomic level, precluding the idea of human beings exercising any kind of free will in a universe operated by deterministic forces.

Aristotle, however, stated that we have the power to do or not to do, and free will can exist when we are aware of the particular circumstances of our actions. However, he still left unanswered the question of defining the choices we make based on causes outside of our control.

On-demand webinar – GDPR Mythbusters 2019


Was the General Data Protection Regulation handed down on tablets of stone? Were its articles intended to be revered, venerated and feared for all time? Or, as many businesses might prefer, is GDPR more of a set of guidelines, good ideas for living a moral life that don’t really matter if they aren’t actually followed?

One could be forgiven for mistaking some GDPR compliance professionals for wandering clerics; preaching the gospel of data protection and warning of the world to come. Yet, like every prophecy, the date of the apocalypse came and went, and nothing much happened… Or did it?

As GDPR came into force in May 2018, many people questioned the hype around compliance with the regulation

VinciWorks has revisited our popular GDPR mythbusters series to separate the data protection facts from fiction.

GDPR received the kind of hype normally saved for a celebrity meltdown or an Avengers movie. In 2018, the eponymous EU directive, otherwise known as Regulation 2016/679, scored higher in Google search rankings than Beyoncé and Kim Kardashian. GDPR notched up over 300,000 media mentions, three times as many as Mark Zuckerberg managed. It even spawned a sub-culture of memes as EU citizens drowned under a flood of emails informing them of privacy policy updates and “click here to re-subscribe”.

The Information Commissioner’s Office (ICO) is deploying agents around the world to clamp down on those failing to comply with GDPR

As the first anniversary of the EU’s General Data Protection Regulation (GDPR) approaches, we revisit our popular GDPR Mythbusters series to separate the data protection facts from fiction.

GDPR’s reach promised to be global. Companies around the world would fear the shadow of the EU regulators. They would quake in their sandals or snow boots as diligent Europeans pursued international data bandits across baking deserts and frigid tundra in the name of justice, serving enforcement actions on those crooks wherever they may hide.


As the first anniversary of GDPR approaches, VinciWorks revisits our popular GDPR mythbusters series to separate the data protection facts from fiction.

Just six minutes after GDPR came into force on 25 May, 2018, two European advocacy groups, Quadrature du Net and None Of Your Business (NOYB), filed complaints against search giant Google. Similar complaints were also levied against the titans of the internet age: Facebook, WhatsApp and Instagram. These actions were not confined to just one jurisdiction. The white knights of data protection made their mark in the halls of national regulators in Paris, Vienna, Brussels and Berlin.

The complaint? Nothing greater than the default advertising settings that come when signing up for a standard Google account. Users must agree for their personal data to be used in order to show them personalised adverts, and Google requires people to agree to those terms and conditions via pre-ticked boxes in what NOYB calls “forced consent.”

The General Data Protection Regulation comes into force across the EU on 25 May 2018

It’s not true. If you do absolutely nothing to prepare for GDPR, take 25 May off, put your out-of-office on and don’t pay any attention to anything related or connected to GDPR, you’ll be found out pretty quickly.

What happens if I don’t comply with GDPR?

First of all, people will know you aren’t complying because your privacy notices will not be GDPR compliant. They must identify the legal basis for processing data, and if that’s consent, then the consent being taken must comply with GDPR rules.

GDPR consent rules are a lot more specific than previous ways to collect consent, so much so that consent which does not meet GDPR requirements will not be valid after 25 May and you’ll be in breach of GDPR if you rely on it.

To what extent will HR policies and procedures be affected by GDPR, which comes into force on 25 May?

With so much attention given to the marketing and IT departments when it comes to GDPR compliance, it’s easy to overlook the other parts of the business that will be impacted. HR is probably one of the most affected areas in a business, as the new rules apply to employee information as well, not just customers. GDPR is about the regulation of all personal data, and HR departments have a lot of it.

GDPR requires you to identify the lawful basis for processing data. This would normally be consent, i.e. the person agrees for their data to be processed. But GDPR complicates this when it comes to employee/employer relationships. Under GDPR, consent has to be freely given, and not as a condition for another service, such as a job. Due to the imbalance in the relationship between the employee and the employer, it is not clear that relying on consent would hold up under GDPR. Consent can also be withdrawn at any time under GDPR, and without a fallback ready, processing activities would need to stop.


“We don’t do marketing.” “We already comply with the DPA.” “We outsource our IT.”

Does the legal sector need to worry about GDPR?

These are all bedtime stories some in the legal sector have been telling themselves about GDPR. The truth is, like any business, the legal sector must be ready for GDPR-day in May. There’s a lot of evidence to suggest it isn’t.

Law firms are both controllers and processors of their clients’ data, meaning there are quite a lot of rules that must be followed. Current data collection methods, particularly consent, must be reviewed before May. It’s crucial to review the conditions for processing data and identify the correct legal basis. Some conditions, like consent, may not be valid for all processing activities after May.

Will continuing to send marketing emails put your business at risk of breaching GDPR?

Does the General Data Protection Regulation (GDPR) mean you can’t send any more marketing emails?

JD Wetherspoons, the UK’s largest pub chain, hit the industry headlines last year when it decided to delete its entire marketing list. GDPR has injected a sense of impending doom into email marketers worried that carefully cultivated lists will need to be trashed come GDPR day.

This is not the case. GDPR does not prevent direct marketing taking place, nor does it mean your lists have to be deleted and collected again from scratch. However, it does mean marketers have a greater responsibility in processing personal data, and some issues around consent to market may have to be looked at.


VinciWorks adds Subject Access Request module to GDPR course

GDPR Myth #2: GDPR requires you to delete all of a person’s data if they ask

Does GDPR require businesses to delete all data upon an individual’s request?

What is meant by “The Right to be Forgotten” under GDPR?

The right to be forgotten is one of the key innovations of GDPR, but it’s not exactly a new right, nor is it absolute. It developed in European law in the aftermath of an important court case known as the Google vs Spain ruling. In 2010, a Spanish citizen complained about an outdated court order against him appearing on Google search results. The European Court of Justice agreed this infringed on his right to privacy and ruled that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them where the information is inaccurate, inadequate, irrelevant or excessive.

The right to be forgotten has been enshrined in GDPR as the right to erasure. This is slightly more encompassing than the original Google vs Spain rules, giving an individual the right to have their personal data erased and prevent it being processed in specific circumstances.
