Birthday candles for GDPR

Wednesday 25 May, 12pm (UK)

The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. During that time, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.

On the fourth anniversary of GDPR coming into force, we took a look at the last four years of GDPR, the effect the regulation has had on the way we collect and process data and what we can expect going forward.

The webinar covered:

  • A review of where businesses are falling short in GDPR compliance
  • What can we learn from recent GDPR fines?
  • How the UK’s data protection reforms affect UK GDPR
  • Best-practice guidance
  • How to implement an effective GDPR compliance programme

Intro to CCPA vs. GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR), a law regulating how businesses must handle personal data, came into effect. The impact on how online user data had to be handled was massive. Shortly thereafter, on 28 June that year, the California Consumer Privacy Act (CCPA) was passed, going into force on 1 January 2020. On August 14, 2020, the final regulations were approved and they immediately went into effect. To the relief of those companies that were already GDPR compliant, CCPA is, in many ways, a more lenient version of GDPR. However, there are important differences.

GDPR recap

GDPR legislates how companies in the EU must handle personal data. This includes names, email addresses, location data, browser data, etc. This legislation places a responsibility upon companies to be transparent in their handling of personal data and to maintain records of how they process that information. The law is meant to ensure that individuals always retain control over their information. Most importantly, consent to use personal information must be explicitly given before the information is collected, and it can be revoked whenever requested. There is no such thing as implicit consent. For example, browsing or scrolling through a website cannot be considered consent to collect and make use of personal information.

Trends in data protection for direct marketing

Have data protection authorities begun the great fightback against business? Perhaps they have been tasked with bringing in some much-needed cash to national coffers, because fines have become the next big trend in data protection and should seriously concern marketers in all sizes of business.

Some recent marketing-related fines have included:

  • Amazon – €746m for compiling data on customers
  • WhatsApp – €225m for failing to provide information in clear and plain language
  • Austria Post – €9.5m for failing to allow subject access requests by email
  • Grindr – €6.3m for sharing location services without consent because it was special category data on sexual orientation
  • Sky Italia – €3.3m for unwanted phone calls

Overall, there’s been a 113% increase in GDPR fines between July 2020 and July 2021, with 709 in total compared to 332 in the year before. Penalties for violations have more than doubled as well, from €130.69 million up to July 2020 to €293.96 million up to July 2021.

The UK government is planning significant changes to the UK’s data protection regime. From re-orientating the Information Commissioner’s Office (ICO) to new ways for businesses to process data, these far-reaching GDPR reforms are set to have a significant impact on business. We covered these changes in depth in a previous article and webinar.

High on the government’s agenda as outlined in their consultation is reform of the ICO – the Information Commissioner’s Office. This has been on the cards for some time, with the government keen to align the ICO towards delivering the National Data Strategy. The Department for Digital, Culture, Media and Sport (DCMS) has outlined their proposed changes to the regulator.

The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.

Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.

In this short video, our Director of Learning and Content takes us through what the potential changes are and how they might affect the way we process data.

Here’s what you need to know about the UK’s plans to radically alter GDPR

“The government wants to remove unnecessary barriers to responsible data use. A small hairdressing business should not have the same data protection processes as a multimillion-pound tech firm. Our reforms would move away from the “one-size-fits-all” approach and allow organisations to demonstrate compliance in ways more appropriate to their circumstances, while still protecting citizens’ personal data to a high standard.” Department for Culture, Media and Sport.

As COVID-19 restrictions are lifted and businesses begin to return to the office, companies are taking a variety of approaches to managing the transition. While some are staying at home for now and others have gone back full time, most are opting for a hybrid working policy. While this might be a sensible and fair solution for the time being, having staff work both at home and in the office raises several data security and GDPR compliance concerns.

In this webinar, we were joined by Dechert LLP’s Director of Risk and Compliance Mohbub Rahman to explore the key things you need to remember to keep data safe during the latest transition.

The webinar covered:

  • How companies are transitioning back to the office
  • How hybrid working works
  • Data protection risks in a hybrid working environment
  • How hackers and scammers took advantage during the pandemic
  • Best practice for data security with hybrid working

But European Commission warns adequacy could be revoked ‘immediately’

The UK has adequate standards of data protection, the EU Commission ruled yesterday, allowing businesses to breathe a sigh of relief. This decision means that data can continue to flow between the UK and EU, despite the UK now being a ‘third country’. Several other countries including Uruguay, Canada and New Zealand are considered to have adequate standards of data protection by the EU. Without an adequacy decision, data flows between the UK and EU would have been severely disrupted, requiring a wholesale review of clauses and contracts to ensure data could be transferred as it is now between the EU and third countries such as South Africa, India and China.

While the adequacy decision has been adopted for four years, Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns. 

On the three-year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and discussed what we can expect in the next 12 months.

During the webinar we shared a conversation between our Director of Learning and Content Nick Henderson and Richard Hogg, who is the global Information Governance Director for White & Case LLP. Hogg, who has 20 years of global experience in the field, is responsible for global information governance across the firm. He previously worked at IBM, where he played a critical role in its preparation for GDPR, and he speaks regularly on topics of privacy and information governance. Richard shared his expert perspective on GDPR and his views on the future of data protection.

Your questions answered on the international data transfer component of GDPR

On Friday, 4 June 2021, the European Commission published the long-awaited Standard Contractual Clauses (SCCs) to help European companies transfer data outside of the EEA.

Organisations can carry on using the current SCCs for a further 3 months and 20 days, until 24 September, 2021. Then there will be 18 months and 20 days to get the new SCCs in place. This means that organisations subject to GDPR must ensure that all vendor contracts and intra-group agreements contain the new SCCs by 24 December, 2022.
