Does GDPR require businesses to delete all data upon an individual’s request?

What is meant by “The Right to be Forgotten” under GDPR?

The right to be forgotten is one of the key innovations of GDPR, but it’s not exactly a new right, nor is it absolute. It developed in European law in the aftermath of an important court case known as the Google vs Spain ruling. In 2010, a Spanish citizen complained about an outdated court order against him appearing on Google search results. The European Court of Justice agreed this infringed on his right to privacy and ruled that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them where the information is inaccurate, inadequate, irrelevant or excessive.

The right to be forgotten has been enshrined in GDPR as the right to erasure. This is slightly more encompassing than the original Google vs Spain rules, giving an individual the right to have their personal data erased and prevent it being processed in specific circumstances.

Read more: what should a GDPR compliant privacy policy include?



Will regulators actually fine businesses 4% of global turnover for committing a General Data Protection Regulation offence? What are the actual repercussions of failing to comply with GDPR?

It’s a headline-grabbing threat designed to leave you shaking at your keyboard, fearful that one wrong keystroke will siphon off €20m, or 4% of turnover, whichever hurts the most. The current maximum fine that can be levied under the Data Protection Act 1998 is peanuts in comparison: £500,000.

Some of the biggest fines levied by the UK’s data protection regulator, the ICO, would balloon under GDPR rules. TalkTalk’s 2016 fine of £400,000 would become nearly £60m.

However, GDPR is not about fines. The ICO has made clear that maximum fines will not become the norm, nor will examples be made of big brands for minor infringements. As they’ve said, they prefer the carrot to the stick. The ICO’s record bears this out. In 2016/17, the regulator dealt with over 17,000 cases. Only 16 resulted in a fine.

Learn more: download VinciWorks’ GDPR guide to make sure your business is ready for GDPR implementation on 25 May.


After a successful 2017 that saw over 170,000 course completions, we are excited to present our tentative plan for new course releases and updates in 2018. Every year, VinciWorks plans its course schedule based on a combination of client feedback and prevalent compliance issues.

Updated cyber security training suite with two new courses

After several high profile cyber attacks exposed millions of systems in 2017, VinciWorks is set to release two mini courses to help staff protect themselves and their organisation from the latest threats. Each course can be completed in just five minutes. The two new courses are:


On Tuesday 21 February at 12pm, Director of Best Practice Gary Yantin will be joined by Director of Course Development Nick Henderson to explore the challenges facing organisations in preparing for GDPR and give guidance on what still needs to be done.

The webinar will cover:

  • Is your organisation ready for the changes?
  • What are your biggest challenges?
  • Conducting Data Protection Impact Assessments (DPIAs) and making the most of them
  • Dealing with sensitive categories of data
  • What to consider when appointing a Data Protection Officer
  • The Data Protection Bill 2018

The webinar will end with an opportunity to have your questions on the topic answered.



The General Data Protection Regulation (GDPR) is now in force. GDPR’s reach is global. Any company that offers goods or services to anyone in the EU will be required to comply.

If you haven’t started to comply, or are not sure what to do next, following these steps will help ensure you are ready for GDPR day.

1. Undertake a data audit

Organising an in-depth data audit across your organisation and all parts of the business is crucial to understanding where data exists, how it is used, and what should be done next. Think of data like oil running through an engine; it powers your organisation and makes it function, but it can also leak if the various conduits are not working properly. After an audit, you should be better able to identify risks, weak spots and priority areas to address.


GDPR mandates certain procedures when dealing with subject access requests

VinciWorks has added a new module to its data protection course, Data Protection: Privacy at Work. The new module on subject access requests explains what a subject access request is and how to respond to one. The module is the latest addition to the course, following the global data protection guide that was recently added.


The General Data Protection Regulation comes into full force on 25th May 2018

There are now less than six months to go until GDPR implementation, when it becomes law throughout the EU, including the UK. Any business operating in the EU, serving EU customers or shipping orders inside Europe will need to comply.

From training staff to rewriting privacy policies, there’s a lot that needs to be done to ensure your business is ready for GDPR. If you’re in the UK, the new Data Protection Act will form the basis of data protection law. However, ensuring your business is ready for GDPR will also ensure you are ready for the new Data Protection Act.

What is in the new UK Data Protection Bill?

Along with transposing GDPR into UK law, the Bill will replace the UK’s DPA 1998 and ensure that data protection law remains Brexit-proof.


VinciWorks has just added a new module to the course Data Protection: Privacy at Work. The new module explores and contrasts data protection legislation in countries around the world. It consists of an interactive guide to global data protection, in which users can easily look up the answers to a range of questions they may have about the data protection laws in various countries. This allows businesses to familiarise themselves with the data protection laws in any country they operate in and ensure they comply.


GDPR will come into full force in May 2018

The six principles of GDPR (General Data Protection Regulation) are similar in many ways to the eight principles of the Data Protection Act. While the six principles of GDPR do not include individuals’ rights or overseas transfers, these are covered elsewhere in GDPR.

One key difference is that under GDPR, you must show how you comply with the principles, not just that you do. This is a separate requirement known as the accountability principle which is integrated across GDPR.

Free mini course on the six principles of GDPR

VinciWorks has recently released a new mini course on the six principles of GDPR. The five minute course tests users’ knowledge on the six principles of GDPR and is part of VinciWorks’ course Data Protection: Privacy at Work. You can take the short course here.

What are the 6 GDPR Principles?

The six principles of data protection in GDPR are that data must be treated in a way that is:

1. Lawful, fair and transparent

There have to be legitimate grounds for collecting the data, and it must not have a negative effect on the person or be used in a way they wouldn’t expect.

2. Limited for its purpose

Data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.


A privacy policy must set out the different areas where user privacy is concerned and outline the obligations and requirements of the users, the website and website owners. Furthermore, the way your organisation processes, stores and protects user data and information should also be detailed in a privacy policy. The policy should be made available on your organisation’s website.

What is a GDPR privacy policy?

A GDPR privacy policy is a legal document that outlines how an organisation collects, uses, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR). The GDPR is a set of data protection regulations implemented in the EU to enhance the privacy rights of individuals and establish consistent data protection standards across the EU member states.

In a GDPR privacy policy, organisations provide transparent information about the personal data they collect, the purposes for which it is collected, how it is processed, and the legal basis for processing. The policy also covers details about data retention, data subject rights, security measures, data transfers outside the EU, and contact information for the data protection officer.

What needs to be included in a privacy policy?

Here are the main points that should be addressed in a privacy policy:

Use of cookies

Your policy should first define what cookies are and then explain what the organisation uses cookies for. It should stress that they are used to enhance the user experience, and any tracking software in use should also be stated.