Wednesday 24 May, 12:00pm (UK)

The EU’s General Data Protection Regulation (GDPR) has now been in force for five years. During that time, fines have totalled close to €2.8 billion, with over €1 billion in fines coming in the past 12 months. The most recent fines show that both large and small businesses are subject to regulators’ scrutiny.

Listen again to our webinar on GDPR’s fifth anniversary to look at the effect the regulation has had on the way we collect and process data and what we can expect going forward. We were joined by our own in-house DPO and went through the key developments in GDPR from across the EU.

The webinar will cover:
– A review of where businesses are falling short in GDPR compliance
– What can we learn from recent GDPR fines and enforcement actions?
– An update on the UK government’s proposed GDPR reforms
– The GDPR risks of AI services like ChatGPT
– Best-practice guidance
– How to take your GDPR compliance to the next step


As the UK grapples with whether, how, when and with exactly what it will replace GDPR (if at all), there is data showing a wider compliance gap that will persist whatever data protection regime the UK settles on.

Data from the UK government’s own impact assessments paints a stark picture. There are over 4 million companies in the UK, each one registered with Companies House. Just over a million companies are registered as data controllers on the ICO’s public register.


Under GDPR, a data subject has the right to obtain confirmation as to whether or not their personal data is being processed. The right to receive data under a subject access request must not adversely affect the rights and freedoms of others. You cannot comply with a subject access request if doing so would adversely affect someone else’s rights. If the information is subject to legal privilege or concerns a third party, it may not be possible to release it.

What is a subject access request?

Data subjects are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. The process of finding this out is known as a subject access request, or SAR.

A subject access request is not the same as a Freedom of Information (FOI) request. An FOI request covers information held by public authorities, but not personal information about the person making the request. If you are not a public body or otherwise covered by FOI legislation, an FOI request cannot be made to you.

The UK government has published its response to the data protection consultation

Response to the UK GDPR consultation published

The government has published the draft legislation to amend the data protection regime in the UK. The Data Protection and Digital Information Bill (DPDIB), which was introduced to Parliament just before the summer recess and before the appointment of the new government in September, would modify the existing UK version of GDPR and create some significant areas of divergence from EU GDPR. Earlier this year, VinciWorks outlined the key changes that were expected to be made. The aim of the new UK data protection legislation is to ease GDPR requirements for companies and make them less burdensome.

What are the key changes the UK data protection bill seeks to introduce?

Among other things, the changes will:

  • amend the definition of personal data
  • allow AI to be used to process sensitive data and other information
  • add new legitimate interests
  • remove the requirement for cookie consent
  • amend accountability requirements
  • remove the need to appoint a data protection officer
  • allow fees to be charged for access to your own data
  • remove record-keeping requirements
  • reform the Information Commissioner’s Office (ICO)
  • raise fines for PECR breaches

Even though the bill proposes widespread changes, it actually preserves the existing UK GDPR and the PECR, as it was drafted as an amending act rather than a completely new legislative instrument.

In addition, there is a chance that political factors could stymie the bill. If an election is called prior to the bill receiving royal assent, it won’t become law. The UK’s adequacy status with the EU remains a question, even though the government has expressed the opinion it is entirely possible to retain it.

New courses and resources coming soon

VinciWorks is closely following the legislation and will, in the coming weeks and months, release new and updated resources, guides and a completely revised UK GDPR course that will reflect the changes and keep you and your organisation aware of everything you need to know about the updated bill.

Stay updated

You can keep up with the latest via our blog and through the Regulatory Agenda that we publish, which documents new and important compliance regulations.


The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. GDPR’s reach is global, and in the four years that it’s been in force, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.

Any company that offers goods or services to anyone in the EU is required to comply with GDPR, and any employee who collects, processes or stores data as part of their responsibilities needs to be trained in data protection rules and regulations. This includes business owners, directors, managers, supervisors, staff and contractors.

But now it’s been over four years since GDPR came into force and some might be asking if it’s still relevant, and why they should still care.


Your GDPR Questions and Answers

Thank you to everyone who came along to last week’s GDPR webinar. We had a number of questions during the webinar and we’ve answered them all here in this blog. Please contact us if you would like a personalised discussion on your data protection compliance needs.

Top 12 GDPR questions and answers

How can I legally transfer data to the USA?

Right now the way to legally transfer data to the USA is using the standard contractual clauses, or the British equivalent mechanism. This means going through a risk assessment process and filling out all the paperwork covering who the data is going to, who processes it, etc.

Think of it like exporting physical goods. Paperwork needs to be filled out properly at the port of exit, and data is unfortunately no different. But do the paperwork correctly and there shouldn’t be too many problems.


Wednesday 25 May, 12pm (UK)

The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. During that time, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.

On the fourth anniversary of GDPR coming into force, we took a look at the last four years of GDPR, the effect the regulation has had on the way we collect and process data and what we can expect going forward.

The webinar covered:

  • A review of where businesses are falling short in GDPR compliance
  • What can we learn from recent GDPR fines?
  • How the UK’s data protection reforms affect UK GDPR
  • Best-practice guidance
  • How to implement an effective GDPR compliance programme



Intro to CCPA vs. GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR), a law regulating how businesses must handle personal data, came into effect. The impact on how online user data had to be handled was massive. Shortly thereafter, on 28 June that year, the California Consumer Privacy Act (CCPA) was passed, going into force on 1 January 2020. On 14 August 2020, the final regulations were approved and immediately went into effect. To the relief of those companies that were already GDPR compliant, CCPA is, in many ways, a more lenient version of GDPR. However, there are important differences.

GDPR recap

GDPR legislates how companies in the EU must handle personal data. This includes names, email addresses, location data, browser data, etc. This legislation places a responsibility upon companies to be transparent in their handling of personal data and to maintain records of how they process that information. The law is meant to ensure that individuals always retain control over their information. Most importantly, consent to use personal information must be explicitly given before that information is collected, and it can be revoked whenever the individual requests it. There is no such thing as implicit consent. For example, browsing or scrolling through a website cannot be considered consent to collect and make use of personal information.



Data protection is the precautionary procedure used to control personal information used by businesses and organisations. The Data Protection Act (DPA), recently updated in 2018, complies with some of the directives stated within the European General Data Protection Regulation (GDPR). Businesses in the UK are obliged to abide by the protection principles listed in the DPA, from the moment personal data is received until it is either returned or destroyed.

Consequently, it is essential that staff members are thoroughly educated and trained in handling personal data. The Information Commissioner’s Office (ICO) maintains and enforces the DPA across the UK, so awareness and understanding of the DPA is essential for businesses to ensure they do not breach it, which would result in action from the ICO.

The UK’s DPA is now in its third generation; therefore, organisations are required to modernise and comply with these new regulations. Data protection regulations vary slightly between small and medium-sized enterprises (SMEs) and large businesses. The variation is only slight, yet it still calls for comprehension.

How does the DPA affect SMEs in particular?

Researchers have suggested that the SME sector is quite unclear as to how the DPA will affect it. The ICO’s guidelines have therefore established that if an organisation, regardless of size, is handling personal data from a living and identifiable individual, then it must comply.

The recent Cambridge Analytica scandal highlights that the size of a company has little impact on whether it should comply with data protection regulations. Cambridge Analytica was considered an SME, with fewer than 250 employees; however, Cambridge Analytica’s involvement in the data breach of ten million Facebook users has led to financial consequences. Facebook users’ data was leaked to Cambridge Analytica, the small firm campaigning for Donald Trump in 2016. Subsequently, Cambridge Analytica has been banned from Facebook following its data breach and refusal to delete this data back in 2015.

This exemplifies the mishandling of personal data by a business giant such as Facebook and an SME such as Cambridge Analytica. Consequently, SMEs and all businesses which handle personal data fall within the scope of the DPA.

Data Destruction Policy

Businesses are required to formulate a data destruction policy to comply with the DPA. This data destruction policy is formulated to ensure that data previously stored on devices, such as company hard drives, flash memory devices and mobile phones, is made irretrievable.

Computer recycling has hindered data destruction policies, as organisations have discarded computers without effectively destroying the data held on them. The business sector is saturated with IT systems, so there is a responsibility to destroy the data on these computers to prevent cyber-criminals from gaining access to personal data.

Researchers in the UK retrieved personal information in the form of bank account details, company data and medical records from over 300 hard drives bought on eBay and at computer auctions. This research was headed by BT’s Security Research Centre following the highly sensitive case in which a hard drive bought from eBay contained details of a US military missile air defence system. Consequently, data destruction has become imperative if a business wants to mitigate the risks of a data breach.

How serious are the repercussions of a data breach within a business or organisation?

The repercussions of a data breach have intensified with the new legislation. The ICO can now fine an organisation up to four percent of their annual global turnover, or twenty million euros, whichever is higher.

Yahoo! UK Services Limited was fined £250,000 by the ICO following a data breach in November 2014. This data breach affected 500 million Yahoo! users and resulted in the compromise of their personal data.

The ICO considered the response from Yahoo! UK Services Limited inadequate, as it did not conform to the correct organisational measures needed to protect personal data. Therefore Yahoo! UK Services Limited was found guilty of breaching the seventh data protection principle in the DPA 1998.

This principle states that:

‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

The size of the penalty the ICO imposed on this organisation demonstrates the crippling nature of a data breach. It is therefore essential for a business or organisation to avoid a data breach, so that such repercussions are never experienced.

Through sound knowledge and training that has been updated in line with the new DPA legislation, businesses can ensure that compliance with the DPA is upheld. Staff members and businesses collectively will then have a confident base to work from regarding their data protection.