GDPR: Privacy at Work is one of the seven courses we have updated in light of Brexit

On 31 January 2020 the UK’s membership of the EU ended and Britain entered a transition period that lasts until 31 December 2020. To prepare for the change, a flurry of Brexit-related legislation was passed. One central piece with wide-ranging impact concerns GDPR: once the transition period ends, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend the retained text of GDPR into a UK version, commonly called the UK GDPR, alongside the Data Protection Act 2018. The impact of Brexit on each business will depend on its type and on the locations in which it collects and processes data, but there is sure to be some level of impact for everyone.

On-demand webinar: Is GDPR over? What Brexit means for UK data protection law

A number of our courses required minor amendments following the UK’s departure from the EU on 31 January 2020. Mainly, these changes affected our suite of data protection training, which now includes an opening paragraph making it clear that mentions of GDPR in the course refer to both the EU GDPR and the UK GDPR rules, unless otherwise stated.


Should we be sharing files via email?

Reducing cyber breach risks in your business

Sending information by email is never really secure, even when you use webmail over an HTTPS connection: HTTPS only protects the link between your browser and your own provider. Once the message leaves that provider it travels between mail servers over SMTP, where encryption in transit (STARTTLS) is opportunistic rather than guaranteed, and the message is readable by every server along the way. Not all email providers offer an encrypted way to send messages at all.

Unless the file itself is encrypted before it is attached, for example as a password-protected PDF or archive with the password shared over a separate channel (never in the same email), there is no guarantee that the intended recipient will be the only one able to read it.
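One practical way to see the problem for yourself is to read the Received: headers of a message you have been sent: each mail server records whether the previous hop used TLS. The script below is an added example, not part of the original post; it uses only the Python standard library and a constructed sample message whose hostnames and addresses are made up.

```python
"""Audit the Received: chain of an email to see which hops used TLS.

Added example (not from the original post). It uses only the Python standard
library and a constructed sample message; every hostname and IP below is made up.
"""
import email
import re
from typing import Dict, List

# RFC 3848 "with" tokens that denote a TLS-protected SMTP session:
# ESMTPS, ESMTPSA (TLS + authenticated), SMTPS, UTF8SMTPS(A).
TLS_PROTOCOL = re.compile(r"^(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)

# Constructed sample: three hops, the middle one delivered over plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mx.example-recipient.test (mx.example-recipient.test [203.0.113.10])
\tby imap.example-recipient.test with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 2 Mar 2020 09:15:02 +0000
Received: from relay.example-sender.test (relay.example-sender.test [198.51.100.7])
\tby mx.example-recipient.test with ESMTP id def456;
\tMon, 2 Mar 2020 09:15:01 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.example-sender.test with ESMTPSA id ghi789
\t(version=TLS1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 2 Mar 2020 09:15:00 +0000
From: alice@example-sender.test
To: bob@example-recipient.test
Subject: Q1 payroll spreadsheet

See attached.
"""


def audit_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return one record per Received: header, in delivery order (sender first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so the top header is the final
    # hop; reverse the list to read the path the way the message travelled.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+(\S+)", flat)
        with_token = proto.group(1) if proto else "unknown"
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "with": with_token,
            "tls": bool(TLS_PROTOCOL.match(with_token)),
        })
    return hops


def unencrypted_hops(raw_message: str) -> List[str]:
    """Human-readable list of hops that were not protected by TLS."""
    return [
        f"{h['from']} -> {h['by']} ({h['with']})"
        for h in audit_hops(raw_message)
        if not h["tls"]
    ]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        flag = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:28} -> {hop['by']:28} {hop['with']:8} {flag}")
    print("Unencrypted hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Two caveats when using this on real mail: Received: headers are written by servers you do not control and can be omitted or forged, so a clean chain is evidence rather than proof; and even a chain where every hop shows TLS only tells you the message was encrypted on the wire, not that it was unreadable on each server. That is why encrypting the file itself, with the password sent out of band, is the only control that actually keeps the content between sender and recipient.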


Since GDPR came into force, there have been:

  • 160,000 breach notifications made to authorities
    • 247 notifications per day in 2018
    • 178 notifications per day just in the first half of 2019
  • A total of £100m in fines

Here are some of the recent fines that regulating authorities have issued and guidance on how to make sure your business stays on the right side of GDPR.

Four GDPR fines we can learn from

British Airways – £183m (under appeal)

What happened?

The airline fell victim to a cyber attack in which the personal data of around 500,000 customers was stolen. According to the ICO, users of British Airways’ website were diverted to a fraudulent site, through which the attackers harvested the details of about 500,000 customers. The incident was first disclosed on 6 September 2018; BA initially said approximately 380,000 transactions were affected, but that the stolen data did not include travel or passport details.

Why are they being fined?

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”


10 things you need to know about Brexit and GDPR

What’s happening on Friday 31 January 2020?

On Friday 31 January 2020 the UK’s membership of the EU ended and Britain entered a transition period that lasts until 31 December 2020. During the transition, EU rules and regulations, GDPR included, continue to apply in the UK; they stop having direct effect only when the transition period ends.

To prepare for this change, the government passed a flurry of Brexit-related legislation in recent years. The one relating to data protection is the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

How much of an impact will Brexit have on business?

While there is sure to be some level of impact for everyone, the impact of Brexit on each business will depend on the type of business and, most importantly, on the jurisdictions in which it collects and processes data. Because of the Brexit transition period, the impact is unlikely to be immediate.


27% of our listeners have suffered a data breach since GDPR came into force

On 31 January 2020 the UK leaves the European Union, and GDPR as we know it will come to an end.

Once the transition period that follows exit day ends, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 come into effect. They make hundreds of changes to both the retained GDPR text in UK law and the Data Protection Act 2018, producing what is known as the UK GDPR.

In this webinar, our Director of Course Development Nick Henderson and DPO Ruth Cohen helped organisations understand what data protection looks like in a post-Brexit world.

The webinar covered:

  • How Brexit will impact on UK data protection law
  • What changes organisations, DPOs and compliance officers need to make to their policies and procedures
  • The most recent GDPR cases from across the UK and Europe
  • The latest in compliance advice and inside tips
  • Answering all your GDPR and Brexit questions

Get ePrivacy done

It’s hard to think of something going on longer than Brexit, but the ePrivacy rules might just be it.

What is the ePrivacy regulation?

The existing ePrivacy rules date from a 2002 EU directive (implemented in the UK as PECR) covering electronic communications: email marketing, cookies on websites and the confidentiality of electronic communications. The directive was meant to be replaced by a new ePrivacy Regulation alongside GDPR in May 2018, but… it hasn’t happened.

One goal of the proposed ePrivacy Regulation is to extend the regulatory framework to newer forms of electronic communication, including machine-to-machine communications and the internet of things.

Are your company’s Christmas cards GDPR friendly?

It might sound like a Daily Mail headline, but don’t dismiss this as political correctness gone mad just yet. Your company Christmas cards could very well result in a data protection violation.

Santa Claus checks his list twice, and so should you. Keeping marketing lists up to date is vital for GDPR compliance and sending out the annual Christmas card is no different than any other mass mailing. Are there people on the list who’ve objected to receiving marketing information, or former customers your business hasn’t dealt with in years? Strike them off. The last thing you’ll need in the new year is a flurry of data protection complaints.


Compliance with the General Data Protection Regulation (GDPR) is an ongoing process. Organisations should regularly review and update their policies and data collection processes, and refresh staff training. The best way to refresh staff’s knowledge is to enrol them in a new course around once a year, rather than simply ask them to take the same course they took a year ago. With GDPR now having been in force for over a year, VinciWorks will be adding a new course to the GDPR training suite that includes both refresher training and role-specific advanced modules.

How does the course work?

The recommended use of GDPR: A Practical Overview is to put all staff through the six basic modules, and to add advanced modules for specialised staff in certain departments. Personalisation questions at the beginning of the training mean that staff in roles that require advanced training, such as HR, IT and marketing, can choose to take job-specific modules. The basic modules cover the basics of data, keeping data safe, working from home, data subject rights and data breaches, with review questions included within each module.

The five data principles

The meaning of data can be as broad as any information, from health records to a lunch order. Different kinds of data are subject to different laws with varying levels of severity. In the US, for example, health data held by healthcare providers and insurers is subject to a strict set of regulations known as HIPAA. Here is some guidance on protecting your clients’ and colleagues’ data through five basic data privacy rules.

Data privacy law in the US

Data privacy rules apply to any information related to a person that can be used, on its own or in combination with other clues, information or context, to identify, contact or locate that person, either directly or indirectly.

It could be a name, photo, email address, date of birth, ethnicity, religion, financial record, medical information, or employment history. It could even be posts on social networking sites.

Different countries use different terms to describe this kind of data. In the US, it’s known as personally identifiable information (PII).

The key data principles

While specific rules on data privacy can vary by state and jurisdiction, there are some basic rules that should always be followed. You need to be aware of these because everyone in an organization is responsible for protecting the data held on employees, customers and clients.


Information Commissioner’s Office (ICO) announces its intention to fine British Airways for a data breach under GDPR

The ICO has just published its Notice of Intent to fine British Airways £183.39 million for infringements of the security principle of GDPR. The breach was disclosed by the airline back in September 2018.

While the ICO has merely published its intention and no actual fine has been imposed, the fact that the ICO has published a Notice of Intent suggests that it has enough evidence of the breach to keep British Airways on the hook.

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, as well as the name and address of customers.
