The General Data Protection Regulation has now come into force. The UK’s third generation of data protection law, the Data Protection Act 2018, has received Royal Assent and its main provisions commenced on 25 May 2018. The new Act aims to modernise data protection law so that it remains effective in the years to come. VinciWorks has hosted a number of webinars to help businesses prepare for the EU-wide law.

On 24, VinciWorks hosted a full-day live webcast to answer questions, interview experts and review the changes to data protection law under GDPR.

Watch #GDPRday highlights

Full-day live GDPR webcast schedule

10:00am – Q&A on lawful basis for processing, Gary Yantin and Nick Henderson, VinciWorks

11:00am – GDPR Mythbusters, Webinar replay

11:30am – So you’ve been appointed DPO. What now? Interview with Andrew Moyser, MHA MacIntyre Hudson Chartered Accountants

12:00pm – Live Q&A on privacy notices and DPIAs, Alyssa Redsun and Nick Henderson, VinciWorks

1:00pm – Data Protection Impact Assessments, Webinar replay

2:00pm – The ICO’s view – what will change after GDPR? Richard Nevinson, Information Commissioner’s Office

2:15pm – GDPR – getting it right, Alex Brown, Simmons & Simmons

2:30pm – Live Q&A – ask us anything (about GDPR), Gary Yantin and Nick Henderson, VinciWorks

3:30pm – Privacy notices, Webinar replay

4:30pm – Dawn raids – preparing for the unexpected, Karla Gahan, VinciWorks

5:00pm – Closing remarks and guidance

View full schedule and presenter bios


Under GDPR, you need a lawful basis (a ‘condition for processing’) for every processing activity, but consent is only one of the available bases and you don’t always need to seek it. With just a week until GDPR comes into force, Director of Course Development Nick Henderson and Director of Best Practice Gary Yantin hosted another webinar to take a deep dive into the conditions for processing that underpin every use of personal data.

The webinar covered:

  • When do we need consent and when do we not?
  • How to rely on legitimate interest
  • Data processing scenarios
  • Answering your questions on the topic

Watch now


GDPR: An American Perspective

While the General Data Protection Regulation (GDPR) is an EU-wide regulation, its reach is global: it applies to any organisation, wherever it is based, that processes the personal data of people in the EU. Facebook, for example, looks set to comply with GDPR following Mark Zuckerberg’s congressional hearing, although there have been mixed reports on whether the platform will apply the same standards on a global scale. EU-based businesses with offices in the US, and US businesses handling EU residents’ data, will need to ensure they comply. VinciWorks’ course, GDPR: An American Perspective, allows businesses to train their US-based staff on GDPR from an American point of view.

Free demo


The Bribery Act 2010 defines bribery very broadly, as offering, promising or giving a financial or other advantage intended to “induce a person to perform improperly a relevant function or activity”. When it comes to any compliance matter, it is important to instil a culture in which all staff feel comfortable raising any concerns they may have, whether about the actions of a client, a colleague or a member of the management team. VinciWorks has therefore created a bribery whistleblowing policy template that can easily be edited to suit your organisation and to name the appropriate contact people.

Download policy template


With GDPR day less than a month away, Director of Course Development Nick Henderson hosted another webinar to help organisations prepare for the new EU-wide regulation. Nick guided listeners through the process of conducting a DPIA, answered questions on the topic and gave guidance on next steps to those who have already begun the process.

Read more: The VinciWorks GDPR training suite

The webinar covered:

  • The seven steps of conducting a DPIA
  • The suggested DPIA timeline
  • What to do if you haven’t yet started conducting your DPIAs
  • Who should be responsible for conducting and monitoring DPIAs
  • Shared tips from attendees

Key findings

  • 55% of attendees said they had not consulted externally on their DPIA, 27% said they had, and 8% said they had not but felt they should have
  • Biometric and genetic data are now special categories of data under GDPR, so large-scale processing of them triggers the need for a DPIA
  • It is important to act on the recommendations of the DPIA; where it identifies a high residual risk that cannot be mitigated, the organisation must consult the Information Commissioner’s Office (ICO) before the processing begins
  • Only 4% of attendees had conducted a DPIA on everything, while 30% were planning to begin the process soon

Watch now


What is a public register of beneficial ownership?

A public register of beneficial ownership is a centralised database or registry that contains information about the individuals or entities that ultimately own or control a company or legal entity. It aims to increase transparency and combat illicit activities such as money laundering, tax evasion, and corruption.

What is a declaration of beneficial ownership?

A declaration of beneficial ownership is a legal document or statement that discloses the individuals or entities who are considered beneficial owners of a company or legal entity. It is a means of providing transparency and fulfilling regulatory requirements in relation to ownership and control.

In the declaration, the company or entity typically identifies and discloses the individuals or entities that have a significant level of ownership or control over the organisation, even if their names do not appear on the official legal documentation. Beneficial owners are those who enjoy the benefits of ownership, such as receiving profits or having control over decision-making, regardless of the legal ownership structure.

Amendment to the Sanctions and Anti-Money Laundering Bill

On 1 May, Foreign Office minister Alan Duncan announced that the government would not oppose a Labour amendment to the Sanctions and Anti-Money Laundering Bill currently going through parliament that will introduce public ownership registers in Britain’s overseas territories.

The 14 overseas territories, including the British Virgin Islands and the Cayman Islands, will be required to introduce public registers by the end of 2020 or have them imposed by the UK government. The amendment will not apply to the Crown Dependencies of Guernsey, Jersey and the Isle of Man, as Parliament cannot legislate for them, but Conservative MP Andrew Mitchell, who co-sponsored the amendment with Labour MP Margaret Hodge, hoped the Crown Dependencies would also embrace the registers.


The GDPR resource page
Tens of thousands of businesses have used VinciWorks’ GDPR resources to ensure their policies and training are up-to-date

Is your organisation ready for the EU-wide General Data Protection Regulation, which comes into force on 25 May? What still needs to be done to prepare? VinciWorks has created a resource page containing GDPR compliance tools, course demos, policy templates and more.

The resource page includes:

  • Course demos of all the training included in the GDPR training suite
  • Knowledge checks to test staff’s knowledge of the changes to data protection regulation under GDPR
  • Online guides, including the VinciWorks guide to GDPR
  • Downloadable and editable GDPR related policy templates
  • On-demand GDPR webinars
  • Helpful articles on GDPR compliance

View the GDPR resource page

Businesses across the EU, large and small, are scrambling to get privacy notices ready for GDPR


What is a GDPR-compliant privacy policy?

A GDPR-compliant privacy policy should set out the areas in which user privacy is affected and outline the obligations and requirements of users, the website and the website owner. It should also detail how your organisation processes, stores and protects user data. The policy should be published on your organisation’s website.

The main points that should be addressed in a privacy policy include:

  • Use of cookies: define what cookies are and how and why your organisation uses them
  • Personal information: if your organisation requests or stores personal information, this should be made clear. Under GDPR, individuals have the right to request a copy of this information and, in certain circumstances, to have it erased
  • Information collection and use: the policy should make clear how your organisation collects information and how long it is retained
  • Other information: a GDPR-compliant privacy policy must make clear how any other information collected, for example through registration forms, is used, and must explain how to unsubscribe from any mailing list

What is a GDPR-compliant privacy notice?

A privacy notice tells the people whose data you are collecting:

  • Who you are
  • What you are going to do with their information
  • Who you will share it with

At minimum, a privacy notice must cover those three things; Article 13 of GDPR also requires the purposes and lawful basis for the processing, retention periods, the individual’s rights and, where applicable, any international transfers. GDPR requires a privacy notice to be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, appropriate for the audience, and provided free of charge.

Three key aspects of developing a good GDPR privacy notice

There are three key aspects of good practice to keep in mind when developing a GDPR compliant privacy notice.


As Facebook CEO Mark Zuckerberg continues his testimony in Congress following the Cambridge Analytica scandal, he has been set a pile of homework to strengthen Facebook’s data protection practices and become GDPR compliant. While the inquiry arose from an investigation into Cambridge Analytica, in the long run it may have come at the perfect time, with GDPR just weeks away from coming into full force. During the hearing, Zuckerberg committed to applying GDPR’s standards to users worldwide.

Eight things Facebook must do to comply with GDPR

Here is what the social network giant must do to ensure it is at least on the way to full compliance by 25 May 2018.

1. Appoint a data protection officer (DPO)

Under GDPR, public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special category or criminal offence data on a large scale are required to appoint a DPO. Facebook has certainly recognised this need, advertising the vacant position on its website and elsewhere. It remains to be seen, however, whether Zuckerberg will appoint a DPO, or someone in a similar role, to strengthen data protection compliance across the US as well.


What is data protection impact assessment?

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks of their processing activities. They are particularly relevant when a new processing activity, system or technology is being introduced. Responsibility for a DPIA sits with the data controller, who must seek the advice of the data protection officer (DPO) if one has been appointed. Some organisations may choose to bring in an external party to conduct the assessment.

A DPIA must be carried out where processing, in particular using new technologies, is likely to result in a high risk to individuals. It is also good practice to conduct one for any large-scale processing you carry out. A DPIA needs to contain a detailed description of the processing operations, an assessment of the necessity and proportionality of the processing in relation to its purpose, an assessment of the risks to individuals, and the controls put in place to mitigate those risks and protect people’s information.

Read more: on-demand DPIA webinar

When is a GDPR Data Protection Impact Assessment Required?

In general, GDPR requires Data Protection Impact Assessments (DPIAs) to be carried out for any new high risk processing activities, and specifically in the following cases:

  • If you use systematic and extensive profiling with significant effects
  • If you process special category or criminal offence data on a large scale
  • If you systematically monitor publicly accessible places on a large scale

Each of those three cases requires a DPIA on its own. Beyond them, the Article 29 Working Party’s DPIA guidelines (WP248) list nine criteria that indicate likely high risk, including evaluation or scoring, automated decisions with legal or similarly significant effects, systematic monitoring, sensitive or highly personal data, large-scale processing, matching or combining datasets, data about vulnerable individuals, innovative technology, and processing that prevents people exercising a right or using a service. As a rule of thumb, processing that meets two or more of these criteria requires a DPIA, but in some cases meeting a single criterion is enough.

The process of carrying out a DPIA helps to make informed decisions about data protection risks and to communicate effectively with the individuals affected. Although risks can never be completely eliminated, the DPIA can help you identify and mitigate data protection risks early, to find solutions to those risks, and to assess whether a project is viable.

High risk data processing

Under GDPR, organisations must undertake a DPIA when processing is likely to result in a high risk to individuals. High-risk processing includes systematic and extensive profiling, large-scale processing, processing of special category (sensitive) data or data relating to criminal convictions, and systematic monitoring of publicly accessible areas, for example by CCTV.