A Q&A on AI and business with Shlomo Agishtein, AI lead at Trullion

As artificial intelligence (AI) tools become part of the daily processes of nearly every company, and AI regulations bear down (we’re looking at you, AI Act), it is more and more important to understand how to use and develop these tools ethically and effectively.

VinciWorks sat down with AI expert Shlomo Agishtein to discuss what companies need to understand about AI, how these tools can be used, why an AI company policy matters and how worried we should all be about AI regulation.


How to comply with Lei Geral de Proteção de Dados, Brazil’s data protection law

Brazil’s Lei Geral de Proteção de Dados (LGPD) is the country’s first comprehensive personal data protection law. It entered into force in September 2020 and aligns closely with the EU’s General Data Protection Regulation (GDPR).

Before LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. The aim of the LGPD was to unify the 40 different Brazilian laws that regulated the processing of personal data.

LGPD sets forth Brazil’s conception of personal data and when its use is authorised. Comprising 65 articles, it deals with the rights of data subjects and has 10 legal bases for the processing of personal data, which is four more than GDPR.


Thanks to GDPR, DPIAs matter more than ever. Here’s why – and tips on how to do them

A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. They always mattered but the General Data Protection Regulation (GDPR) made them matter much, much more.

As most Data Protection Officers (DPOs) and data processors are aware by now, GDPR added significant compliance burdens. Under GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and each processing activity needs to be documented. GDPR also introduced an obligation to carry out a DPIA before any processing that is likely to result in a high risk to individuals. If your DPIA identifies a high risk that you cannot mitigate, you must consult the supervisory authority (in the UK, the Information Commissioner’s Office, ICO) before starting the processing. The regulator can recommend changes to reduce the risk, issue a formal warning not to carry out the processing, or ban the processing altogether.


It’s been almost six years since Europe’s data protection landscape changed with GDPR. Are you prepared for SARs?

Since the General Data Protection Regulation (GDPR) was passed there has been almost constant change for companies, with new case law, rulings and court cases making compliance with GDPR an ongoing hot topic for organisations of all shapes and sizes.

With GDPR decisions from 27 different member states coming through on an almost daily basis, it can be a challenge to ensure compliance. One of the basic rights of GDPR is a subject access request (SAR). It provides people with the right to access and receive a copy of their personal data, and other supplementary information. SARs can be made verbally or in writing, including via social media.

People are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. 


The EU’s General Data Protection Regulation (GDPR) marks its fourth anniversary after coming into effect on 25th May 2018. Since then, it has paved the way for other data protection regulations, including the CCPA, and 1.6 billion euros of fines have been issued. 

While the UK has adopted its own version, UK GDPR, companies of all sizes continue to fall short of GDPR compliance, most visibly through data breaches.

Four years on, and with the Information Commissioner’s Office (ICO) issuing a record £42m in fines over the 2020/21 financial year, organisations have taken compliance with GDPR and other data protection regulations more seriously.

The ICO recently fined the facial recognition database firm Clearview AI £7.5 million for breaching UK data protection rules, a significant reduction from the £17m provisional fine announced in November 2021. Clearview built an online database by collecting more than 20 billion images of people’s faces, together with associated data, from publicly available websites and social media. It did not tell any of the individuals concerned that their images were being collected or used in this way, which goes against data protection regulations.

What’s the biggest challenge with GDPR? 

We spoke to our CTO, Jason Stirland, who highlighted, “the biggest challenge with GDPR remains that it’s not always fully understood by employees.  

“This is why regularly refreshing data protection training for all employees is crucial, no matter their level, as it ensures that every employee understands their GDPR obligations, to protect themselves and the organisation.

“Data breaches can happen for several reasons, and with employees being the most vulnerable resource, human errors will tend to occur. Be that as it may, it remains an organisational responsibility to reduce the likelihood of data breaches by giving employees cybersecurity awareness training, e.g. learning how to spot a phishing email and not sharing any personal or confidential information with third parties.”

GDPR and the Great Resignation – Is there an impact? 

Jason revealed that the pandemic created pathways for significant people changes in organisations of all sizes, thanks to the Great Resignation.  

“With this in mind, organisations must remember to do their due diligence and ensure newer team members are provided with GDPR training to ensure compliance. It’s worrying how many organisations fail to consider this within the onboarding process, especially with many employees now joining companies on a remote working or hybrid basis – ensuring they can learn this from home will be vital.” 

If you’re looking to reduce GDPR training gaps within the onboarding process or improve GDPR compliance overall in employees, then take a look at our data protection courses and get in touch with us today for a free demo

The General Data Protection Regulation (GDPR) has been around long enough for us all to understand its basic data protection principles. While the regulation itself may no longer be new to businesses, new businesses, processes and situations appear every day across the world, and they must still comply with GDPR.

This blog looks at the 7 key principles of GDPR, what they are and what businesses are expected to do to comply with them, and how to ensure GDPR compliance in 2022.

What are the 7 Key Principles of GDPR?

There are 7 principles of the General Data Protection Regulation which all businesses should be aware of. By creating a culture of compliance around these principles, organisations can rest assured they are well on their way to GDPR compliance.


Setting the scene

To practically demonstrate how the 7 key principles of GDPR can affect business practices, we will follow a newly created company, NeltaDet, as they begin their journey to be GDPR compliant. NeltaDet is building a mailing list to receive a monthly compliance newsletter. They aim to capture website visitors’ details through their online newsletter sign up form or an opt-in tick box on their product enquiry form.

Lawful, fair and transparent

The first GDPR principle consists of 3 components:

1. Lawful – this refers to the legal justification for processing people’s data. There must be a lawful basis for you to process personal data. GDPR provides six lawful bases:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public task
  6. Legitimate interest

More information on these can be found here.

2. Fair –  this refers to the scope of personal data processing. This should be limited to what is expected by the person whose personal data is being processed.

3. Transparent – when dealing with an individual’s personal data, GDPR guidelines require you to communicate clearly and simply about how that person’s personal data is intended to be used.

For NeltaDet, a voluntary sign-up form and an opt-in tick box give it consent as its lawful basis. Transparency is achieved by telling the visitor what the compliance newsletter is and how their data will be handled, and pointing them to NeltaDet’s privacy policy. When processing the data, NeltaDet has to make sure it uses the data only fairly: it would, for example, be a breach of GDPR to use this list to send Health and Safety training emails.


Purpose Limitation

Purpose limitation means that personal data is processed only for the specific purposes for which it was collected. Using it for a new, incompatible purpose without a fresh lawful basis (such as new consent) is a breach of GDPR, and the business, and in some cases the individuals responsible, can face fines and, under the Data Protection Act 2018, in some circumstances criminal charges.

NeltaDet’s newsletter sign-up process automatically stores the IP address of the individual on sign-up. At the time, this was so NeltaDet could keep a record of how and when it gained consent to send the newsletter to this individual. Someone in the marketing team now wants to repurpose this personal data to send geographically targeted email campaigns based on subscribers’ IP addresses. That is a new purpose the subscriber was never told about and did not consent to, so it breaches the purpose limitation principle and could result in a fine and/or charges against individuals and the business. Personal data should only be used for the purposes stated when it was collected, unless the new purpose is compatible with the original one or a fresh lawful basis is obtained.

Data Minimisation

When collecting customer information, it can be tempting to collect as much data as possible to maximise the information you have on your customer database. However, the GDPR principle of data minimisation requires businesses to collect only the information they need. Long gone are the days of long sign-up forms and endless questions. GDPR requires the collection of personal data to be limited to what is needed, not what is wanted.

For NeltaDet’s compliance newsletter sign up form they should only be asking for two pieces of information – the individual’s name and email address. This is the only information required to send their newsletter and no other information should be requested.


Accuracy

Any business’s data should, at the very minimum, be accurate regardless of GDPR. Under GDPR, however, personal data must be accurate and, where necessary, kept up to date, and the data controller and/or data processor must take reasonable steps to ensure that inaccurate personal data is corrected or erased without delay.

The ICO states that where a business uses its own sources to compile personal data, it should ensure that the information is accurate. Sometimes, however, you may not be able to check the accuracy of information that comes from a third party. In that case, you should:

  • accurately record the information provided;
  • accurately record the source of the information;
  • take reasonable steps in the circumstances to ensure the accuracy of the information;
  • and carefully consider any challenges to the accuracy of the information.

Regarding NeltaDet’s situation, they should ensure that their data controller/processor regularly cleans their data and ensures it is accurate. It would also be good practice to give all subscribers a preferences portal where they can manually edit their own personal data and unsubscribe if they want to, helping to ease the workload for NeltaDet and improve the quality of their data.

Storage limitations

Under GDPR, businesses should not store data for longer than they need it. They should also be able to justify why any data is stored. It is good practice to develop a data retention policy that stipulates how long personal data will stay on file – this helps to satisfy GDPR documentation requirements.

Much like the accuracy principle, storage limitation means reviewing the personal data you hold regularly. Data that is no longer needed should be erased (or anonymised) on a regular schedule, both to meet the storage limitation principle and to keep business data clean.

Individuals also have the ‘right to erasure’ which allows them to request their data gets deleted. However, there are scenarios where businesses can still store personal data even if an individual has submitted an erasure request. To better understand the right to erasure, check out our Right to Erasure online training course.

For NeltaDet’s compliance newsletter, storage limitation is straightforward. The individual consented to receive the newsletter, and NeltaDet has a preferences management portal that lets subscribers keep their data accurate. When an individual unsubscribes from the compliance mailing list, their data must be deleted from the system if they are not subscribed to anything else and are not a customer, because the only purpose for holding their data was to send them the compliance newsletter. Once they unsubscribe, that reason no longer exists.

However, if the individual unsubscribing from the compliance newsletter is an existing customer with active subscriptions to their other newsletters, then NeltaDet can continue holding their data on the system, without sending the compliance newsletter to them.

Integrity and confidentiality

GDPR’s integrity and confidentiality principle derives from two sides of the CIA triad. This principle ensures any business dealing with personal data has appropriate security measures in place to protect it from both internal and external threats.

Integrity – refers to protecting personal data from manipulation, ensuring information stays correct.

Confidentiality - refers to protecting personal data from unauthorised access. Ensuring cyber criminals and other unauthorised people cannot access a business’ stored data, keeping it confidential.

NeltaDet needs proper systems in place to keep its data secure. A password-protected system such as a CRM is a starting point, but only a basic one. Article 32 of GDPR expects security measures appropriate to the risk, and explicitly mentions encryption and pseudonymisation, the ability to restore data after an incident, and regular testing of the controls; in practice that also means limiting access to the staff who need it, with multi-factor authentication on that access, and logging who accessed what. Discover our range of data protection courses here.

Accountability

This is the final principle of GDPR, and it is concerned with taking accountability for GDPR compliance in a business. Accountability should involve more than just tick-box exercises. It requires organisations to take responsibility for their actions, and how they comply with the other GDPR principles. Organisations must demonstrate that they have appropriate measures and records in place to highlight their accountability.

For NeltaDet’s compliance newsletter, accountability means recording the lawful basis (the consent given by the individual, and when and through which form it was given) and how the data was to be handled at the point of collection, and then documenting how the other GDPR principles are met: the compliance procedures in place, the risks identified, and any breaches that occur.

How to ensure GDPR compliance in 2022

Training. High-quality, comprehensive training for all staff is essential to GDPR compliance in 2022. GDPR is a vast landscape that affects every person and every department within an organisation, so training must be thorough and regular. Non-compliance can be significantly damaging, financially and reputationally, and in some circumstances employees can face personal liability in a court of law. Every individual in a business should understand their role in assuring GDPR compliance.

eLearning has evolved, and 2022 is looking to be the real post-Covid test businesses will face. Production is due to rise and employees are reluctant to return to the workplace full-time, bringing a new set of challenges. Traditional in-house training and compliance procedures no longer work, and a switch to digital training has already begun. Organisations must ensure they switch to online GDPR training or face potential compliance issues in the future. An organisation’s GDPR compliance is only as good as its weakest link.

We provide a comprehensive collection of online data protection courses which your business can use on our Astute eLearning platform (optional). Our courses are CPD accredited and have been developed alongside GDPR and data protection experts to ensure their content is accurate and engaging. By using our Astute platform you can easily identify and close any skills or knowledge gaps, learn on the go on a tablet or smartphone with our cloud-based support, report easily on GDPR training to support GDPR compliance, and much more.


GDPR Compliance – what’s going wrong?

Three years on from the biggest shake up to modern day data regulation, you would be forgiven for thinking businesses ‘get-it’ when it comes to GDPR. Unfortunately over 2020-2021 Google (twice…), Amazon, H&M, British Airways and Marriott among others, have all faced fines that add up to an eye-watering £100+ million.

Some of these fines come from data breaches and unsecure cyber security practices, while in the case of BBVA’s five million euro fine, it was due to a lack of clarity in their privacy policy, and their improper use of customer data preferences.

Three years from the launch of GDPR, American Express (Amex) was fined by the ICO, the UK data protection regulator, for sending more than 4 million marketing emails to customers who had opted out. The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR and govern electronic marketing; GDPR’s fairness and transparency principles apply to the same customer data.

Listen to customer preferences.

It seems that Amex forgot one of life’s basic principles – ‘there is more to listening than not talking’. They gave their customers an accessible preference sheet and allowed them to choose what communications they would receive. However, they decided to keep talking to their customers, sending over 4 million marketing emails to customers who had chosen not to receive marketing communications. Amex argued that these emails were about ‘servicing’ and were not marketing emails. The ICO disagreed after receiving complaints from numerous customers, and fined Amex £90,000.

While this is a contender for the most expensive email marketing campaign ever, it is also a perfect representation of why business-wide understanding of GDPR is so important to an organisation’s overarching operations and reputation.

GDPR lessons:

There are many lessons to be learnt from Amex’s mishandling of customer data. The first being that it is vital to allow your customers to manage their data preferences. It creates a positive experience for the customer and removes the human error factor in data preference handling.

Secondly, define strictly what each preference covers, for every type of communication. Amex had the foundations of good data handling in place: customer-led preference management and well-categorised preferences that everyone in the business could understand. What was missing was an enforced boundary between servicing messages and marketing messages.

Thirdly, educate your workforce. Amex’s downfall sits somewhere in between their workforce not understanding the difference between servicing communications and marketing communications, and decisions being made to use personal data in a way that it wasn’t supposed to be.

Achieve GDPR best practice with our Online Data Protection Courses

The single best way to guard against breaches of data protection is to educate your workforce. If all employees understand the basics of GDPR, and how they can help their organisation stay compliant, the risk of fines by governing bodies and the subsequent reputational damage is minimised.

We provide expert GDPR e-learning courses to help businesses stay ahead of the GDPR curve. Click here to discover how we can help with your GDPR and other data protection needs.

As businesses prepare to open up on 4 July, following the easing of lockdown restrictions, they are expected to have robust measures in place to curb the spread of COVID19, including contact tracing. Collecting personal data as part of contact tracing is expected to create a data privacy minefield for some. So how can businesses navigate this minefield?

What is Contact Tracing?

Contact tracing, supported by the NHS Test and Trace service, is a vital strategy in the fight against COVID-19. It helps curb the spread of the virus by tracing people who show symptoms as well as those who may have come into contact with an infected person and are at risk of becoming carriers. Contact tracing requires the collection and sharing of personal data, which affects most businesses with face-to-face customers or visitors, including the hospitality, leisure and retail sectors.

Some businesses may already have systems and processes in place to collect personal data. However, for some small businesses, it will be an entirely new experience. Both will need to comply with data protection regulations while employing contact tracing.

Key Data Protection Requirements

Here is a refresher on the data protection requirements for businesses in the UK.

Data protection regulation in the UK

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). The DPA 2018 sets out the framework for data protection law in the UK. It updated and replaced the Data Protection Act 1998 and came into effect on 25 May 2018. It sits alongside the General Data Protection Regulation (GDPR) and tailors how the GDPR applies in the UK.

The Regulator

The Information Commissioner’s Office (ICO) maintains and enforces data protection regulation across the UK, including the GDPR. Awareness and understanding of data protection requirements are essential for businesses looking to prevent data breaches.

Lawful basis for the processing of personal data

Under the GDPR, the lawful bases for processing personal data are consent, contract, legal obligation, vital interests, public task and legitimate interests. Data collection for contact tracing might be seen as a public task (a specific task in the public interest that is set out in law), but that basis is primarily available to public authorities; a private venue is more likely to rely on legitimate interests, or on legal obligation where regulations make the collection mandatory. Whichever basis applies, it should be identified and recorded before collection starts.

Six Tips on Collecting Data for Contact Tracing

So how can businesses ensure that they are fulfilling the requirements for contact tracing but also complying with data protection regulations? Here are six helpful tips on collecting data for contact tracing.

1. Keep the process transparent: Assure your customers on why you are collecting data and how the data helps with contact tracing.

2. Only collect the data you need: For contact tracing purposes, customers only need to provide details such as name, phone number and email address.

3. Keep the data secure: Invest in a secure data collection method or system to make sure the data you have collected is stored away safely.

4. Be clear on retention policy: Government guidance requires businesses to keep a temporary record of customers and visitors for 21 days only.

5. Use the data only for the purpose collected: Personal data collected as part of contact tracing cannot be used for any other purposes such as marketing unless stated explicitly and consent has been given for it.

6. Don’t forget to delete the data: Any personal data must be securely discarded after 21 days.
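The two retention rules on this page, the 21-day limit for contact-tracing records above and, earlier, NeltaDet’s rule that a subscriber’s data is erased once they have unsubscribed from everything and are not a customer, are the same mechanism: every piece of personal data is held for a stated purpose, and it goes when that purpose ends. The following Python is an added example (not code from the original page or any vendor) that models both rules over an in-memory list standing in for a database; the purpose names, retention periods and sample records are assumptions constructed for the demo.

```python
"""Purpose-bound retention and erasure for personal data (added example).

Models two rules from the text: contact-tracing records are kept for 21
days only, and newsletter data is erased once a person has unsubscribed
from everything and has no customer relationship. Storage is an in-memory
list standing in for a database (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per purpose. None means "kept while the consent that
# justified it still stands". Assumed values chosen to match the text.
RETENTION = {
    "contact_tracing": timedelta(days=21),
    "compliance_newsletter": None,
    "hs_newsletter": None,
}


@dataclass(frozen=True)
class Holding:
    """One piece of personal data held for exactly one stated purpose."""
    subject: str            # the person, identified here by email address
    purpose: str            # key into RETENTION
    collected_at: datetime
    source: str             # how it was obtained; kept for accountability


@dataclass(frozen=True)
class Subject:
    subject: str
    is_customer: bool = False   # a customer relationship is a separate reason to hold data


def is_expired(holding, now):
    """Storage limitation: time-limited purposes expire; consent-based ones do not."""
    limit = RETENTION[holding.purpose]
    return limit is not None and now - holding.collected_at > limit


def withdraw(holdings, subject, purpose):
    """Unsubscribe from one purpose only; other purposes and customer data are untouched."""
    return [h for h in holdings if not (h.subject == subject and h.purpose == purpose)]


def purge(holdings, subjects, now):
    """Drop expired holdings, then erase subjects with no remaining purpose.

    Returns (live_holdings, kept_subjects, erased_subject_ids).
    """
    live = [h for h in holdings if not is_expired(h, now)]
    still_needed = {h.subject for h in live}
    kept = [s for s in subjects if s.is_customer or s.subject in still_needed]
    kept_ids = {s.subject for s in kept}
    erased = sorted(s.subject for s in subjects if s.subject not in kept_ids)
    return live, kept, erased


# Constructed sample data (no real people). NOW is fixed so runs are repeatable.
NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)
SAMPLE_HOLDINGS = [
    Holding("visitor-a@example.com", "contact_tracing", NOW - timedelta(days=22), "visitor log"),
    Holding("visitor-b@example.com", "contact_tracing", NOW - timedelta(days=5), "visitor log"),
    Holding("reader@example.com", "compliance_newsletter", NOW - timedelta(days=400), "web sign-up form"),
    Holding("reader@example.com", "hs_newsletter", NOW - timedelta(days=300), "web sign-up form"),
]
SAMPLE_SUBJECTS = [
    Subject("visitor-a@example.com"),
    Subject("visitor-b@example.com"),
    Subject("reader@example.com"),
    Subject("customer@example.com", is_customer=True),
]


def run_demo():
    """The 22-day-old tracing record goes; the reader survives one unsubscribe, not two."""
    live, kept, erased = purge(SAMPLE_HOLDINGS, SAMPLE_SUBJECTS, NOW)
    after_one = withdraw(live, "reader@example.com", "compliance_newsletter")
    _, _, erased_one = purge(after_one, kept, NOW)
    after_two = withdraw(after_one, "reader@example.com", "hs_newsletter")
    _, _, erased_two = purge(after_two, kept, NOW)
    return erased, erased_one, erased_two


if __name__ == "__main__":
    print(run_demo())
```

Run `purge` on a schedule, not only when someone asks to be forgotten: the 21-day limit is a deadline the business has to meet on its own initiative. Keeping `source` on each holding is what lets the business show, later, how and when it obtained the data, which is the accountability record the earlier section asks for.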

Contact tracing or not, compliance with the data protection regulation is a vital requirement for most businesses. To mitigate the risks of compliance breaches, always follow best practice around data collection, perform regular audits of policies and processes, and continually review staff readiness.

Helpful resources:

COVID-19 secure guidance for employers, employees and the self-employed

NHS Test and Trace

Happy Data Privacy Day! Created by the Council of Europe in 2006, Data Protection Day is celebrated every year to promote data protection best practices and raise awareness on the importance of data privacy. Globally, it is recognized as Data Privacy Day.

For businesses, data is a valuable entity and it is therefore vital to protect it for ensuring business continuity and compliance with the regulation. In the spirit of data privacy and all things data protection, we share with you some useful tips for keeping your business data safe and secure this year.

Ensuring Compliance in Artificial Intelligence (AI)

Nearly all AI-based products and services rely on the collection of large amounts of data, including personal data, to understand user behaviour and make intelligent decisions. Data is therefore vital in powering AI, but it also poses new challenges for data privacy. In December 2018, an Amazon customer in Germany was mistakenly sent about 1,700 audio files from someone else’s Amazon Echo device – a mistake attributed to human error. In July last year, it was reported that Amazon responded to a letter sent by a US Senator confirming that it maintained Alexa recordings indefinitely (unless a user manually comes in and deletes them).

Incidents such as these highlight the importance of data protection and ensuring compliance in AI.

Legislation in Europe and the US is picking up momentum with the European Commission looking to implement an “appropriate” ethical and legal framework for the development of AI aimed at boosting innovation while making individuals’ rights a priority.

A piloting phase which ran until December 2019 was based on draft Ethics guidelines describing trustworthy AI as:

  • lawful – respecting all applicable laws and regulations
  • ethical – respecting ethical principles and values
  • robust – both from a technical perspective while taking into account its social environment

The General Data Protection Regulation (GDPR) requires ‘data protection by design and by default’ (Article 25), commonly called privacy by design: privacy protections are built into products from the start rather than bolted on later. This certainly applies to AI-driven technology and products, which will need to factor in privacy, consent and the other lawful bases from the outset.

Recognizing GDPR as an Opportunity

Speaking of the GDPR, it has been over a year and a half since the regulation came into force and it continues to drive the way businesses collect and use customer data. More customers are also becoming wary about how their personal data is collected and used for business purposes.

For businesses, GDPR is no longer just about compliance; there is also a tremendous business opportunity in a data-driven economy. In a world brimming with data, businesses can stand out by using GDPR best practice to maintain up-to-date data lists and to build a reputation as a responsible, reliable partner committed to deepening digital trust with their customer base.

Remember to:

  • Audit your data periodically – Ensure that your customer data is up-to-date and your customers are engaged with your business.
  • Implement a strict retention policy – If you are holding data on customers who haven’t engaged with you in a while, maybe it’s time to review if you need that data. You can erase or anonymize the data you no longer need.
  • Aim for ‘privacy by design’ – Make sure you have performed a Data Protection Impact Assessment (DPIA) to identify and reduce the data protection risks your business could face and allow members of staff to fix any problems before a breach occurs.
  • Review your privacy policy – Ensure that your privacy policy clearly states your business identity, what you use customer data for and for how long, your lawful basis for processing, your data retention periods, and customers’ right to complain to the ICO.

Evaluating Your Password Policy

A 2019 analysis by the National Cyber Security Centre (NCSC) found that “123456” and “password” remain among the most common passwords found in global breaches. Liverpool was the most common Premier League football team used in passwords, with Superman the most popular fictional character.

Making good password choices is vital for protecting individual and professional business data. For businesses, this means continually reviewing and enforcing robust password policy.

Key ingredients of a comprehensive password policy:

  • Password history – Stop users from recycling passwords by remembering at least their 10 previous passwords. Store that history as salted hashes, never in clear text.
  • Password age – Decide deliberately whether passwords expire. Forcing a change every set number of days was long standard advice, but the NCSC now advises against routine expiry because it pushes users towards weak, predictable variations of the old password; instead, change passwords when there is reason to believe they have been compromised.
  • Password complexity – Rules to ensure users aren’t using their first or last name as a password, together with a sensible minimum length. The NCSC favours length over mandatory character-mix rules; where you still require a mix of lower case, upper case, numbers and symbols, keep the rule simple enough that users do not work around it.
  • Deny list – Screen every new password against the most common and known-breached passwords (the ones the NCSC analysis above found, for a start) and reject them outright.
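The list above is a policy; what a practitioner needs is the check that enforces it at password-change time. The Python below is an added example (not code from the original page) that applies the name, character-mix, deny-list and ten-password history rules, with the history held as salted PBKDF2 hashes so that old passwords are never stored in clear text. It deliberately has no expiry rule, in line with the NCSC advice noted above. The minimum length, PBKDF2 iteration count and deny-list entries are assumptions; the deny list is built from the examples in the text and a real one would hold millions of entries.

```python
"""Password policy check with a hashed history (added example).

Assumptions: MIN_LENGTH, ITERATIONS and DENY_LIST are illustrative values;
the history is a list of (salt, digest) pairs as produced by hash_password.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

HISTORY_DEPTH = 10          # the text's "minimum of 10 previous passwords"
MIN_LENGTH = 12             # assumed
ITERATIONS = 50_000         # kept low for a demo; raise it (or use Argon2/bcrypt) in production
# Constructed from the examples in the text; a real list holds millions of breached entries.
DENY_LIST = {"password", "123456", "12345", "liverpool", "superman"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The history stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, first_name: str, last_name: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Names of one or two letters would match almost anything, so only check longer ones.
    for name in (first_name, last_name):
        if name and len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")

    # Character mix: at least three of the four classes.
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(1 for pattern in classes if re.search(pattern, candidate)) < 3:
        problems.append("needs at least three of: lower case, upper case, digit, symbol")

    # Deny list, also catching the usual "liverpool1!" style suffixes.
    if lowered in DENY_LIST or lowered.rstrip("0123456789!") in DENY_LIST:
        problems.append("appears on the common/breached password deny list")

    # History: compare against the last HISTORY_DEPTH hashes only.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(candidate, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break

    return problems


if __name__ == "__main__":
    previous = [hash_password("Correct-Horse-Battery-9")]
    for pw in ("Liverpool1!", "JaneDoe-2022!x", "Correct-Horse-Battery-9", "Correct-Horse-Battery-8"):
        print(pw, "->", check_password(pw, "Jane", "Doe", previous) or "accepted")
```

Each violation is returned rather than raised so the caller can show the user every reason at once; the history comparison is last because it is the only step that costs a key derivation per entry.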

Staying Safe Online

Social engineering continues to pose one of the biggest security risks to businesses. Cybercriminals often target employees using deception with the intent of gaining confidential information for fraudulent purposes. These techniques include phishing and baiting and could also include links to fake website pages, emails from doctored addresses, or communications that appear to come from government or official sources.

Social engineering also extends beyond email: attackers profile their targets from publicly available personal information and misuse it to make their approaches more convincing.

Steps to take to protect your business from social engineering:

  • Regularly update your company antivirus software.
  • Secure your business network with a robust firewall.
  • Make sure employees treat emails from unknown senders with caution, especially those containing links or attachments.
  • Train employees to recognize doctored email addresses from fraudulent sources.
  • Make sure employees never give out financial or sensitive information over the phone or electronically without encryption.
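“Doctored email addresses” usually means a sender domain that imitates a trusted one: a digit or letter-pair swapped in (examp1e, exarnple), the trusted name buried inside an attacker’s domain (example.com.evil.net), or a non-ASCII domain that renders like the real one. The Python below is an added example (not code from the original page) of the triage check an inbox-side tool can run on a From: header; the trusted domains, the confusable-character map and the similarity threshold are assumptions. SPF, DKIM and DMARC checks at the mail gateway remain the primary control; this is the human-facing second opinion.

```python
"""Flag sender addresses that imitate a trusted domain (added example).

Assumptions: TRUSTED_DOMAINS, the confusable map and SIMILARITY_THRESHOLD
are illustrative; sample senders are constructed, no real mail is involved.
"""
import difflib
import re

TRUSTED_DOMAINS = ("example.co.uk", "example.com")   # assumed
SIMILARITY_THRESHOLD = 0.85                         # assumed
_MULTI = (("rn", "m"), ("vv", "w"))                 # letter pairs that read as one glyph
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "i": "l"})


def sender_domain(address):
    """Domain from 'Name <user@host>' or 'user@host'; None if malformed.

    Non-ASCII domains are converted to their punycode (xn--) form, which is
    what the mail server actually sees.
    """
    m = re.search(r"<([^>]+)>", address)
    addr = (m.group(1) if m else address).strip()
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if not domain or "." not in domain:
        return None
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def skeleton(domain):
    """Fold look-alike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    for pair, single in _MULTI:
        domain = domain.replace(pair, single)
    return domain.translate(_SINGLE)


def classify(address):
    """Return (verdict, domain). Verdicts: trusted, trusted-subdomain, suspicious-idn,
    suspicious-embedded, suspicious-lookalike, unknown, invalid."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid", None
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    if domain.startswith("xn--") or ".xn--" in domain:
        return "suspicious-idn", domain           # our trusted names are ASCII-only
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return "trusted-subdomain", domain
        if trusted in domain:                       # e.g. example.com.evil.net
            return "suspicious-embedded", domain
        a, b = skeleton(domain), skeleton(trusted)
        if a == b or difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD:
            return "suspicious-lookalike", domain
    return "unknown", domain


# Constructed sample senders for the demo.
SAMPLES = [
    "Accounts <accounts@example.com>",
    "helpdesk@mail.example.com",
    "it-support@examp1e.com",
    "payroll@exarnple.com",
    "ceo@example.com.evil.net",
    "alerts@exämple.com",
    "newsletter@unrelated.org",
    "not-an-address",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample)[0]:22s} {sample}")
```

The verdicts are deliberately coarse: “unknown” is not “safe”, it only means the domain does not resemble one you trust, and a genuine subdomain match still says nothing about whether the message was actually sent by that domain.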

Mitigating the Risks of Human Error

A report by Kaspersky Lab revealed that about 90% of data breaches are caused by human error.

Many businesses suffer data breaches because their employees inadvertently created an entry-point to the systems, whether it is from opening unsafe email attachments or clicking on suspicious website links to downloading unsafe files.

Cybercriminals count on human flaws to circumvent the most robust security software. It all comes down to a lack of awareness which can put your employees at risk of making errors in judgment, resulting in data and security breaches, company downtime, or financial loss.

Invest in Awareness Training

Investing in a thorough employee training program is a vital ingredient in any organization’s data protection policy. Raising awareness ensures that employees understand the regulatory obligations for businesses and understand the implications of non-compliance. Realizing the value of sensitive information if breached can also help employees to act with caution and make the right decisions to keep business data safe and protected.

Make sure your employee training program includes a comprehensive overview of key topics such as data protection, GDPR, and information security. We also recommend keeping employees up to date with microlearning courses for refreshing and reinforcing key learning messages over time.

How Can We Help?

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of human error. Without raising awareness, you may be putting your business at risk of non-compliance with data protection and privacy laws. Don’t get caught out by the regulators, invest in awareness training for your staff. Find out how we can help with our range of Data Protection Online Training.