Data Protection Network Associates

𝗨𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱 𝘆𝗼𝘂𝗿 𝗱𝗮𝘁𝗮 𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗴𝗮𝗽𝘀 𝘄𝗶𝘁𝗵 𝗼𝘂𝗿 𝗲𝘅𝗽𝗲𝗿𝘁 𝗿𝗲𝘃𝗶𝗲𝘄𝘀 We pinpoint your risks and compliance gaps, providing clear and practical recommendations to solve them. Our reviews are tailored to suit your needs and budget. ❑ Light-touch 'health check' ❑ Activity/department specific ❑ Broad deep dive We work with clients across a diverse range of sectors, both commercial and not-for-profit. We take a proportionate approach based on the size of your organisation, the sensitivity of the personal data you handle, and the nature of your activities. 𝗚𝗲𝘁 𝗶𝗻 𝘁𝗼𝘂𝗰𝗵 𝘄𝗶𝘁𝗵 𝘂𝘀 - 𝗶𝗻𝗳𝗼@𝗱𝗽𝗻𝗲𝘁𝘄𝗼𝗿𝗸.𝗼𝗿𝗴.𝘂𝗸 Simon or Phil will arrange an introductory meeting #dataprotection #gdpr

Why contractual terms with suppliers matter. Supply-chain data breaches happen, and if one of your suppliers suffers a breach affecting your personal data, or another data protection violation occurs, your contractual terms are likely to become significant. GDPR (and it's spin-off UK GDPR) sets out specific requirements for agreements between controllers and processors. These are designed to protect individuals, but also set out the clear duties and obligations of each party. In our experience, it's not uncommon to find such terms lack key data protection clauses, or don't exist at all. Data protection may be covered in a Data Processing Agreement or Addendum, but sometimes relevant clauses will be included in the main contract. It really does pay to scrutinise the detail. And if there's nothing in place, take steps to rectify this pronto! Our quick guide to controller-processor agreements ☛ https://lnkd.in/eJn6uEgs #dataprotection #gdpr #processors

The alarm goes off and it becomes clear a 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗱𝗮𝘁𝗮 𝗯𝗿𝗲𝗮𝗰𝗵 has occurred. It might be a relatively minor incident, or more significant. Our clients sometimes ask us for advice on how to manage incidents and in particular how to assess the level of risk the breach poses, or to give a second opinion on their assessment. 🚩 Does the breach need to be reported to a Data Protection Authority (e.g. the UK's ICO)? 🚩 Should we notify affected individuals? In some cases answering these questions will be pretty clear cut, but not always. We've taken a look at how to evaluate the harm a data breach could cause to those affected ☛ https://lnkd.in/eT77hRfr

There are plenty of shiny new AI tools offering solutions to streamline the recruitment process, but it's important to carefully consider their use. Use of AI in the recruitment process raises privacy concerns. There's the potential for bias and/or inaccurate outputs. Could job applicants be unfairly treated? Will AI providers being using jobseeker's details? Do candidates know AI is being used? And more! The UK's ICO is urging recruiters to make sure AI tools don’t have an adverse impact. Here are 10 key steps for recruiters looking to engage AI providers: 1. Conduct a Data Protection Impact Assessment (DPIA). 2. Make sure you have a lawful basis for processing. 3. If collecting health information or DE&I data make sure you've identified a special category data condition. 4. Clearly establish if the AI provider is a controller or processor. 5. Make sure you're limiting the personal data collected to what's really necessary. 6. Undertake information security due diligence before engaging an AI provider. 7. Seek robust assurances in relation to fairness and mitigating bias risks. 8. Be transparent - make sure candidates are aware an AI tool is being used. 9. Make sure there's meaningful human involvement in the decision-making process. 10. Clearly determine how long the data inputted and generated from AI tools will be kept for. We've written more about this... ☛ https://lnkd.in/e8KnagYZ #aitools #recruitment #dataprotection

Let's dispel the myth (again). You don't always need consent to send marketing emails to UK recipients. And it's not GDPR which sets out the rules for electronic marketing messages. It's the often forgotten (and not so quick to write) Privacy & Electronic Communications Regulations (PECR) which provide the rules in the UK. PECR is derived from a 2003 EU ePrivacy Directive (when the UK was still part of the EU). Each European country has its own rules derived from this Directive, and yes in a few European countries consent is always required for marketing emails, but in the UK it depends on the context. We've written a quick guide to UK email marketing rules ☛ https://lnkd.in/e-g2KKdd #pecr #marketingemails

𝗦𝗵𝗼𝘂𝗹𝗱 𝗰𝗵𝗮𝗿𝗶𝘁𝗶𝗲𝘀 𝘀𝘄𝗶𝘁𝗰𝗵 𝘁𝗼 𝘁𝗵𝗲 '𝘀𝗼𝗳𝘁 𝗼𝗽𝘁-𝗶𝗻'? A recent amendment to the UK's Data (Use & Access) Bill paves the way for charities to use the so called '𝘀𝗼𝗳𝘁 𝗼𝗽𝘁-𝗶𝗻' 𝗲𝘅𝗲𝗺𝗽𝘁𝗶𝗼𝗻 𝘁𝗼 𝗰𝗼𝗻𝘀𝗲𝗻𝘁 for electronic marketing messages (e.g. emails and texts). An ambiguous name for what actually means an 'opt-out' rather than an 'opt-in' (i.e. consent). Responding to this amendment the Information Commissioner, John Edwards warns switching from consent is not a decision to be taken lightly: "I support this extension as it will help charities better communicate with people who support their purposes. However, we would expect charities to consider implementation carefully, including their UK GDPR obligations. Where organisations are relying on legitimate interests for their processing, they will need to carefully assess their interests and balance them against the impact on individual rights and freedoms." I agree. It hasn't been a level playing field - permitting commercial businesses to rely on this exemption but not charities. However, any change needs careful consideration. There's the potential to reach more people, but there's also the potential to create confusion. I've taken a look at some of the '𝘀𝗼𝗳𝘁 𝗼𝗽𝘁 𝗶𝗻' 𝗽𝗿𝗼𝘀 𝗮𝗻𝗱 𝗰𝗼𝗻𝘀 ☛ https://lnkd.in/eTf8DVEa #marketing #pecr #charityfundraising

Many businesses who provide a service to their clients have a final hurdle to overcome before the deal is signed - namely proving their data protection and security credentials. You may be asked questions like... 📌 Do you have a DPO? 📌 What data protection and security policies do you have? 📌 What training do your staff receive? 📌 Where will the processing take place? 📌 Do you sub-contract to other parties? And more! We take a look at how to prepare for due diligence questionnaires ☛ https://lnkd.in/ey54uXVR #dataprotection #datasecurity #gdpr

𝗪𝗵𝗮𝘁 𝗮𝗿𝗲 𝗽𝗲𝗼𝗽𝗹𝗲 𝗲𝗻𝘁𝗶𝘁𝗹𝗲𝗱 𝘁𝗼 𝗿𝗲𝗰𝗲𝗶𝘃𝗲 𝘂𝗻𝗱𝗲𝗿 𝘁𝗵𝗲 𝗥𝗶𝗴𝗵𝘁 𝗼𝗳 𝗔𝗰𝗰𝗲𝘀𝘀? What does a 'copy' of their personal data mean in practical terms? We're regularly asked what is and isn't in scope when responding to this right, commonly known as a 𝗗𝗮𝘁𝗮 𝗦𝘂𝗯𝗷𝗲𝗰𝘁 𝗔𝗰𝗰𝗲𝘀𝘀 𝗥𝗲𝗾𝘂𝗲𝘀𝘁 - 𝗗𝗦𝗔𝗥/𝗦𝗔𝗥. So, we've put together answers to some frequently asked questions, such as: Q: Do we need to provide information the requestee already has, or is obvious to them? Q: Are they entitled to the full content of email correspondence? Q: Are handwritten notes in scope? Read our 𝗗𝗦𝗔𝗥 𝗙𝗔𝗤𝘀 ☛ https://lnkd.in/eGDUxaJM #dsar #privacyrights #gdpr #dataprotection

Handling personal information about employees is an essential part of doing business, but sometimes data protection compliance can get overlooked. Employee records can often include sensitive information such as DE&I data and disability/medical records. Data may also be collected about employees in other ways, for example via staff monitoring activities. Employers need to be mindful of their data protection obligations. Compliance gaps could be exposed in the event of significant data breach, complaint or Subject Access Request. To help organisations get this right, the Information Commissioner's Office (ICO) has just published helpful guidance on managing employee records. We've taken a look at the areas we find are often missed ☛ https://lnkd.in/ez4W-CAF #gdpr #dataprotection #employeerecords

The global regulatory landscape for AI is decidedly unsettled. While the first phase of the comprehensive EU AI Act is now in effect, the US is steering a different course under the Trump Administration. And, just this week the UK joined the US in not signing President Macron's declaration on AI at a Paris Summit. For organisations balancing the benefits and risks of AI development or use, regulation isn't the only factor to consider. To take advantage of AI's possibilities, agile and effective governance will be key. ☛ https://lnkd.in/eh6nZBPU #aiact #airegulation #aigovernance