Understanding how GDPR fits into the new normal.

Home Office GDPR

The new normal of living in a Covid19 world brings with it some important questions about how you’re going to manage your business’s data security.

If you’ve changed how and where your workers are based, for example to home working or shared work spaces, or have taken on extra measures such as track and trace or monitoring your staff’s health, there are data security measures that you must implement to comply with the GDPR and protect the processing of personal data.

Data Protection Impact Assessment (DPIA)

Under the GDPR you need to show that any processing of personal information is being done in line with the regulation. You’re responsible for being able to demonstrate your compliance and to show that you’ve considered the impact of the data you’re processing. It’s recommended that you carry out a Data Protection Impact Assessment (DPIA) to help demonstrate this.

Making changes to your GDPR policy should only be done after a DPIA is carried out.

The DPIA is not just for large organisations: any business that is processing personally identifiable information is required to be registered with the ICO and to have a GDPR policy in place.

What counts as Personally Identifiable Data?

Any information that can identify an individual is Personally Identifiable Data. The most obvious example is people’s names, but other types of data could also be used to identify someone:

  • Names
  • Client Reference IDs
  • Order Numbers
  • Browser Cookies from websites
  • PAYE information
  • CCTV images
  • Bank Details
  • Mobile Phone Numbers
  • Social Media Details

What counts as Processing Data?

Any time anything happens to the data, it’s processing. With digital data this would include when it’s first entered into your system, if it’s accessed, sorted or looked up and when it’s modified or printed.

It includes the collection of data even if it’s not stored, such as taking temperature readings.

I don’t use a computer for work?

The GDPR covers processing of data in any format. This includes data on your mobile phone (such as contact details, call logs, text messages, WhatsApp messages etc).

I don’t even have a mobile phone

It’s not just digital data that is covered: any form of filing system is taken into account, so an address book, Filofax or even the top drawer of your desk would all fall under the GDPR.

Track & Trace

If you’re recording information for Track & Trace, you are required to follow the GDPR when doing so. You should update your GDPR policy to include the processing of this data and carry out a DPIA to make sure you are following the requirements of GDPR.

You should make sure that individuals know why you are collecting this information, who will have access to it and how long you will retain it for. The data collected must not be used for any other purpose.

You will need to identify the lawful basis for collecting this information. If you have a legal requirement to collect the information, or are doing so because your industry is encouraged to do so, it’s likely that you will be able to use ‘Legitimate Interest’ as the basis. Otherwise you may be required to use individual consent.

You should collect the minimum amount of information needed for the purpose. This would probably be a contact name, phone number and the date, time and duration of their stay at your premises.

The ICO lists an ‘ABCDE’ approach to contact tracing:

Ask for only what’s needed
You should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival for example. You should not ask people to prove their details with identity verification, unless this is a standard practice for your business, eg ID checks for age verification in pubs.

Be transparent with customers
You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could do this by displaying a notice in your premises, including it on your website or even just telling people. If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes.

Carefully store the data
You must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away. See our guidance on simple security measures you can take here.

Don’t use it for other purposes
You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics.

Erase it in line with government guidance
You should not keep the personal data for longer than the government guidelines specify. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example.

Track & Trace QR Code

If you’ve printed out a government Track and Trace QR code, you do not need to include that information in your GDPR policy, as you will not be processing the information in any way.

Get a UK Government NHS Track and Trace QR Code here

Monitoring individuals for signs of Covid-19

(Temperature monitoring, symptom monitoring or asking about their health or the health of household members)

If you’re monitoring individuals (or their household) for signs of COVID-19 you will need to take extra care with the way the data is collected and processed. This type of data is classed as Special Category Data and has extra safeguards offered by the GDPR.

You should carry out a DPIA to ensure you have covered all the legal requirements for processing this kind of information.

The ICO GDPR coronavirus hub ‘Testing’

Individuals who are asked about their health or the health of those they live with, or who are asked to take a test or have their temperature taken, have rights under the GDPR. They are entitled to know at the point of collection:

  • What information is being collected.
  • Why it’s being collected.
  • Who will have access to the data.
  • How long the data will be held for.
  • What the legal basis is for collecting the data.
  • Who they should contact if they have any problems or issues.

They will also be entitled to request a copy of the data (called a Subject Access Request, or SAR).

Furthermore, they will be required to give specific, clear consent for the collection of this information.

Home workers’ access to company data

With many organisations now looking at moving to full or part time home workers, you need to make sure your GDPR policy covers the movement of data to and from your remote workers, and the data’s security while off site.

The transfer of data to and from your workforce and your office network should be a closed, secure transfer, either digitally over secured communications channels or physically.

If your workers are in the office or in other company-owned premises, the security can be centred around the closed network design, but when your workers are remote or working from a home office, that transfer of data needs to be done via public systems (this could be manual, such as moving paper records and files from the company to the workers, or digital, over the public internet).

If the data falls under the scope of the GDPR, then it is a lawful requirement that you protect the transfer of the data.

For files and paper this could be by using a locked briefcase or storage box, a pre-vetted courier or an employed courier. For digital information, this should include encrypted data over secure connections, such as a VPN (Virtual Private Network), Remote Desktop or secured cloud services.

Passwords

You shouldn’t be letting your staff use weak passwords anyway, but we know in a secure office environment it can happen.

With staff accessing your business network remotely, those passwords suddenly become critically important and must be strong, ideally with 2FA (Two Factor Authentication) in place so any logon attempt needs to be verified by a text message or mobile phone app.

You should have sufficient monitoring of access so you can identify malicious logon attempts and any other security issues.

Data transfer and storage for home workers

You should make sure data is secured during transport, whether digitally over the internet, on USB devices or as paper files.

Once the data has been delivered to the remote worker securely, you need to make sure it’s stored in a secure way.

Paper folders and files should be stored in a secure locked cupboard or filing cabinet in the house, for example; it’s not a good idea to leave them in a car or in a garage or shed.

Digital data should ideally be encrypted when not being accessed, and only kept in the remote location for as long as is necessary.

Using a home pc or mobile

If your remote workers are going to use personal devices for processing your organisation’s data, you should ensure that those devices meet your data security policy standards.

This should include sufficient secure (encrypted) storage, segregation of data from personal data, robust antivirus measures and secure internet connections as a minimum.

If you already have a Bring Your Own Device (BYOD) policy in your GDPR and IT deployment pack, then you should make sure it’s up-to-date, appropriate for its new use and that your employees read it and understand it.

Video Conferencing

Using video conferencing is a great way to keep in touch with staff and clients, but you should cover its appropriate use in your DPIA.

You should choose a platform or two that offer corporate level security, two factor authentication, logging and recording facilities and end-to-end encryption and deploy them for use.

You should make sure users are kept updated on proper use, and how to spot improper use or potential scams on the platforms, and you should make sure the end users are keeping their platform client apps up to date.

In your policy file you should include items such as screen sharing, file sharing, remote control and instant messenger chat use.

Office Chit Chat

One of the things people might miss while working from home is the office chit-chat. Not the gossiping at the coffee pot for 20 minutes, but the background day-to-day chatter that helps the office function.

To help with this, there are a few digital radio stations and channels that will play constant background chatter. It sounds odd, but having that quiet noise in the background can actually make it easier to concentrate on what you’re doing.

For the time when you would just pop your head up and ask a colleague something, you might find it useful to have an ongoing meeting room open between all your office staff. That way they don’t have to start a specific call with someone if they just want to ask a quick question.

tinsleyNET IT Services Consultants #WeCanHelp

#WeCanHelp

We can help you conduct and write your Data Protection Impact Assessment (DPIA) to make sure you’re protecting personally identifiable data in line with GDPR requirements.

We can help you move your business to an agile, modern IT setup, with remote workers, hot desking and secure digital storage.

We can also help you with IT Support for your remote workers, making sure your agile workforce are getting the support they need in this new way of working.

If you need help with setting up remote workers, GDPR Policy files, DPIA’s or any other IT support issues #WeCanHelp

https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/

The Office (after Coronavirus)


When the UK government took the decision to impose working restrictions in March 2020, the nature of office work changed dramatically overnight.

Not all the changes had a negative impact: people who could work from home found that they could be just as productive without the commute to the office.

We look at the lessons learnt and how they can be implemented to make the new normal a better place to work.

Working from home

It’s been a revelation just how convenient working from home is, both for the employer and the employee. No travel time means more productive hours and less pollution from driving, and, if your job allows it, more flexible working hours give you more quality time with your family, fewer distractions (in some cases) and no arguments over who used your milk.

Going forward, it’s easy to see that employers could use this to their advantage, downsizing their office as it only has to accommodate a fraction of the workforce while the remainder work from home or ‘hot desk’ in shifts.

First, let’s look at how working from home could be a long term change, and at what a work from home office might need.

Home Workstation & Hardware


It’s more than likely that your work from home employees will need a computer. Chances are they already have a computer of some sort at home, but with the ubiquity of tablets and smartphones, it may well be that their home computer is somewhat outdated.

There are a number of options available here depending on the person and their position in the company.

The least expensive method would be to use a remote desktop session (even running it from a ‘live’ CD or USB rather than from their computer’s operating system). This requires little processing and memory power at the remote end, as all the heavy work is done at the server end (typically cloud based or a server at your office).

You could provide a laptop for work use, giving you control over the spec and budget of the machines your staff are using, or you could give them a budget to buy their own devices for work use.

Unless particular processing power is needed on the remote devices, say for graphics work, then using a laptop is absolutely the best option. There’s a choice of touch screen, stylus input, tablet/laptop or standard laptops, again depending on your employees’ needs.

Additional screens can be set up, especially if your staff are used to using them in the office; wide screens and rotatable screens are ideal for managing large spreadsheets or word processing.

Having a decent camera, microphone and speakers is also very useful, especially when you’re running video conferencing calls or your remote workers are contacting clients. If the built-in offerings are a bit low quality, it’s easy to buy and use external devices.

If the remote worker’s home space allows it, have a separate screen that can be dedicated to video calls and conferencing, leaving this logged into an office Microsoft Teams meeting (or Zoom, Skype or any other conferencing app) all day long so all your remote workers can see and speak to each other without having to start up a specific session. This helps give the office/team feeling to working and means that your staff can keep in contact as they would do normally, such as chit-chat over a coffee in the office, or asking for help from colleagues while they’re working.

If the remote workspace is not a dedicated area, such as a home office, then having hardware that can be set up and then packed away quickly and tidily is essential. If your remote workers are working on the dining room table, having two 20 inch monitors in place all the time would really get in the way!

Your remote workers might also need access to a printer or scanner. Depending on what quality they need and how often they need it, there are several options, from providing a multi-function printer/scanner at home for everyday print jobs, to setting up the office printer to allow remote print access, to using the camera on the user’s smartphone as a scanner.

Home Broadband


In most cases, a lightning fast broadband connection at the remote end is not required; the amount of data sent to and from a remote worker can be kept quite light, or buffered and cached when the broadband is less busy.

If there are other people sharing the broadband, hogging all the bandwidth when your remote user downloads a set of files is soon going to be noticed, so you can cache these files on the remote workstation overnight, or access them via remote desktop software.

Carrying out a survey of your remote workers’ homes could help identify better broadband deals, and help your remote workers position their workstations and WiFi access points/routers in the best locations for connectivity and speed.

Compliance

It’s essential that your remote workers remain compliant with the various legislation that applies while working from home. Health and Safety and GDPR are the two that immediately spring to mind, but there may be others that you need to take into account.


The GDPR and Data Protection Act 2018 policies you have in place will need assessing and updating to cover the new situation, but this should not be a barrier to moving to this new working environment.

If home PCs, tablets, smartphones or other devices are being used to process personal information, they should be assessed and managed according to your GDPR policy.

Business information and household information should be strictly segregated, and management put in place to protect the business data.

Assessing the working conditions for your remote users will quickly identify areas that need to be covered under your GDPR policy. This may include things like: screen privacy, data storage, printing and destroying printed material, transporting data between the office and remote office, and data encryption.

Meeting Room & Reception

With your office staff working from home, it means the office doesn’t need to be so big. In lots of situations, a meeting room, reception area and one or two offices would suffice.

This means the meeting room can be large enough to accommodate clients and observe the social distancing rules, and any office workers in the building could work from one of the offices, meaning they are isolated from other people while they’re in.

Your reception could be fitted with a client-facing monitor, and any ‘walk in’ clients could still speak with any member of staff via video conferencing.

A networked scanner and printer could also be made available to share documents.

Hot desking would need a slight revamp, with maybe just a docking station and screen left behind when a user leaves, and a wipe down of all surfaces before they are used again.

Keeping it all together

Making sure your company data is available to your remote workers in a reliable and secure way is essential. There are a number of options for you to look at.

Firstly there are cloud only solutions, services like Microsoft and Google. They are the big boys but that is a benefit; their platforms are reliable and robust and have a range of options and prices that give you access to different amounts of storage space and different tools.

Then there are hybrid solutions, part cloud based and part office-server based. These setups allow you to make use of all the transport facilities of cloud based connectivity, but with the security and peace of mind of an office-based server.

Then there is the pure office-only solution, letting you manage and configure every aspect of the system with an in-house server.

Each option has its pros and cons and is suited to different types of work; in some situations you might combine different elements of all three setups to offer the right connectivity and security for your remote workers.

Having control over your data is essential. Being able to audit its use, monitor for breaches in your security, and remotely destroy data on a compromised device are all tools you should have at your disposal.

Making sure your data is backed up is critical. Also, making sure the data on your backup targets is up-to-date and includes any data that might be sitting on a remote device should be built into your backup plans.


#WeCanHelp

We can carry out a review of your remote workers’ home offices and advise you of any changes we think are needed to make it a long term working arrangement. We can check the internet connection, WiFi location, device security and working environment, and identify areas that need to be included in your GDPR policy.

We can also sort out your office based needs, with terminals, servers, internet connections, security and everything else you need to allow your remote workers to be as efficient as possible.

Contact us today to prepare your workplace for the new normal.

Why was British Airways fined so much?


Last year, British Airways suffered a data breach that resulted in the details of hundreds of thousands of its online users being stolen, including email details and credit card details, including the 3-digit security code from the back of the card.


GDPR 1 Year On


May 25th, 2018

The GDPR came into force on the 25th May, 2018. From that point onwards, any organisation around the world processing data relating to European citizens had to comply with the new data security laws.

GDPR 1st Anniversary

Information from the European Data Protection Board (EDPB) report published in February 2019


Total fines issued:
€55,955,871

Number of Data Breaches reported by a data controller:
64,684

Individual complaints received:
94,622

Full report: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf 

GDPR vs. Global Brands

Many tech giants set their European headquarters in the Republic of Ireland. Facebook, Google, Apple, Microsoft, Twitter, Dropbox and many more fell under the GDPR as applied in Ireland.

The Irish Data Protection Commission said that in the first year of the GDPR, most data investigations involved the tech giants, with Facebook and its brands Instagram and WhatsApp being the most investigated.

Google has already received a £44,000,000 fine from the French data regulator CNIL for its handling of personal data in targeted advertising; it is also facing another investigation from the Irish DPC for similar issues.

The tech giants, along with everyone else, had two years notice of the new regulations, but it appears many of them chose to make the minimal effort to adjust to the regulations.

In the USA, individuals have less robust data protection and privacy laws, and it’s thought that many global companies set the US standards as the de facto standard. The European GDPR sets the bar much higher and gives individuals much more control over the use of their data.

Information Commissioner’s Office

ICO Enforcement

Data taken from the ICO enforcement page May 25th 2018 – 12 February 2019


ICO Fines issued:
34 (£3,335,000)

ICO Actions Taken:
59

ICO Prosecutions against individuals:
9

Penalties issued to data controllers who have not registered:
103
  • 16 of those were for the maximum amount of £4,000
  • 18 of those were for organisations in the financial/pensions industry
  • Organisations in Construction, Manufacturers, Services and Health were also commonly fined

PECR Nuisance calls & messages reported:
51,314
…of those:
  • 26% were for accident claims
  • 15% were for broadband and telecoms services
  • 9% were for PPI
  • 8% were for computer scams

PECR Spam text messages:
13,623
…of those:
  • 12% were for charities
  • 8% were for banking scams
  • 5% were for energy saving companies
  • 3% were for accident claims

PECR Automated calls:
13,623
…of those:
  • 40% were for accident claims
  • 17% were for broadband and telecoms services
  • 11% were for PPI
  • 8% were for computer scams

Number of complaints about the use of cookies:
949

Some of these fines were a result of complaints made under the Data Protection Act 1998 before the GDPR came into force. The powers available to the ICO and the level of fines that could be issued were significantly lower under the old DPA.

https://ico.org.uk/action-weve-taken/

The ICO is responsible for GDPR compliance in the UK. If an organisation processes personal data it is required to be registered with the ICO and to comply with the GDPR, regardless of size.

The ICO have stated that they are looking for organisations to develop on their compliance to include data security by default. This means that any changes or new functions within the organisation will include GDPR as part of the process.

Poland’s Personal Data Protection Office fined a Polish company €220,000 for processing the personal information of people without making them aware of the processing.

https://edpb.europa.eu/news/national-news/2019/first-fine-imposed-president-personal-data-protection-office_en

Data Protection Officers

DPOs are a requirement for some organisations, and recommended for other smaller organisations. Organisations can make use of external third party DPOs to help keep costs down and to bring in the required experience.

Over 500,000 organisations have registered DPOs across Europe since the introduction of the GDPR.

Data Protection Officers

Data taken from IAPP, May 2019

Estimated DPOs:
500,000

Documented DPOs:
375,000
  • 182,000 in Germany
  • 51,000 in France
  • 48,000 in Italy
  • 32,000 in the UK
  • 30,000 in Spain

Number of cases received by DPOs:
280,000

https://iapp.org/resources/article/gdpr-one-year-anniversary-infographic/ 

A (very quick) overview of what the GDPR is.

Personally Identifiable Data

Personally Identifiable Data is any information that can be used to identify an individual. Obvious data like someone’s name or customer reference number, and less obvious data like a photo, customer number or CCTV image.

Data Subject

The Data Subject is the individual that the personally identifiable data relates to.

Special Category Data

Some information falls under ‘special category data’. This information has extra precautions on it, such as needing explicit consent for processing it.

Special Category Data includes health, ethnic, religious, biometric and sexual information.

What is meant by ‘processing’?

How data is processed is the core of the GDPR. Processing data means any operation performed on data, such as collecting, storing, recording, organising, retrieval, transmission and so on. The data can be digital, paper based or in any other organised structure.

What consent is required?

If you’re collecting information, you need to give the data subject sufficient information about why you’re collecting it, what you’re going to use it for and how long you’ll hold onto it.

If you plan to use the data for a number of reasons (such as for sending marketing information and for processing an order) you need to give the data subject the option to select each use individually.

If you’ve acquired the data not directly from the data subject, you have a limited time to alert the data subject of how and why you received their data, where it came from, how you plan to use it and to give the data subject information on their rights.

If you’re processing special category data, you need to get explicit consent from the data subject before processing.

Not just consent

Consent is only one of a number of lawful bases for processing personally identifiable information. The GDPR gives a number of alternatives that might be more appropriate for your situation.

What rights do you have?

As a Data Subject, you have the following rights to manage how your personally identifiable data is used:

  • The right to be informed
    You have the right to be informed about how and why your personally identifiable information is being processed.
  • The right of access
    You have the right to request access to any personally identifiable information any organisation holds about you.
  • The right to rectification
    You have the right to have accurate information processed. If an organisation has inaccurate information they are required to correct it.
  • The right to erasure
    You have the right to have information erased after its lawful processing has completed.
  • The right to restrict processing
    You have the right to restrict further processing of your personally identifiable information.
  • The right to data portability
    In some situations, you have the right to receive a portable copy of your personally identifiable information in a format that can be easily transported to a different provider.
  • The right to object
    In some situations you have the right to object to the processing of your personally identifiable data.
  • Rights in relation to automated decision making and profiling
    If data is being processed automatically and determining your eligibility for some service, you have the right to object to the automated decision making.

GDPR Myths

GDPR Prevents data sharing
This is not true. The GDPR does put security and precautions on how data can be shared, such as the type of data that can be shared, the reason for sharing, who it can be shared with and how the data subject needs to be notified. As long as the reason for sharing data is legal and legitimate, and the data subject has been made aware of the share and given the option to not have their data shared, it is fine to share the information.

American tech giants will ignore the GDPR
A lot of tech giants have their European headquarters in Ireland, and the Irish DPA responsible for enforcing the GDPR in Ireland is already investigating some of the big global names like Facebook and Apple. The French DPA has already issued a massive £44,000,000 fine against Google over its lack of transparency.

California has since released its own version of the GDPR. It’s the USA’s most comprehensive data protection law, and it’s got a lot of support; there have already been calls for a GDPR-like US-wide federal law protecting personally identifiable information.

Consent is required for everything
While consent is a lawful basis for processing information, it’s not the only one. The GDPR gives organisations several bases for processing personally identifiable information. You should make sure you’re using the right basis for your processing, as it can affect the rights that users have to their information.

You can’t use marketing emails
Under the GDPR, you need to make data subjects aware how you’re going to process their information. As long as the user chooses (opts IN) to receive marketing information, it’s perfectly fine to use their information in that way.

We don’t use computers, GDPR is only about digital information
The GDPR applies irrespective of the type of filing system you use. If you’re processing information that the GDPR covers, you need to be registered and compliant with the GDPR.

Other information that might be of interest.

Caldicott Report on the handling of medical information.
https://www.igt.hscic.gov.uk/Caldicott2Principles.aspx?tk=436113758099715&lnv=18&cb=3dc43b21-7fd7-4897-af04-0c027c7dd4a3

ICO : Jayana Morgan Davis

ICO Fines

Birmingham: Jayana Morgan Davis

Jayana Morgan Davis forwarded several emails containing personal information from her work account at V12 Sports and Classics Ltd to her personal email account. The information related to customers and employees of V12 Sports and Classics Ltd.

She was fined under the Data Protection Act 1998 for unlawfully obtaining personal data, and ordered to pay costs of £590 and a victim surcharge of £30.

“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”

Mike Shaw, ICO Criminal Investigations Team

ICO Post


General Data Protection Regulations

Data Protection Act 2018

The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.

If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.

Personal Information is any information that can identify an individual, such as employee names, customer IDs or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.


ICO : Faye Caughey

ICO Fines

Birmingham : Faye Caughey

Faye Caughey, a former Heart of England NHS Foundation Trust administrator, has been prosecuted for accessing the medical records of patients without authorisation and without any need to do so. The records related to family members and children known to her, and came from the HEFT iCare and CareFirst systems.

She was fined £1000 under the Data Protection Act 1998, and ordered to pay costs of £590 and a victim surcharge of £50.

“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”

Mike Shaw, ICO Criminal Investigations Team

ICO Post



ICO fines Facebook £500,000 for breaches of data protection law

ICO

The ICO have issued a fine of £500,000 to Facebook in light of serious breaches of data protection law. This was the maximum fine that could be issued under the Data Protection Act in place at the time of the breaches; under the GDPR the fines could have been considerably higher.

Facebook have been found to have processed the personal information of users unfairly, notably allowing developers access to personal information without sufficiently clear and informed consent. Access was even granted to the information of users who had not downloaded the app, but were friends of users who had.

Additionally, Facebook failed to make suitable checks on the apps and developers using their system. One developer was able to harvest the personal information of up to 87 million users worldwide, without their knowledge.

After the Cambridge Analytica story broke and the breach of data protection was identified, Facebook failed to manage the breached data, waiting almost 3 years before suspending some developers’ access to the system.

Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.

Elizabeth Denham
Information Commissioner


Make sure you’ve had the right GDPR advice

The GDPR regulations have been in force for one month now and it’s great to see so many organisations, large and small, taking on board the message that processing individuals’ personal information is a privilege and not a right. But for every exceptional measure we’ve also seen some poorly put together privacy policies that fail to meet GDPR standards: using inappropriate lawful bases, not declaring the use of third party processors, not notifying individuals of personal information obtained other than directly from them, or just outright misuse of personal information.