The ICO has issued a £60,000 fine to Boomerang Video Ltd after it suffered a cyber attack. An investigation by the ICO found the Berkshire-based company failed to take basic steps to stop its website being attacked.
Not necessarily, but you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR and so you can appoint a data protection officer (DPO) if that helps you meet this criteria.
The GDPR says that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
Public authorities (except for courts acting in their judicial capacity) are required to appoint a data protection officer (DPO), as is any organisation carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); or carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
You must ensure that:
- The DPO reports to the highest management level of your organisation – ie board level.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their GDPR obligations.
The role of DPO can be allocated to an existing employee. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.
Pub chain JD Wetherspoons has quite a fanbase in the UK, but the company has decided it’s safer to delete all its customer data than risk it being hacked.
The rules are changing on data protection, if you want to find out more, Rob will be talking to Miles Hensen on 93.7 Express FM’s Business Programme at 7 pm.
The rules are changing on data protection, if you want to find out more, Rob will be talking to Miles Hensen on 93.7 Express FM’s Business Programme at 7 pm Tonight.
If you are going to telephone a business for unsolicited sales and marketing purposes you are legally required to make sure that they are not on the Corporate TPS.
The Corporate Telephone Preference Service (CTPS) is the central opt out register for corporate subscribers to register their wish not to receive unsolicited sales and marketing telephone calls.
To make sure you don’t break the law and potentially damage your reputation you can check if a number is registered using the online TPS Checker.
You have to register, but then its free to check up to a certain number of phone numbers per day – it’s a simple and quick way to check rather than making a costly mistake that could also harm your reputation.
The rules are changing on data protection, if you want to find out more, Rob from Crimson Crab will be talking to Miles Hensen on 93.7 Express FM’s Business Programme at 7pm on Thursday 29th June 2017.
Many thanks to Reputation Advocate Lorna Jackson of Advance & Get Noticed for arranging this.
Melanie Dawes the Permanent Secretary of the Department for Communities and Local Government (DCLG) has sent a letter to owners, landlords and managers of private residential blocks in England.
DCLG are offering, private owners of residential buildings an opportunity to test cladding on blocks over 18 metres high through arrangements put in place with the Building Research Establishment (BRE).
These checks will be paid for by DCLG, and the information will be available to DCLG from BRE.
Where owners consider that they may have concerns about cladding on buildings over 18 metres high, there is a process to follow described in the letter.
DCLG have provided an email for enquiries: PRShousingchecks@communities.gsi.gov.uk
The letter and downloadable data return form are available here.
It is important to remember that we are only talking about third party personal data under the data protection rules.
If you are holding this as part of your responsibilities then you will need to comply with the Data Protection Act until May 2018 and the GDPR thereafter.
You need to think carefully about the storage and disposal of personal data.
The General Data Protection Regulations (GDPR) came into force in May 2016.
There is a two year lead in period to enable businesses to become familiar with the new regime and so the critical date is:
25th May 2018
The law applies to anyone who processes personal data (which includes storage and disposal) in whatever capacity.