Blog: Practical Privacy
As experts in data protection, privacy and the GDPR, we wanted to share our knowledge with you to ensure your compliance journey is as simple as possible. With a clear understanding, data protection best practice will become a natural part of your organisation’s way of working - a benefit to you and your business.
So take a look over our GDPR and data protection resources below.
I hate cookies. There, I’ve said it. That wasn’t always the case, but after recently going through the exercise of trying to comply with the law on cookies, I’ve changed my mind. Grab a glass of milk and let me tell you my story.
How to choose a lawful basis for processing personal data
If you think that to process personal data all you need is a tick box, think again. If you think that all you need is consent, take another guess. And if you think that you can get away with only one lawful basis, then perhaps you should read this article.
How to write a privacy notice
There are three types of privacy notice. There are those that have been copied and pasted from someone else’s site with a few names changed. There are those drafted by professionals who have little idea of the business that they are writing them for. And then there are those that are done right.
How to create a Record of Vendors & Partners
“Accountability”. It is the cornerstone of trust. You can’t trust someone if they are not accountable for their actions. We all know someone who seems to get away with murder (or, more likely, avoiding work or responsibility when things go wrong). Well, privacy regulation knows about such people, which is probably why one of the principles of the GDPR is ‘accountability’. Not only must you be compliant, you must be able to demonstrate your compliance. And one thing you need to be able to demonstrate is who you are sharing personal information with.
How to create an Article 30 Record
Records can be interesting if you are a Strava athlete. Or a collector of vinyl. But Article 30 Records are not interesting. Even if we call them by their other name – ‘Records of Processing Activities’ – they still don’t sound interesting. And they are not. What they are is an essential (and often legally required) building block of any data protection compliance programme.
How to map your data flows
“Data flows”. Sounds like a job for someone in IT, right? Wrong! Creating accurate maps of your data flows is an essential building block of any data protection compliance programme. Don’t get this bit wrong. If you do, everything else will be wrong as well. Time spent on getting this right will save you time over and over again as you build out your programme. Let us give you some pointers.
The age of consent
What is the biggest myth touted about the GDPR? It is, “If you want to use personal information you must have consent”. Why is this a myth? Because what you need is a lawful basis for processing personal information, not consent. Consent is just one of the six lawful bases available under the GDPR.
Am I a controller, a processor, or both?
Controllers of personal information are the ones with all the liability under the GDPR, right? Wrong. Processors have obligations under the GDPR too. And then there are joint controllers as well. They are jointly liable to people who have suffered damage because of a GDPR breach. To confuse matters further, an organisation can be both a controller and a processor at the same time (although not in relation to the same processing activity).
How to send marketing emails under the GDPR
Do you remember where you were during the great avalanche of May 2018? Piles of emails swamped inboxes across a vast area covering the UK and the EU. In the run-up to the GDPR, these emails requested consent to send further emails to their recipients after 25 May 2018. Some were necessary, but a large proportion of them were not. The avalanche was born of confusion about the GDPR and fear of fines. Even now, confusion remains. Read on to find out when you need consent to send marketing emails and when you don’t.