Author: Martin Kayes, CISSP
If an individual discovers that a company has leaked their data under the UK GDPR, they should take several steps to protect themselves and address the situation: 1. **Document the Incident**: Keep records of any evidence related to the data breach, such as emails, notifications, or screenshots of any suspicious activity. Documentation will help support any claims or actions taken in response to the breach. 2. **Contact the Company**: Notify the company or organisation responsible for the data breach as soon as possible. They should have a designated Data Protection Officer or contact point for data breaches. Contacting the company…
Under the UK GDPR (General Data Protection Regulation), the use of CCTV (Closed-Circuit Television) is subject to certain principles and regulations to ensure the protection of individuals’ privacy rights. In addition, providing footage from CCTV and surveillance cameras in response to a subject access request, or for public viewing, will require careful consideration, editing and redaction of other parties’ identities. Beyond CCTV, the GDPR also covers automatic number plate recognition (ANPR), body-worn video (BWV), drones (UAVs), facial recognition technology (FRT), dashcams and smart doorbell cameras. Here are some key points regarding CCTV use under the UK GDPR: 1.…
Submitting a GDPR subject access request (SAR) is a straightforward process designed to empower individuals to access the personal data that organisations hold about them. Here’s a step-by-step guide on how to file a GDPR subject access request: 1. **Identify the Data Controller**: Determine which organisation or entity is responsible for processing your personal data. The Data Controller is usually the company or organisation that you deal with directly; it is not usually any other company or organisation that they may need to share your data with (these third-party companies are known as Data Processors). For example, if you buy a product online the retailer is…
It is quite widely known that for serious infringements of the data protection principles, the enforcement body (for the UK this is the ICO) has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover, whichever is higher. What is not so well known is that the UK GDPR sits alongside both the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), each of which is also enforced by the ICO. Previously, some company directors have been known to put their company into liquidation to try…
Below are some examples of large fines and actions issued in the UK under the General Data Protection Regulation (GDPR): 1. **British Airways (BA)**: In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39 million for a data breach that compromised the personal and financial details of approximately 500,000 customers. The fine was later reduced to £20 million after BA appealed the decision. 2. **Marriott International**: Also in July 2019, the ICO announced its intention to fine Marriott International £99.2 million for a data breach that exposed the personal data of approximately 339…
We offer affordable, professional help with all data privacy matters, using plain English and avoiding technical and legal jargon wherever possible – after all, one of the fundamentals of the GDPR is that it should be kept clear and simple, for anyone to understand. Data Privacy has traditionally fallen under the remit of IT and Cyber Security professionals, especially so since the Data Protection Act first passed into law back in 1998 (DPA 98), followed by the Privacy and Electronic Communications Regulations in 2003 (PECR). Only…
There are 6 lawful bases for processing personal data under the UK GDPR (General Data Protection Regulation); they are set out in Article 6 and are as follows: These lawful bases provide a framework for organisations to ensure that they are processing personal data in a manner that is fair, transparent, and respects the rights of individuals under the UK GDPR. We can advise you on choosing the correct lawful basis (or bases) for processing personal data – it is important to get it right from the outset, as you are generally not allowed…
If your company experiences a data breach involving personal data, you are required to notify the Information Commissioner’s Office (ICO) without undue delay, and where feasible, within 72 hours of becoming aware of the breach. We can help you manage the process correctly and even liaise with the ICO on your behalf. Are you aware that not all data breaches need to be reported to the ICO or enforcing body? It depends on the severity of the breach, the nature of the personal data and whether the data is encrypted or not. Data Breaches include a hacker accessing your systems,…
If a company has not provided all of your data in response to your GDPR subject access request (SAR), there are several steps you can take to follow up and ensure your rights are upheld. We can assist you with this: 1. **Follow Up**: As soon as you can, we recommend sending a follow-up communication to the company, informing them that their response to your SAR is not complete and that it is missing data that should be included – be specific if you can. Include details such as the date you originally submitted the SAR and any reference…
Good IT security practices are central to the GDPR (General Data Protection Regulation) for several reasons: Securing your devices, operating systems and network is a crucial part of protecting data and your company’s reputation. Providing GDPR awareness training to all of your staff is also very important. Addressing both of these will often help minimise any action taken by the ICO should a breach occur. The UK Government has a cyber security certification programme called Cyber Essentials, which helps your company achieve an acceptable level of IT security to protect your clients, suppliers and company reputation. We recommend that most…