Privacy Kitchen
Privacy Kitchen is your FREE video-led help on GDPR and all things Privacy!

Whether you're a GDPR novice or expert, we've free videos on everything from the basics to the advanced so you can increase your GDPR readiness and awareness, achieve GDPR compliance, and show that compliance to others.

We'll cover topics like

- Do I need a Data Protection Officer (or DPO)?
- Who can be a DPO?
- What does a DPO do?
- What is GDPR?
- 10 Steps to GDPR Compliance
- Brexit and GDPR
- GDPR and the USA
- and of course Breach, Data Subject Rights (or DSRs), PECR and e-Privacy, and more.

Get involved and use #PRIVACYKITCHEN to tell us the questions and topics you want covered.

Privacy Kitchen is brought to you by the team at Keepabl, the award-winning Privacy Management SaaS Solution. Visit us at Keepabl.com.

And don't miss our FREE guide to the UK GDPR reforms: privacykitchen.tv/reformsguide

Request your demo today: privacykitchen.tv/getdemotoday
Privacy Policy or Privacy Notice?
8:09
2 years ago
Welcome to Privacy Kitchen!
1:19
2 years ago
What are the 7 principles of GDPR?
8:00
2 years ago
CARA TV Keepabl on GDPR 220421
27:10
3 years ago
Comments
@georgelipinski8537 1 day ago
Thank you Robert very important we have included this in our jamjang app
@malamdikereta 1 month ago
In this Privacy Kitchen session, experts Tash Whitaker and David Clarke join host Robert Bohr to dissect the complexities of data mapping for privacy governance. They explore the nuances of GDPR compliance, the impact of Brexit on data protection strategies, and share practical advice and war stories from the field. The conversation delves into the importance of understanding data maps, the challenges of maintaining accurate records of processing activities, and the implications of Brexit for cross-border data transfers and marketing practices.

Takeaways

- 🗺 The importance of a data map as a cornerstone of privacy governance was highlighted, emphasizing its role in understanding data flows and impacts on privacy.
- 🤝 Introductions of the panelists, Robert Bohr, Tash Whitaker, and David Clarke, who are experts in privacy management, consultancy, and cyber and data protection, set the stage for a deep-dive discussion.
- 🔍 The distinction between a data map and an asset register was explored, with the former being a broader concept that includes the latter, which is more about the security and inventory of data assets.
- 📝 The GDPR's record of processing activities was discussed as a subset of a data map, which is crucial for understanding data processing activities and responding to data subject requests.
- 🚫 The challenges of questionnaires for data mapping were noted, with panelists preferring interviews to get accurate insights into data processing activities.
- 🔑 The role of the Data Protection Officer (DPO) in maintaining the record of processing activities was emphasized, as they need a comprehensive understanding of the business to fulfill their role effectively.
- 📈 The impact of Brexit on data maps was anticipated, with the potential need to revisit and adjust data transfer agreements and the possible requirement for UK companies to appoint EU representatives.
- 🛑 The potential increase in data subject rights requests due to the removal of PEC Regulation (ePrivacy Directive) was flagged, necessitating a detailed data map to manage these effectively.
- 📉 The low adoption rate of ISO 27001 was mentioned, with GDPR and other privacy regulations driving a need for more comprehensive data governance practices.
- 🔄 The dynamic nature of data mapping was underscored, as it needs to evolve with the business and be part of ongoing risk management and compliance activities.
- 📚 The complexity of managing large-scale data maps was discussed, with the need for robust systems and processes to maintain and update the data map in line with business operations.
@marylincutes 1 month ago
GDPR is applicable to Europe. But what if someone from Europe is accessing data illegally in Southern hemisphere? All these fines should apply to that person as well or the company that they work for, right?
@user-qq8ex1bv1c 1 month ago
I believe they use Confidentiality and Integrity rather than the broader "Security" because Security also covers Availability (the security Triad of CIA).
@andyMSH700 2 months ago
In my opinion the ICO has no teeth and pretty much useless to the general public....government organisations hide behind this service referring you back to them knowing full well they will close your query down....why are they being paid by the tax payer?
@medwayhospitalprotest 2 months ago
@PrivacyKitchen I wonder whether you could clarify something for me? Many people have been telling me that a "natural person" i.e. private individual, someone who does not have a business, just a regular Joe, can be considered a Data Controller. I know the DPA quite well but not the GDPR. I would imagine it being highly impractical for private individuals to be classed as Data Controllers but some fairly reliable people have told me this is the case. I can't find anything that validates their opinion.
@anggelngilah173 2 months ago
I learn about risikan
@anggelngilah173 2 months ago
history
@msinbalony 3 months ago
I'm sorry, how can I focus on what you're saying when that cute little thing is walking around?? My God, he's so adorable.
@PriyankaDas-vl8hq 3 months ago
Very Nice
@taffmister 4 months ago
Hello. Where do I stand with an ex employee. I left the fire service due to false allegations, I then joined the police. Once in the police they asked for a reference from the fire service. They replied back they don’t give a detailed reference. 3 months later messaged back stating my investigation. No one asked or gave permission for this. Where do I stand????
@GaneshJU 4 months ago
DPO - should NOT mark their own homework.
@AdEve-co7be 5 months ago
Thank you
@medwayhospitalprotest 2 months ago
You can turn on the subtitles in French.
@davidrobertson5700 5 months ago
Please help me. I have been the victim of Brighton and hove city council's data fraud. A letter written yesterday to Brighton and hove city council's leader. I am stuck and forced to take this route. The email is as follows:

Dear Bella,

With concern I contact you regarding fraud by council staff who have knowingly covered up acts of data fraud against myself and others which directly contravenes Brighton and hove city council's policy and legal obligations stated under the data protection act.

I have minutes of a council meeting that stated there were many deeply regrettable data breaches by outreach staff. I also have evidence from my housing file to back up my allegations.

So since September 2020 I have made your council officers aware in writing and by recording calls and the situation has been denied, minimised, gaslight and backlit to try to affect my mental health.

In short as literally your own policies and the law have been shattered broken I am unfortunately left to make a private prosecution against you, your corporation and your council officers that have taken part and failed to rectify this incredibly serious set of data breaches and total failure of your corporate body, led by you.

I hope you will contact me in person as I have faced retribution every time I have brought this up and it is getting worse and worse with the members of your staff treating me differently by failing to address issues that are ongoing and egregious

I hope you do not mind that I send this email to the Local government's ombudsman, the ICO and the media in full and the Labour party HQ so this may not be swept under the rug as it has been for far too long.

I have reported these data breaches against myself and others for 4 years in writing to many department heads and staff and your policy is very clear that it must be dealt with full stop. Yet here we still are.

Will you call me to lay my fears to rest that a cover up is not happening for the last 4 years?

Your senior governance team has my number.

Kind Regards
David

These are deliberate data breaches in retaliation to complaints regarding fraud and forgery. Please, please help me someone
@adailydaughter6196 6 months ago
Thank you. Does this apply to small (1 or 2 person) business?
@PrivacyKitchen 6 months ago
Hi, the size of business isn't a factor, it's whether your activities fall within Art 37's 3-part test: public sector, core activities large scale monitoring, core activities large scale special categories or crime. And of course you can voluntarily appoint one if you decide that's right for you.
@ppa5164 8 months ago
Very simple, easy to understand and concise video, super helpful!
@Web3V 9 months ago
Cool channel
@caroljones9908 10 months ago
Can you tell me if emails which have gone missing from a company who I'm in dispute with can be claimed against using GDPR? Or point me in the right direction for advice?
@PrivacyKitchen 9 months ago
We're afraid we can't give tailored personal advice, and recommend you seek legal advice. What we can say is that GDPR allows you to obtain your personal data, not the document itself nor information that isn't about you. Again, particularly in disputes, we strongly recommend seeking legal advice.
@caroljones9908 9 months ago
@PrivacyKitchen thank you.
@user-rm1vo9kr3t 10 months ago
How can I receive my data from my stolen phone Micromax Q382 of imei1-911467754510476 because this phone is controlled by hackers
@governanceriskcompliancegr9963 10 months ago
Hello Robert, it was a nice explanation of GDPR principles. Regulatory authorities in EU and other countries are tightening the supervision to ensure Data Protection of Data Subjects by the Data Controllers and Data Processors. Element of Free Data Consent of Data Subjects is of crucial importance.
@bempomaa489 9 months ago
Hi, I have a project this topic GDPR and DPA 2018 EU and UK opt-in into cookies can you link to me any website for my final project please? Thanks
@PrivacyKitchen 9 months ago
For cookies in the UK, we particularly recommend looking at articles and guides on law firm websites and looking at the particular rules in PECR and the draft DPDI2. Good luck with your project!
@bempomaa489 9 months ago
@PrivacyKitchen Thank you…, do you mind linking me please?
@MrTizzy4 10 months ago
Fantastic video. Using this as part of my CIPP / US studies. Thanks!
@jonbance 11 months ago
Is it breaching GDPR if a client's name is in an email title..on counselling?
@Tola_A 11 months ago
Amazing videos, using alongside my study for the CIPP/E exam. Did you get around to doing one on joint controllers?
@PrivacyKitchen 9 months ago
Many thanks! We've not yet but will do :)
@Tola_A 9 months ago
@PrivacyKitchen great! I'm eagerly anticipating watching. By the way, I successfully passed the CIPP/E exam, and I must say your videos were particularly helpful in certain areas. Thank you! 😊
@PrivacyKitchen 9 months ago
Congratulations! @Tola_A
@Brian-zn3ey 1 year ago
Shouldn't privacy be assumed, why are they asking you to consent with yes/no options? What are you actually consenting to?
@kotsbrown 1 year ago
Great video. Love GDPR and all its nuances!
@marcusyoung3485 1 year ago
If u was to use a company laptop in a cafe and ask the person during a call if this is still their email and address but no one else in the cafe is this a breach?
@torley 1 year ago
Very clearly explained, thank you for the information. Was that dripping tap water in the background? Makes sense as part of a Privacy Kitchen, I suppose. 💧🚰
@PrivacyKitchen 1 year ago
It was! It's part of the real video movement :) Fixed now.
@GangeArtCom 1 year ago
I am seriously considering taking someone to court over this.
@stanislavnikolskiy6122 1 year ago
Great Job🔥 thank you 🙏🏻
@chestercopperpot4455 1 year ago
Any episodes in the pipeline? How about NIS2?! Thanks
@KPP365 1 year ago
How can you prove who gave your details to someone else? Like my old employer, if someone is trying to get in touch with me and call them? How long can your old employer keep your details IE phone number, Email?
@PrivacyKitchen 1 year ago
Hi, you'll understand we can't give long advice or even give advice at all - we're not a law firm and you should seek professional advice. What we can say is there should be retention periods for information depending on the purpose, and no personal data should be kept for ever.
@scottelev896 1 year ago
Hi I had an occupational health report left out in a communal area where I work. The person who left it out investigated it themselves and decided no data was breached. Two months later they reported it to the organisation. Any ideas?
@rossblack9559 9 months ago
You would have to prove it got into someone else's hand.
@Dabes88 1 year ago
So my collection of data can be collected on amopt out basis as a baseline and make it a dataset to run through a machine learning algorythm for sentiment analysis. Truthfull and whatever else I want.unpess the can tell m what I have and prove they are them and as long as I do t hold an unbekcrypted csv train a mlboy to do whatever I want with uptobamd including paroting them deep faking anything but I cqnsell the CSV however I can use the ml tlas a monthly membership making sat DWP the product?
@potatius6421 1 year ago
as to the first thing you cited: don't wear a suit made from plastic and doesn't fit you...wink wink
@TukikoTroy 1 year ago
I've been watching a lot of 'auditing' videos lately and I'm fully acquainted with an auditor's right to film... but when it comes to publishing, especially when someone belonging to whatever company is being audited specifically says they do not want this being shown on YouTube, I get lost in the tangled and layered swamp that covers privacy. Is auditing for 'personal use'? Do auditors have to comply with GDPR? Can they publish someone's image if they have been asked not to? Do Google rules apply in UK? I'm totally lost with all of the legislation.
@PrivacyKitchen 1 year ago
Hi, you'll understand we can't give long advice or even give advice at all - we're not a law firm and you should seek professional advice. Hope the videos help clarify matters!
@mrbcrowes 1 year ago
What would be the legal grounds for unfair dismissal for a private group conversation on Facebook leading to removal from a charity group? i.e if someone was raising awareness of manipulation or asking a question that would lead to a screen shot which in turn would be shown to the leaders. Thanks for any input, been round the merry go round with google search and Facebook privacy laws.
@williamrodgers4669 1 year ago
THEY USE VAPOR LEGALESE LIKE TO THIS TO SCARE PEOPLE AND BELIEVE THEY CAN FINE YOU AND COLLECT. TELL THEM GOFYOURSELF
@Ali54314 1 year ago
This video is very good and helpful thank you so much for this. I would like to share my incident and if you could provide your view it will be great of you. I requested for CCTV footage under subject access request with Apple regarding an incident in store. They have deleted the footage and apologised saying we failed. ICO has told me they will ask them to improve future incident better. I am at loss on everything, esp with the racist incident in store.. what can I do?
@acousticleo4354 1 year ago
I have a question. In UK, I bought an electronic device, the Application necessary to set up and run this electronic device wasn't available in Google Play store. So I called support centre and they emailed me a link to a Web page to download the phone application. I was anxious to open my new gadget and this webpage contained virus/malware my personal mail (containing all type of sensitive data) was open. After some time I notice the phone working really bad and reset it afraid of Virus. Is this a data breach? Many thanks! #PrivacyKitchen
@kaxar6954 1 year ago
Good discussion. I have three questions. Does UK GDPR apply to UK employers who use cloud-based companies in EU countries to store staff training and competency records? What policies should they have in place if they are moving away from a paper-based system to digital? Can a UK employer insist on staff having their photo/video used to document a training or competency activity to be held in the cloud based outside the UK?
@robertbaugh1103 1 year ago
Hi, glad you enjoyed the conversation! You'll appreciate we can't give advice and we're not a law firm or consultancy. We can say that UK GDPR applies to all employers established in the UK. We can also say that an employer should have a range of policies and procedures for Privacy and Security (both can be covered in the same policy they don't need to be separate whatever works for you), just as you should have an Employee Handbook dealing with equality, holidays, expenses, etc. To go further would be to be advising on your situation which we can't do, we can only recommend you obtain appropriate advice, a good Privacy consultant can help you here.
@kaxar6954 1 year ago
@robertbaugh1103 Thanks. The questions were hypothetical in the event those questions are raised in the future with this new framework.
@A5tr0101 1 year ago
Hey i wanted to ask, can any thing come up from using a declaration vs a checkbox in any scenario I agree to Terms and Conditions [checkbox] I agree to Privacy Policy [checkbox] vs on registration showing a declaration By proceeding i agree to [Service]'s Terms and Conditions and Privacy Policy (popular in tech giants, and other apps i've tested, its nicer UX) I am in a debate with this at work at the moment and am told i am wrong, what about class 2 medical devices?
@robertbaugh1103 1 year ago
That's a few questions in there! We don't provide advice and can't advise on particular situations. We always recommend clarifying what the processing activity is, or the multiple activities, deciding on the appropriate legal basis, then deciding on the appropriate notices / flow / records etc.
@madhvikaria9404 1 year ago
This is really helpful. How does intra-group data processing work? For example. Need more guidance on this pls.
@PrivacyKitchen 1 year ago
Great topic for a video, thanks Madhvi! It's essentially the same as if each group member is an unknown third party. There's no free passes for group members. If you have BCRs (and wow, only 200 groups have ever had BCRs approved so you most likely do not have BCRs) then the BCRs set out the rules - still no free pass, the BCR is a chunky set of rules.
@andys-ctg827 1 year ago
Hi. I don't understand the detail about the Art 28 being covered by the EU SCC Addendum but not the IDTA. The ICO's addendum template mentions Art 28 once, and it is very tentative. However, their IDTA template mentions it five times and does have clauses that mention the need for a linked agreement between the parties that complies with Art 28. Could you clarify more please? Thanks.
@PrivacyKitchen 1 year ago
Hi Andy. The IDTA refers to a linked agreement which is to address Art 28. See eg Bird & Bird: www.twobirds.com/en/insights/2022/uk/new-uk-standard-contractual-clauses-for-personal-data-transfers: "The mandatory processor requirements under Art. 28 UK GDPR are not included: Whereas the new EU SCCs incorporate the Art. 28 GDPR requirements (i.e. when module 2 (controller to processor) of the new EU SCCs is used, it already has the appropriate mandatory processor obligations under Art. 28 built in so a separate data processing agreement is not needed between controller and processor), this is not the case with the IDTA - Clause 1.4 of the IDTA’s Mandatory Clauses makes it clear that it envisages that a linked agreement will cover this off, which it may well do in practice. However it complicates the patchwork of data transfer agreements."
@ven11000 1 year ago
As if they ever disclose any of this
@anuproy9289 1 year ago
Great video. Effective information. Dear Sir, I have 8 years experience in ISO 9001, ISO 27001, GRC compliance, I want to go for GDPR compliance, hope this information will help for future.
@agboolayinka378 1 year ago
I am Nigerian Your mouth is too fast
@PrivacyKitchen 1 year ago
So sorry! There are captions as well, which we hope are helpful. Thank you for your comment - and for watching!
@agboolayinka378 1 year ago
I know, but it would have been easier if I could hear u and at the same time read it. You can always create an option whereby listeners can switch from one audio pace to another (1x to 1.5x to 2.0) I'm not sure if you understand my message. Do you? Good work. My name is Olaniyi
@maximumaxiom6823 1 year ago
@agboolayinka378 You can slow down the speech in settings
@basebunker1556 1 year ago
Great video!
@PrivacyKitchen 1 year ago
Many thanks!
@ajaaugochi2311 1 year ago
I have a certificate on GDPR with Alison, I need employment, I am from Nigeria.
@DerrickMinutello 1 year ago
great introduction to GDPR. Thank you!
@PrivacyKitchen 1 year ago
Many thanks! Glad it's helpful, we love this feedback :)
@chestercopperpot4455 1 year ago
I passed IAPP CIPP/E recently and your videos were very helpful as revision aids. Thanks for your clear and practical content.
@PrivacyKitchen 1 year ago
Many congratulations! So good to hear and welcome to the profession!
@jazzhamster4168 1 year ago
Thank you for great video! My neighbour filed and still files false allegations against me to the police. Is there any way to erase these reports from my criminal record? I was interviewed by the police and managed to rebut some of the accusations, I have made SAR to the police and received catalogue of different offences reported by my neighbour... these accusations are baseless but still will be recorded on my enhanced DBS check... I don't understand how they can punish me, burden my criminal record, for things I have never done... HELP
@PrivacyKitchen 1 year ago
So sorry to hear you're having such issues but you'll appreciate we can't give advice on individual cases. And we don't give legal advice at all. This is a tricky area. The facts are all important so we recommend you seek legal advice.
@jazzhamster4168 1 year ago
Thank you for reply. General Question: Would it be possible (in general) for anyone to stop the police from disclosing allegations on one's enhanced DBS check? Can police make a decision for refusal to erase data on the 'Public interest' ground without explaining the process of how they balanced public interest vs one's rights to reach this decision and how it overrides one's rights? I am just wondering how it could be challenged in general. Can it?
@paulmatthew689 1 year ago
Google banned my account in my sleep because of my baby photos...Can the GDPR get my data back?
@PrivacyKitchen 1 year ago
You'll appreciate we can't give specific advice. If GDPR applies you may have data subject rights including the right to copies of your personal data - but that's only to the personal data, nothing else, so it may not deliver what you're after.