On July 19th 2020, Blackbaud Inc released a statement on a security incident that they had experienced. This incident resulted in a data breach of UK data associated with a number of UK Universities and a number of charity organisations. A full list of affected UK legal entities has not been disclosed by Blackbaud Inc. The University …
The Tim Hortons mobile app has caught the eye of the Canadian Privacy regulator. An investigation is to be conducted by the Canadian Privacy Authorities to assess whether consent to allow location monitoring was properly received by their mobile app. On the face of it, small beer (or coffee) and something just for the Canadians …
The maximum fine was dished out this week by the ICO in the UK, to DSG Retail Ltd (aka Dixons Carphone), for a data breach which compromised internal network for 9 months and led to the loss of approximately 5 million credit card records and the personal data of approximately 14 million individuals. The numbers …
In June 2018, the EU issued updated guidance on certification and identifying certification criteria for Articles 42 and 43 of the GDPR. We are now 18 months further down the road, but there does not seem to be a light at the end of the tunnel. There was a brief glimmer of hope when ISO …
The long and winding road that leads to GDPR certification Read More »
This initial investigation was triggered by guidance that was released by the ICO in the UK, that insists that processors must allow audit and inspection rights to their controllers in their contractual terms. In the GDPR , Article 28.3.h states: That contract or other legal act shall stipulate, in particular, that the processor: makes available …
In my previous post, we left the GDPR review at Clause 74. This was quite a deliberate breakpoint, as Clause 75 and 76 take us straight into the meat of the DPIA (Data Protection Impact Assessment). Privacy Impact Assessment The ISO 27701 Standard refers to a Privacy Impact Assessment as a method to determine the …
Understanding ISO 27701 – Missing GDPR Controls Part 2 Read More »
The ISO 27701 standard makes some additional control recommendations that are supposed to supplement ISO 27002 controls guidance. The ISO 27701 is clearly intended to be a generic Privacy controls framework. How do the controls stack up to the requirements of the GDPR? The GDPR is actually quite prescriptive in the controls that need to …
Cast your minds back to the beginning of 2018, the General Data Protection Regulation (GDPR) was on the horizon. Depending on your point of view, it promised to give citizens back control over their data or herald the end of some types of businesses focused on dubious uses of personal data. “The new legislation will …
GDPR – One year on, busting the myths and exploring the new realities Read More »
When the GDPR came into force on the 25th May 2018, a number of Articles referred to the creation of certification schemes that could be approved by Authorities, to make it easier for data subjects to understand whether an organisation had appropriate privacy controls. Implementing ISO 27701 looks like the easiest route currently to this …
We can generally gauge the level of preparation and understanding a company has about their own cyber security by the way they respond externally to a cyber incident. There have been some notable examples over the years where cyber security professionals have had to put palm to face on some of the media responses placed …
