Disasters Are Like Buses

There is a saying that you can wait ages for a bus and then three come along at once.

This can be true of disasters as well. The story goes like this…

In an office on a small business estate there once was a company that specialised in installing high availability data replication software into medium and large businesses. All was well, business was good, the software solution was good and the clients of the company were secure in the knowledge that their valuable data was being replicated in real time to crucial ‘hot’ backup business systems in recovery locations. Some of these installations had a mere 20 minutes to live switch-over time. The company provided round the clock on …

Head In The Clouds

Small businesses who run applications in ‘the cloud’, also known as SaaS (Software as a Service), are becoming increasingly complacent with regard to data security. There are a lot of claims made by SaaS providers about how safe and secure the systems are and by and large they run without issue almost all of the time. The use of cloud computing systems has seen exponential growth over recent years, from around 12% of business applications in 2012 to over 70% by 2015. This is an awful lot of data that may not be under the traditional IT regime of physical backups – data that is virtual, and virtually forgotten. We have arrived at a situation of a vast flotilla of …

Insider Threats

In this article I want to talk about a very real but often overlooked threat to a whole gamut of information protection issues – people.

When we consider the arena of information protection it is all too easy to get drawn into the world of IT systems and cyber-crime. Even if we are broader in our approach and consider printed and other forms of information we often only consider the threats from hacking or data corruption, or maybe systems failing and data being lost – maybe extending the risk as far as a fire destroying records etc.

This is a poster from the National Archive. It is circa 1939 – 1946 and had an important message about information security that is …

GDPR – Not-For-Profit organisations and Charities

On the 5th of April, the ICO fined 11 charities a total of £126,000 for breaking current data protection legislation. Some were fined because they ‘screened’ the subjects to target them for additional funds, some had pieced together data from different sources including lapsed donors and then traded this information with other organisations. After May 25th 2018 this fine might be £180 million!

As fundraisers, charities understand all too well the value and importance of lists. A core principle of the GDPR is the justification for processing personal information.  There are two basic grounds for processing – the personal data is processed pursuant to a contract or delivery of a service, or consent has been given for the …

GDPR – To DPO or Not To DPO

Who needs a DPO and what do they do?

This Bite is about the role and requirements of a DPO – that’s a Data Protection Officer. The role and duties of a data protection officer are varied – it is an interesting and challenging job. Within the scope of Article 39 of the GDPR, the tasks include:

  • To inform and advise the organisation of their duties and responsibilities under the GDPR
  • To monitor compliance with the organisation’s own policies and other regulations (including the GDPR) that may govern the organisation’s data activities
  • Provide advice and guidance on data impact assessments and monitor their performance
  • Act as the organisation’s contact point and liaise with the regulator (ICO)
  • Always be aware

GDPR – Processing Security

In this short article, I’m going to talk a bit about security of personal data and how the GDPR defines security. The requirements fall under Article 32 of the regulation. This is one of the areas of the regulation where decisions need to be made based upon the sensitivity of the data, the nature of the processing, the likelihood of a data breach and the impact on the data subject. These factors are then combined with the availability of technical solutions and the cost of implementation.  The key phrase in this article is “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

A word that crops up in this article and in several …

GDPR – Some Hard Facts

1. Brexit

Many business owners are assuming that because the UK has voted to leave the European Union – especially since article 50 was triggered making this formal – that the GDPR will no longer need to be implemented.

This is not the case. The ICO have indicated that business will be required to comply by 25th May 2018 along with the rest of Europe.  Additionally, it is foreseen that during the enactment of the Great Repeal Bill when the UK officially leaves the EU in May 2019, all the current statutes of the Union will be absorbed into UK law – the GDPR included.  There is also the matter of trade with Europe. It will be a condition …

GDPR – Privacy by Design & Privacy by Default

Whenever you read or hear information about the GDPR, you will most likely come across the terms Privacy by Design, and Privacy by Default. They are set out in article 25 of the regulation and they are a way of ensuring data protection becomes a consideration of future systems and procedures and that the protection that is inherent in new software or methodologies is proportionate and workable whilst offering the data subject (the person about whom the data is held) the best level of protection. These protections include controlling access to the data and deletion of the data once it is no longer required.

Privacy by Design

This introduces a new discipline in system design. For many years …

GDPR – Am I legally processing personal data?

To comply with the GDPR articles 5 and 6 you need to have a ‘legal basis’ for the collection, storage and processing of personal data. There are some fundamental ways to demonstrate a legal basis for the collection and processing of such data:


  1. You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given – it is not sufficient to notify them and allow them to proceed without actively ticking a box or in some other way acknowledging the request. When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms

GDPR In A Nutshell

The GDPR is designed to allow individuals to more effectively control their personal data. These updated regulations will also allow businesses to make the most of the opportunities of digital markets by improving public trust and harmonising data protection standards across Europe. The regulation will come into force on 25th May 2018.

What is the GDPR? In simple terms, it:

  • Applies to personal data – any data that relates to or can be used to identify a person in any way
  • Controls what can be done with personal information
  • Requires that consent is given or there is a good reason to process or store personal information.
  • Gives a person a right to know what information is held about them.