DPO in EU and UK
Ian G
In short – yes they can assuming they have the necessary skills and expertise and are well engaged with the UK entity so that they can fulfil their oversight and advice role.
UK IDTA’s – how are you getting on with it ..
Ian G
I thought the deadline for the UK IDTA is end of March 2024 not 2023 – or have I missed something? I have done one UK addendum to the EU SCCs as working for a multinational we have processes in third countries and controllers in the UK and parts of the EU. I spoke to the ICO about when the IDTA/Addendum accompanying guidance was going to be produced and they were fairly non-committal which is disappointing as we’re having to work to the EU deadline of December 2022 for SCC transfers and the UK regulator not having settled on its guidance isn’t great (I don’t find the addendum document that intuitive to follow).
European Parliament LIBE Committee seeks amendments to draft EU-UK adequacy decisions
Ian G
If you have EU based entities providing personal data into UK based processors/Controllers I would suggest prioritizing those contracts/Intra-group agreements and getting ready to potentially implement the EC Standard contract Clauses (these are the only ones available at present) – either controller to Processor or controller on these contracts. UK to EU data flows should be unaffected, given the UK has already deemed the EU adequate.
There is also the issue of Transfer Impact Assessment following the Schrems II judgement, but for now I’d say key is to identify those transfers impacted and get access to their contracts if you can and then see if adequacy or an extension to sorting this out is given.
GDPR 3rd year anniversary messages
Ian G
I personally would not go down the route of doing a mock data breach as suggested – as I think that won’t win you any favours in the long run, particularly from senior management. Sure do table top exercises (if you don’t get many breaches), but I would not link those negative aspects to the GDPR enforcement anniversary (which most colleagues won’t care about).
We produce weekly content for our colleagues which is relevant to them and then add in business messages on data protection to them – we’ve done posts internally on subjects like e-safety for children, avoiding phishing, vishing and smishing scams (and what to do if you get duped), Black Friday scams to look out for, remote working dos and don’ts, backed up by quizzes.
For me the keys are:
(a) make it relevant to colleagues.
(b) link it in with your business goals where you can (re themes you use).
Deletion requests facilitated by a third party
Ian G
Just adding to this thread as we receive waves of these erasure requests from Saymine (generating probably around 95% of all our total erasure requests). We can get 40 one weekend and then 1 or 2 over the next few weeks. Given the random times day and night the requests come in I believe the emails are sent via Saymine servers who seem to have peaks and lulls in activity.
Our approach is we contact the individual directly as the email address is included in the request to get them to confirm they raised the request; around 80%+ do not come back to us to confirm this, so we don’t process their erasure request further.
I think the ICO’s approach on these would be if the request includes the individual’s email address reach out to them, but you’re under no obligation to sign up to the third party portal as an earlier comment mentioned.