Sounds like it is a company wide initiative so in this case I would use one of the 'security awareness providers' who as part of the solution provide phish testing emails, hundreds of videos on GDPR and other security related topics, and importantly a delivery mechanism to ensure employees are engagRead more
Sounds like it is a company wide initiative so in this case I would use one of the ‘security awareness providers’ who as part of the solution provide phish testing emails, hundreds of videos on GDPR and other security related topics, and importantly a delivery mechanism to ensure employees are engaged. Employee engagement is key and very difficult to achieve. If a breach were to happen the ICO will ask the question – ‘When were your employees last trained’….so you need evidence of a program rollout and employee engagement.
We use KnowBe4 as they have the largest video content and then include a services wrap for cyber security training sessions and to deliver the phish email tests.
In the spirit of openness on this forum you could choose from between 10 and 20 mainstream vendors, all of which would fit the bill.
I would recommend the specialist GDPR companies only if you want specific individual’s, such as a DPO, to get some certificates.
If they are your customers then you already have a basis for processing and storing their information however that will not by default include other purposes such as loyalty schemes. You are best advised to seek consent to further process their information for a loyalty scheme.
If they are your customers then you already have a basis for processing and storing their information however that will not by default include other purposes such as loyalty schemes.
You are best advised to seek consent to further process their information for a loyalty scheme.
I'd echo Egil, and like Egil, I'm not truly objective as I am in the process of gearing up to use/promote PriviQ. They are new to the UK but established in other geo locations. The key for me is the price which you can see on their website. Happy to arrange a demo. For sure you cannot go wrong withRead more
I’d echo Egil, and like Egil, I’m not truly objective as I am in the process of gearing up to use/promote PriviQ. They are new to the UK but established in other geo locations. The key for me is the price which you can see on their website. Happy to arrange a demo.
For sure you cannot go wrong with DPOrganiser – it does what is says on the tin.
I've never heard of SmartBox so checked them out. I'd be careful as parts of their website are still in Latin and their cookie 'more info' button takes you to a marketing companies page that drops more cookies. I'm sure they are a good company but it tells me they are resource stretched at present wRead more
I’ve never heard of SmartBox so checked them out. I’d be careful as parts of their website are still in Latin and their cookie ‘more info’ button takes you to a marketing companies page that drops more cookies. I’m sure they are a good company but it tells me they are resource stretched at present which may affect product development, response and support.
As the others have said – due diligence is key.
Finding emails is easy, redacting and preparing for submission to the requestor is not and sadly the cost of doing so in an automated fashion is very expensive.
I’m sure you have not but don’t forget your unstructured data too.
We do have a commercial arrangement with a company called Guardum which is top of the tree when it comes to DSAR’s. If you want to know more let me know.
HellenB is spot on. If you do not have valid consent I would suggest trying the following: Email the ladies explaining the project and the primary purpose is a positive outcome for women in that industry but highlight openly that the long term results will likely be a raised profile and promotion ofRead more
HellenB is spot on. If you do not have valid consent I would suggest trying the following:
Email the ladies explaining the project and the primary purpose is a positive outcome for women in that industry but highlight openly that the long term results will likely be a raised profile and promotion of the charity itself.
Explain that you are looking for testimonials and focus group engagement only and as such are seeking one off consent to participate in this initiative.
Reassure that existing communication preference will remain unaffected.
This is what I call the pragmatic approach and has served me well so far.
LI does not require consent and it is the industries way of circumventing the current cookie regulations that require consent. Most that do this have an object to all button but is is important to realise, which most people don't, that you need to hit two buttons not one! At present there is nothingRead more
LI does not require consent and it is the industries way of circumventing the current cookie regulations that require consent.
Most that do this have an object to all button but is is important to realise, which most people don’t, that you need to hit two buttons not one!
At present there is nothing you can do about it save use a different website. The worst are the media companies and the likes of Formula 1.
If you are relying on LI then make sure you document the LI Assessment. Make sure the LI is appropriate ie if you are selling an expensive service or product eg starting cost of £250k then don't send to companies who have turnovers of £1m.
If you are relying on LI then make sure you document the LI Assessment.
Make sure the LI is appropriate ie if you are selling an expensive service or product eg starting cost of £250k then don’t send to companies who have turnovers of £1m.
This is a more common occurrence than you may think so please don't feel too bad. I deal with at least one of these type of incidents a month eg wrong information such as job offers sent to the wrong people. You do not need to report it but document the decision for future reference. It is not diffiRead more
This is a more common occurrence than you may think so please don’t feel too bad. I deal with at least one of these type of incidents a month eg wrong information such as job offers sent to the wrong people.
You do not need to report it but document the decision for future reference.
It is not difficult, or expensive, to remove the human factor and prevent this happening again. Utilise technology that ensures only the intended recipient can open the communication, and/or that documents are checked and classified automatically.
I am DPO for several small/mid size companies and this situation has arisen a few times. I've also commented on other questions relating to this issue. We have a policy as part of the formal DSAR response process that prohibits the release of personal data to a business entity except in the case ofRead more
I am DPO for several small/mid size companies and this situation has arisen a few times. I’ve also commented on other questions relating to this issue.
We have a policy as part of the formal DSAR response process that prohibits the release of personal data to a business entity except in the case of legal representation.
We simply contact the data subject directly, ask if they requested the DSAR, why they are doing so, any info they are specifically looking for….and then release their data using the contact details we hold on file.
So far this has proved to be acceptable and has not been challenged.
UK company providing GDPR training for employees?
Stephen Lark
Sounds like it is a company wide initiative so in this case I would use one of the 'security awareness providers' who as part of the solution provide phish testing emails, hundreds of videos on GDPR and other security related topics, and importantly a delivery mechanism to ensure employees are engagRead more
Sounds like it is a company wide initiative so in this case I would use one of the ‘security awareness providers’ who as part of the solution provide phish testing emails, hundreds of videos on GDPR and other security related topics, and importantly a delivery mechanism to ensure employees are engaged. Employee engagement is key and very difficult to achieve. If a breach were to happen the ICO will ask the question – ‘When were your employees last trained’….so you need evidence of a program rollout and employee engagement.
We use KnowBe4 as they have the largest video content and then include a services wrap for cyber security training sessions and to deliver the phish email tests.
In the spirit of openness on this forum you could choose from between 10 and 20 mainstream vendors, all of which would fit the bill.
I would recommend the specialist GDPR companies only if you want specific individual’s, such as a DPO, to get some certificates.
See lessUK company providing GDPR training for employees?
Stephen Lark
Yesterday I wrote a full response but it got blocked. Wonder if the fault has been corrected.
Yesterday I wrote a full response but it got blocked. Wonder if the fault has been corrected.
See lessLoyalty schemes
Stephen Lark
If they are your customers then you already have a basis for processing and storing their information however that will not by default include other purposes such as loyalty schemes. You are best advised to seek consent to further process their information for a loyalty scheme.
If they are your customers then you already have a basis for processing and storing their information however that will not by default include other purposes such as loyalty schemes.
You are best advised to seek consent to further process their information for a loyalty scheme.
See lessROPA/PIA SaaS solution
Stephen Lark
I'd echo Egil, and like Egil, I'm not truly objective as I am in the process of gearing up to use/promote PriviQ. They are new to the UK but established in other geo locations. The key for me is the price which you can see on their website. Happy to arrange a demo. For sure you cannot go wrong withRead more
I’d echo Egil, and like Egil, I’m not truly objective as I am in the process of gearing up to use/promote PriviQ. They are new to the UK but established in other geo locations. The key for me is the price which you can see on their website. Happy to arrange a demo.
For sure you cannot go wrong with DPOrganiser – it does what is says on the tin.
I don’t know Keepabl
Like all purchases – due diligence is key
See lessExtracting emails and duplication of data in SARs
Stephen Lark
I've never heard of SmartBox so checked them out. I'd be careful as parts of their website are still in Latin and their cookie 'more info' button takes you to a marketing companies page that drops more cookies. I'm sure they are a good company but it tells me they are resource stretched at present wRead more
I’ve never heard of SmartBox so checked them out. I’d be careful as parts of their website are still in Latin and their cookie ‘more info’ button takes you to a marketing companies page that drops more cookies. I’m sure they are a good company but it tells me they are resource stretched at present which may affect product development, response and support.
As the others have said – due diligence is key.
Finding emails is easy, redacting and preparing for submission to the requestor is not and sadly the cost of doing so in an automated fashion is very expensive.
I’m sure you have not but don’t forget your unstructured data too.
We do have a commercial arrangement with a company called Guardum which is top of the tree when it comes to DSAR’s. If you want to know more let me know.
See lessPECR – Marketing and service emails
Stephen Lark
HellenB is spot on. If you do not have valid consent I would suggest trying the following: Email the ladies explaining the project and the primary purpose is a positive outcome for women in that industry but highlight openly that the long term results will likely be a raised profile and promotion ofRead more
HellenB is spot on. If you do not have valid consent I would suggest trying the following:
Email the ladies explaining the project and the primary purpose is a positive outcome for women in that industry but highlight openly that the long term results will likely be a raised profile and promotion of the charity itself.
Explain that you are looking for testimonials and focus group engagement only and as such are seeking one off consent to participate in this initiative.
Reassure that existing communication preference will remain unaffected.
This is what I call the pragmatic approach and has served me well so far.
See lessCookies and legitimate interest
Stephen Lark
LI does not require consent and it is the industries way of circumventing the current cookie regulations that require consent. Most that do this have an object to all button but is is important to realise, which most people don't, that you need to hit two buttons not one! At present there is nothingRead more
LI does not require consent and it is the industries way of circumventing the current cookie regulations that require consent.
Most that do this have an object to all button but is is important to realise, which most people don’t, that you need to hit two buttons not one!
At present there is nothing you can do about it save use a different website. The worst are the media companies and the likes of Formula 1.
See lessb2b emails
Stephen Lark
If you are relying on LI then make sure you document the LI Assessment. Make sure the LI is appropriate ie if you are selling an expensive service or product eg starting cost of £250k then don't send to companies who have turnovers of £1m.
If you are relying on LI then make sure you document the LI Assessment.
Make sure the LI is appropriate ie if you are selling an expensive service or product eg starting cost of £250k then don’t send to companies who have turnovers of £1m.
See lessDSAR disaster!
Stephen Lark
This is a more common occurrence than you may think so please don't feel too bad. I deal with at least one of these type of incidents a month eg wrong information such as job offers sent to the wrong people. You do not need to report it but document the decision for future reference. It is not diffiRead more
This is a more common occurrence than you may think so please don’t feel too bad. I deal with at least one of these type of incidents a month eg wrong information such as job offers sent to the wrong people.
You do not need to report it but document the decision for future reference.
It is not difficult, or expensive, to remove the human factor and prevent this happening again. Utilise technology that ensures only the intended recipient can open the communication, and/or that documents are checked and classified automatically.
See lessRightly.co.uk
Stephen Lark
I am DPO for several small/mid size companies and this situation has arisen a few times. I've also commented on other questions relating to this issue. We have a policy as part of the formal DSAR response process that prohibits the release of personal data to a business entity except in the case ofRead more
I am DPO for several small/mid size companies and this situation has arisen a few times. I’ve also commented on other questions relating to this issue.
We have a policy as part of the formal DSAR response process that prohibits the release of personal data to a business entity except in the case of legal representation.
We simply contact the data subject directly, ask if they requested the DSAR, why they are doing so, any info they are specifically looking for….and then release their data using the contact details we hold on file.
So far this has proved to be acceptable and has not been challenged.
See less