Podcasts

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Data Protection Consultant at URM, provides his insights on the Data (Use and Access) Act, which received Royal Assent on 19 June.  Stuart draws upon over 25 years of specialisation in data protection law to discuss:

• The background, scope, and intention of the DUA Act
• How the DUA Act is expected to impact the UK’s data protection regulatory landscape, and how it may lighten the compliance burden on organisations, particularly in relation to:
  
  • Automated decision-making
  • International transfers of personal data
  • Data subject access requests (DSARs)
  • The Privacy and Electronic Communications Regulations (PECR)
  • The ‘legitimate interests’ basis for processing
• Which provisions in the Act may make data protection compliance more difficult
• When these changes are likely to come into force.

‍

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Data Protection Consultant at URM, breaks down the General Data Protection Regulation’s (GDPR’s) requirements for organisations that need to share personal data with the police in order to report a crime, or following a request for data to assist with an investigation.  Martin leverages his 20+ years of experience in information management and data protection compliance to discuss:  

• The legislative framework governing police access to personal data, including Part 3 of the Data Protection Act 2018
• The lawful bases under the UK GDPR for sharing personal data with the police, and when each may apply
• Considerations for compliance with the purpose limitation and data minimisation principles when providing the police with personal data
• What to consider when sharing special category and criminal offence data with the police, including applicable conditions under the DPA 2018
• Whether individuals need to be informed of any data sharing
• Practical guidance on how to ensure any data shared is lawful, proportionate, and compliant with the data protection principles.

‍

‍

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Consultant at URM, explains the General Data Protection Regulation’s (GDPR’s) requirements around special category personal data, and how organisations can ensure they are not processing it unknowingly or unnecessarily.  Martin leverages his 20+ years of experience in information management and data protection compliance to discuss:  

• What the GDPR defines as ‘special category data’ and the extra protections it affords to this type of personal data
• The Information Commissioner’s Office’s (ICO’s) guidance on inferring special category data
• Real-world Court of Justice of the European Union (CJEU) judgements that relate to the inferring or inadvertent collection of special category data, and what can be learned from these judgements
• How you may be processing special category data unknowingly, and the steps you can take to avoid noncompliance.

‍

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Data Protection Consultant at URM, explains the importance of data protection for building and maintaining customer trust, and offers key advice on how to ensure that your data processing practices will help facilitate strong relationships with your customer base.  Martin leverages his 20+ years of experience in information management and data protection compliance to discuss:  

• Why customers are now more likely to care about how businesses take care of their data
• How to embed transparency and privacy into your organisation’s processing
• The importance of making customers feel that they have some control over how their personal data is processed
• The types of personal data customers value the most and the least, and the usages of their personal data (e.g., data resale, targeted marketing, etc.) that they do and do not trust.

‍

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Consultant at URM, provides a break down and analysis of how the Information Commissioner’s Office (ICO’s) has enforced UK data protection (DP) regulations in 2024, and how this compares to the action taken by the regulator in previous years.  Stuart leverages his 25+ years of specialisation in data protection law to discuss:  

• The types of enforcement action available to the ICO (i.e., reprimands, enforcement notices and fines) and how they differ
• How the regulator has enforced the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulation (PECR) in 2024, in terms of:
  • Its approach to fining public vs. private sector organisations, with examples of notable public sector fines imposed this year
  • The differences in its approach to enforcing the GDPR vs. the PECR
  • How the regulator’s enforcement activities compare to the action taken in 2023
• The sums of money involved in ICO fines, i.e., the average figure imposed by the ICO in 2024 and how much the ICO brought in for the Treasury this year
• How the ICO’s approach to enforcing DP law compares to other, European DP regulators
• Emerging trends and upcoming changes, such as the ICO’s crackdown on cookies compliance.

‍

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, a Senior GRC Consultant at URM, breaks down the Social Tenant Access to Information Requirements (STAIRs), an upcoming standard with which private registered providers (PRPs) of social housing (such as housing associations) will need to comply.  Stuart leverages his 25+ years of specialisation in data protection law to discuss:

• What STAIRs is and the issues it has been designed to address
• The rights that STAIRs will provide to tenants living in private sector-run social housing, and the types of information requests it is likely to be used for
• How STAIRs compares to the Freedom of Information Act (FOIA) and to the General Data Protection Regulation’s (GDPR’s) provisions on data subject access requests (DSARs)
• What comes next for STAIRs.

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Data Protection Consultant at URM, breaks down a recent opinion issued by the EU Data Protection Board (EDPB) in response to questions from the Irish Data Protection Commission (DPC) on the compliant processing of personal data in the development and deployment stages of artificial intelligence (AI) models.  Stuart draws upon his 25+ years of experience in data protection to discuss:

• What the EDPB is and how the opinion it has recently issued came about
• The EDPB’s response to the DPC’s questions, i.e.,
  • How and when an AI model can be considered ‘anonymous’ (not containing any personal data)
  • Demonstrating the appropriateness of legitimate interests as a lawful basis for processing personal data in AI models
  • The impact of unlawful personal data processing in the development phase on the subsequent deployment or operation of an AI model
• The significance of the EDPB’s opinion for UK-based organisations in light of Brexit.  

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, a Senior GRC Consultant at URM, explains records of processing activities (ROPAs), a key document that almost every organisation must create and maintain in order to comply with the General Data Protection Regulation (GDPR).  Stuart leverages his 25+ years of specialisation in data protection law to discuss:

• What a ROPA is, which organisations need to have one
• The advantages of having a ROPA in place and how this can benefit your GDPR compliance efforts
• Who within an organisation needs to create the ROPA
• The challenges associated with producing a ROPA and how these can be overcome
• Whether you should first produce a data flow map before embarking on the ROPA
• The next steps after the ROPA has been built.

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Data Protection Consultant at URM, explores the challenges of maintaining data protection compliance whilst conducting workplace monitoring, particularly in light of the workforce’s ever-increasing mobility, and how these challenges can be overcome.  Martin leverages his 20+ years of experience in information management and data protection compliance to discuss:

• The definition of workplace monitoring and recent advances in monitoring technology
• How to establish whether workplace monitoring complies with data protection legislation, such as the General Data Protection Regulation (GDPR)
• The need to demonstrate fairness and transparency
• Objections employees are entitled to make under the GDPR
• Whether covert monitoring and automated decision making can be compliant
• Balancing compliance and ethics when carrying out workplace monitoring.

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Data Protection Consultant at URM, explores some of the considerations and challenges of maintaining compliance with data protection legislation, such as the General Data Protection Regulation (GDPR), when developing and deploying artificial intelligence (AI) technology.  Martin leverages his 20+ years of experience in information management and data protection compliance to discuss:  

• The definition of AI  
• How the UK legislative framework around AI is evolving
• The challenges associated with maintaining data protection compliance whilst developing and using AI, particularly in light of the GDPR’s 7 core principles
• What you can do to overcome these challenges and achieve data protection compliance in AI systems.

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, Senior Data Protection Consultant at URM, provides some hints and tips on how to achieve and maintain compliance with the General Data Protection Regulation (GDPR), with a particular focus on the key documentation organisations need to have in place to comply.  Stuart leverages over 25 years of experience to discuss:

• The importance of maintaining documented evidence of your GDPR compliance under the ‘accountability’ principle
• Some of the key compliance documentation you need to produce, including records of processing activities (RoPAs) data protection impact assessments (DPIAs), privacy notices and personal data retention policies  
• What information you will need to include in these documents  
• When these documents are mandatory and whether any organisations are exempt from producing them.

In this episode of InfoSec Insider – Talk DP, Martin Brazier, Senior Consultant at URM, explores the key challenges of and considerations for maintaining data protection compliance when using facial recognition technology (FRT).  Martin leverages his 20+ years of specialism in information management and data protection to discuss:  

• The different types of FRT and what they are used for
• Real-world examples of FRT deployments by organisations and of an organisation facing enforcement action for noncompliant FRT deployment  
• The challenges associated with using facial recognition technology for organisations that need to comply with the General Data Protection Regulation (GDPR)
• How you can ensure that your use of FRT is GDPR compliant.

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, a Senior GRC Consultant at URM, provides a break down and analysis of the enforcement actions delivered since the beginning of 2023 by the Information Commissioner’s Office (ICO), the UK’s privacy regulator, to highlight emerging trends and lessons that can be learned from how the ICO enforces data protection legislation such as the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).  Stuart leverages his 25+ years of specialisation in data protection law to discuss:

• The differences between the enforcement actions that are available to the ICO, i.e., Enforcement Notices, Reprimands, and Monetary Penalties
• The ICO’s enforcement activities in 2023 – the amount of fines compared to reprimands, and the sums of money involved
• The ICO’s enforcement activities in the first half of 2024 and how they compare to the same period in 2023
• Trends that can be observed in the ICO’s enforcement activities and the ICO’s approach to issuing fines vs. reprimands  
• How the ICO’s use of monetary penalties compares to its European counterparts.

‍

In this episode of InfoSec Insider – Talk DP, Rachael Salter, Senior Data Protection Consultant at URM, discusses organisations’ obligations under the General Data Protection Regulation (GDPR) when fulfilling data subject access requests (DSARs) and the challenges associated with processing these requests.  Rachael leverages her 10+ years of experience working in data protection compliance to provide advice and guidance on:  

• What a DSAR is and how to recognise one
• When organisations are required to redact information from the personal data provided to the data subject
• When organisations can refuse to process a DSAR and what ‘manifestly unfounded or excessive’ means in practice.

In this episode of InfoSec Insider – Talk DP, Stuart Skelly, a Senior GRC Consultant at URM, takes us ‘back to basics’ with the General Data Protection Regulation (GDPR), breaking down the key data protection concepts and terminology you will need to understand if you want to achieve and maintain compliance with the GDPR.