GDPR

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers. The international data transfer agreement...

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation...

In this blog, we are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions. What is a TRA? Who does it...

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement on the adequacy of both the Privacy Shield and standard contract clauses (SCCs). The EU-US Privacy Shield was...

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent. Fortunately, guidance exists in the form of ISO/IEC 27701:2019...

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both rquire organisations to protect and ensure the privacy of any personal data which they process...

This blog takes a look at data protection officers (DPOs) and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations, namely, how do you ensure your supply chain complies with the Regulation when processing

This blog looks at the requirement within both the DPA 2018 and the GDPR to verify the identity of an individual making a request before acting or releasing information. Our clients are regularly...

A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to..

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard...

There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term! So, let’s see if we can clarify the situation

The easy way (if it was available!) would be to certify to an approved UK GDPR certification scheme. The Data Protection Act 2018 gave the UK’s privacy regulator, the Information Commissioner’s...

We have seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits. In the past, assessments typically focused on..

Broadly speaking, information security is held up by three pillars – People, Process and Technology. As threats to our information security (and particularly cyber-related threats) continue to emerge

BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). It provides a framework for maintaining

“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”. So, with all of these compelling reasons, why can it still be challenging to gain traction on