krisbolton | 1 year ago

Personally I do wish they would intervene more, but if you consider how broad GDPR/DPA18 is I honestly don't think they can enforce it in the way a normal person would expect. Either it's a legislative issue (i.e., legislate better) or we accept these attempts at "balance". It's usually not the institution's weakness; it's the legislation or the framework in which they exist.

Consider one example - you "process" (collecting, using, storing, viewing - literally anything) personal data in an electronic system without the latest security patch. Are you breaking GDPR/DPA18? Easily done, especially for sensitive data. "...taking into account the state of the art, the costs of implementation, ... the risk of varying likelihood and severity for the rights ... of natural persons ... the processor shall implement appropriate technical ... measures to ensure a level of security appropriate to the risk" (DPA18 Art 32).

I imagine a large number of companies flout the above without realising. Especially when processing any information regarding health, criminal offence data, race, religion, philosophical beliefs etc., which is "special category data" and requires strong protections.

DPA18 Article 32 "Security of processing" - https://www.legislation.gov.uk/eur/2016/679/article/32


arkh | 1 year ago

> I imagine a large number of companies flout the above without realising.

Most companies flout the 101 of GDPR.

Do you have a registry of the personal data processes you do? Are you able to hand it in less than 48h after receiving a request for them?

Do you do risk assessments when thinking about implementing a new data process?

And it's not only about electronic data. Paper files are covered too.

Yes it can feel like a lot but if you're handling people's personal data you should not be playing around. And if it's too hard, maybe "just" don't process personal data at all. Before GDPR we were already at a point where people just siphoned and stored people's data "in case it is useful later". Now some legislation is in place to make you think about why and how you get and store this kind of data, putting a price on doing it. It's a plus for the public.

Too bad if it does not help sell ads, scams or just abuse people.