Thursday, December 20, 2018

By 2020, there will be 31 BILLION IoT (Internet of Things) connected devices in circulation, with 10,000 new devices coming online every 60 seconds. I re-purposed an image from last year's post to reflect a premonition of Christmas in 2020 where our next privacy and security problems will be caused by IoT devices.

For those of you who follow GDPRtoons may not know that I am now working for DataEM as their Managing Partner. DataEM is a CDP Consultancy that can help you manage the delicate balance between marketing and privacy. CDP = Customer Data Platform. Visit to learn more.

Sunday, May 27, 2018

GDPR Complaint? All You Need Is A Good Privacy Policy And Opt-in Emails, Right? NOT

In the days, weeks, leading up to the effective date of GDPR, we all received a plethora of revised Privacy Policies, as well as a handful of reconfirmation of email opt-ins. Surprisingly,  many people in significant size U.S. organizations seem to think that these actions alone will make them GDPR compliant.

Has anyone else experienced this reaction?

Friday, May 25, 2018

There are many people with SKELETONS in their DATA Closets!

Accordingly to the definition of processing in article 4 of GDPR ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

To say it shortly - if you have the personal data - you process it accordingly to the definition of processing.

What are the consequences of this definition?

It means that you have to comply with different aspects of GDPR like security, notice provided to the data subject and having a legal basis for the processing. 

If you plan to use external supplier to process the personal data you have to sign a Data Processing Agreement accordingly to the article 28 of GDPR.

Contributed by my dear friend Piotr Siemieniak based upon typical 'real life' responses in training sessions. See

Monday, April 2, 2018

GDPR Is Still ALIEN To Many, With Fines That Are Out Of This World

On May 25, 2018, the General Data Protection Regulation (GDPR) will become a global law.

The regulation applies to the collection, processing and movement of personal data for individuals residing in 32 European States. (28 EU States + 4 other European States). If your company has prospects or customers in these States, you most likely have exposure and are mandated to comply, or risk severe penalties and fines.

GDPR Citation (2) states the following;

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. 

Why has this become an issue?

GDPR Citation (6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data. 

GDPR Citation (7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced. .

Tuesday, November 28, 2017

GDPR Addresses Joint Controllers With Joint Responsibility

The GDPR specifically addresses when more than one controller is involved with the processing of an individual's personal data. In addition to the overlap of data processing responsibilities, liabilities are also shared, including the data subject's rights to compensation. GDPR Article 26 (Joint Controllers) and GDPR Article 82 (Right to compensation and liability) are included below for reference.

Article 26 - Joint Controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. 

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject. 

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers. 

(Inspired by Surkan Krut, privacy lawyer, CIPP/E, CIPM, freelance consultant specializing in Joint Control.)

Tuesday, November 21, 2017

GDPR Balancing Act Of Principles For Collecting Personal Data

As illustrated above, a Controller has the responsibility of balancing six basic principles involving the collection of personal data, as well as being able to demonstrate compliance. 

The basic priciples of GDPR state that the collection of personal data shall be done lawfully, fairly and in a transparent, for specified, explicit and legitimate purposes, adequate, relevant and limited, accurate, 'storage limitation', In a manner that ensures appropriate security of the personal data. The GDPR also states that the controller should be able to demonstrate compliance.

GDPR, Article 5 Paragraph (1), Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). 

GDPR, Article 5, Paragraph (2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

This 'toon was inspired and contributed by Helen Haddon and Lucy Kendall of