Thursday, December 20, 2018

By 2020, there will be 31 BILLION IoT (Internet of Things) connected devices in circulation, with 10,000 new devices coming online every 60 seconds. I re-purposed an image from last year's post to reflect a premonition of Christmas in 2020 where our next privacy and security problems will be caused by IoT devices.

Those of you who follow GDPRtoons may not know that I am now working for DataEM as their Managing Partner. DataEM is a CDP Consultancy that can help you manage the delicate balance between marketing and privacy. CDP = Customer Data Platform. Visit to learn more.

Sunday, May 27, 2018

GDPR Compliant? All You Need Is A Good Privacy Policy And Opt-in Emails, Right? NOT

In the days and weeks leading up to the effective date of GDPR, we all received a plethora of revised Privacy Policies, as well as a handful of requests to reconfirm our email opt-ins. Surprisingly, many people at sizeable U.S. organizations seem to think that these actions alone will make them GDPR compliant.

Has anyone else experienced this reaction?

Friday, May 25, 2018

There are many people with SKELETONS in their DATA Closets!

According to the definition of processing in Article 4 of the GDPR, 'processing' means "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".

To say it shortly: if you have the personal data, you process it according to the definition of processing.

What are the consequences of this definition?

It means that you have to comply with different aspects of the GDPR, such as security, the notice provided to the data subject, and having a legal basis for the processing.

If you plan to use an external supplier to process the personal data, you have to sign a Data Processing Agreement according to Article 28 of the GDPR.

Contributed by my dear friend Piotr Siemieniak based upon typical 'real life' responses in training sessions. See

Monday, April 2, 2018

GDPR Is Still ALIEN To Many, With Fines That Are Out Of This World

On May 25, 2018, the General Data Protection Regulation (GDPR) will become a global law.

The regulation applies to the collection, processing and movement of personal data of individuals residing in 32 European States (28 EU States plus 4 other European States). If your company has prospects or customers in these States, you most likely have exposure and are mandated to comply, or risk severe penalties and fines.

GDPR Citation (2) states the following:

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. 

Why has this become an issue?

GDPR Citation (6): Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

GDPR Citation (7): Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.