Director's Statement - Vendor Risk Management service
Posted Tue 3rd May 2022
A statement on our new Vendor Risk Management service from Tacita's director of sales
Introducing: Tacita's new Vendor Risk Management Service
Posted Tue 3rd May 2022
Tacita is proud to unveil our latest service: our Vendor Risk Management (VRM) GDPR Assessment!
Risky Business: Why your Third Parties may be a major GDPR risk
Posted Mon 11th Apr 2022
Did you know that your Third Parties often pose a major GDPR risk to your business? Here's why...
Third Time’s the Charm? Why Privacy Professionals are sceptical of ‘Privacy Shield 2.0’
Posted Fri 1st Apr 2022
On March 25th 2022, amidst wider discussions on US-EU cooperation, EU Commission President Ursula von der Leyen and US President Joe Biden announced an ‘agreement in principle’ on a new EU-US data sharing system termed the Trans-Atlantic Data Privacy Framework. Yet rather than relief, the announcement has been met with pronounced scepticism by privacy professionals in Europe. The emerging discourse is a product of a difficult relationship between its political ideals and practical realities.
Tacita Tips: Tired of spam emails? Use this 'plus addressing' trick to find their source
Posted Wed 30th Mar 2022
In this edition of Tacita tips we will be looking at dynamic instant aliases, or 'plus addressing'. This simple tip can help you better manage spam emails and identify where they have originated from.
Everything you need to know about: GDPR and Children's data
Posted Fri 4th Mar 2022
In this edition of ‘Everything you need to know about’ we will be looking at children's data: What is it? How is it separate from standard personal data? And how can you manage it in a secure and legal manner?
Virtual Insanity? The Metaverse, Personal Data, and Problematic Progress
Posted Thu 24th Feb 2022
In October 2021, amid much fanfare, Facebook (now Meta) hailed its ‘Metaverse’ as the future of social and working interactions. Four months on from its announcement, Zuckerberg and Meta are finding that the future may be more resistant to their shaping than they imagined.
Coming soon: New UK SCC's presented to Parliament
Posted Thu 17th Feb 2022
This month (February 2022) the Department for Culture, Media and Sport (DCMS) laid before Parliament the new International Data Transfer Agreement (IDTA). This document, as well as its associated transfer addendum and a further document setting out transitional provisions, follows a consultation undertaken by the Information Commissioner’s Office (ICO) in 2021.
Everything you need to know about: Special Category data
Posted Mon 31st Jan 2022
In this edition of 'Everything you need to know about' we'll be covering special category data: What is it? What separates it from standard personal data? And how can I process it safely and legally?
Schrems II in action: the DSB issues its first ruling
Posted Sun 16th Jan 2022
The Austrian Data Protection Authority (DSB) has issued its first ruling on a Schrems II model case. In it, the DSB ruled that the Standard Contractual Clauses (SCCs) and Technical Organizational Measures (TOMs) implemented as part of Google Analytics are not sufficient to protect its EU-US data transfers.
Now Streaming: Twitch's Data
Posted Fri 5th Nov 2021
Last month, Amazon’s Twitch streaming service confirmed that it had been the victim of a significant data breach. Around 125GB of data (including the source code for the mobile, desktop, and video game console versions, as well as the earnings of Twitch’s content creators) has been released by the hackers to the anonymous messaging-board website 4Chan.
A Bite to match its Bark? – What Amazon’s fine means for its Data Subjects
Posted Mon 4th Oct 2021
In a landmark case, Amazon has been fined $886m by Luxembourg’s National Commission for Data Protection (CNPD) for serious breaches of the General Data Protection Regulation (GDPR). Whilst the scale of the fine suggests that the GDPR is finally matching the promises of its inception, the circumstance of its reporting still leaves the consumer facing an uphill battle to hold illegal privacy practices to account.
‘Own it all’ - Antitrust, Big Tech, and the battle for ‘Consumer Welfare’
Posted Thu 1st Jul 2021
Regulatory watchdogs, the Federal Trade Commission (FTC), and various antitrust lawsuits are beginning to find that Silicon Valley won't give up its monopolies easily. At the heart of this stands the very consumers both parties claim to protect.
‘From the lab to the Market’ - Will the EU’s proposed AI regulation set a new ‘global standard’?
Posted Fri 14th May 2021
The EU Commission has recently announced a new regulation which aims to govern the development and use of artificial intelligence (AI). The regulation shares many similarities with the General Data Protection Regulation (GDPR). Will this new AI regulation become the global standard, much like the GDPR is the global standard for data privacy?
Rage against the Machine – How Apple’s iOS14.5 might redefine the Data Privacy landscape
Posted Thu 15th Apr 2021
Apple is preparing to finally launch its radical iOS 14.5 update. Despite Facebook’s aggressive advertising campaign against it, the update will fundamentally change the way in which Apple customers interact with their personal data, providing the user with granular control over any application's use of their IDFA (Identifier for Advertisers).
Draft UK Adequacy Decision Published
Posted Mon 1st Mar 2021
The EU has recently published a draft UK adequacy decision. This is the first step in the UK achieving adequacy status in the eyes of the EU-GDPR. This is positive news for UK and EU businesses, but the decision must still be approved by the European Data Protection Board.
What Happens to the GDPR Post-Brexit?
Posted Fri 15th Jan 2021
As of January 2021, the Brexit transition period has ended. As an EU law, many companies may be wondering if the GDPR is still applicable in the UK. This article explores what is happening with UK data privacy laws post-Brexit.
Marriott Hotel: Data Breach
Posted Tue 17th Nov 2020
Marriott International has been fined a total of £18.4 million (a reduction from the original £99 million) for its negligence in safeguarding customer personal data that it is responsible for. This breach is interesting, as it initially occurred in 2014 (before the GDPR came into effect) and under a different business group, 'Starwood Hotels Group', which was acquired by Marriott after the breach occurred.
Now Departing: £20m from British Airways
Posted Tue 27th Oct 2020
The airline British Airways has been fined the “biggest to date” sum of £20 million by the Information Commissioner’s Office (ICO) for failing to protect the personal data of data subjects, which resulted in a security breach.
Court Decision on European Mass Surveillance and the Consequences for Brexit
Posted Mon 19th Oct 2020
As members of the European Union, member states are obliged to abide by some of the strictest privacy laws in the world. Today, UK, French and Belgian national governments all use some form of mass surveillance. In recent years, privacy groups have taken claims to EU courts arguing that this surveillance is illegal. The national governments disagree. The CJEU refuted the claims that mass surveillance is outside their jurisdiction and issued a ruling on the 6th October 2020.
Data Protection Guidance for Test and Trace Schemes
Posted Thu 8th Oct 2020
Since the easing of lockdown, many organisations have implemented new measures so that they can re-open safely to the public. For most businesses, this included collecting customers’ and visitors’ personal information to support the UK Government’s approved contact tracing scheme. There have been criticisms of the government's advice because no Data Protection Impact Assessment was performed.
India’s First Major Personal Data Protection Bill.
Posted Mon 14th Sep 2020
India is drafting its first bill that aims to protect the personal data of its citizens. This article goes over the key differences between the GDPR and the new Indian Personal Data Protection Bill (PDPB) and discusses some controversies surrounding it.
A Timeline of US Mass Surveillance, International Privacy Agreements, and a Disgruntled Austrian
Posted Mon 27th Jul 2020
On the 16th July 2020, the CJEU came to a decision on the Schrems II case. The decision invalidated a major EU-US privacy agreement that previously allowed personal data to freely flow between the EU and the US. This court case is the latest chapter in an ongoing saga of privacy activists, commercial selling of ‘big data’ and revelations made by whistleblower Edward Snowden. This article gives a brief timeline of the events leading up to this case.
Is your use of website cookies currently lawful?
Posted Mon 29th Jun 2020
Covid-19 Contact Tracing Apps, a Centralised vs. Decentralised Approach
Posted Mon 8th Jun 2020
Contact tracing is currently successfully employed in the UK to prevent the spread of sexually transmitted diseases. It is hoped that the development of an NHS app can prevent the spread of Covid-19. Unfortunately, there have been significant concerns over user privacy. There has been debate and even controversy on the centralised vs. decentralised approach.
GDPR individual rights – Is the cost to business just about to explode?
Posted Tue 2nd Jun 2020
The UK government’s job retention scheme has protected 7.5 million workers and almost 1 million businesses. From the start of August 2020, employers will be asked to pay a percentage towards the salaries of their furloughed staff. Will businesses be able to re-employ all their furloughed workers or will we see a significant number of them being made redundant?
Privacy Notices: Upstream and Downstream Processes
Posted Fri 29th May 2020
GDPR demands that, before personal data is requested from a data subject, a Privacy Notice must be presented to the data subject or consent gained, depending on the situation. We recommend that each Business Process Owner should consider whether their process needs to present a Privacy Notice or not.
Accountabilities & Responsibilities
Posted Thu 21st May 2020
All organisations have a duty, via their DPO or Privacy Manager, to ensure that all folk within their organisation are aware of their accountabilities and responsibilities.
Have I been Pwnd? A Database of Data Breaches
Posted Tue 5th May 2020
The GDPR was introduced to provide EU citizens with greater protections and control over their personal data. It achieved this by introducing new rights for individuals and by imposing stricter data protection requirements on organisations. But what happens if your personal data was part of a data breach before the GDPR was introduced?
Data Sharing Agreements: What is the Best Practice?
Posted Wed 11th Mar 2020
The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place...’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.
Are Privacy Notices Just about GDPR?
Posted Tue 18th Feb 2020
Posted Wed 12th Feb 2020
Why do we need an external assessment if we do our own internal audits? It's a common question. Audits are understandably seen as expensive, time-consuming and invasive. GDPR is a legal requirement that must be fulfilled, and it does have indirect benefits. Clearly, though, time spent on GDPR is not time spent on other activities that add business value. So the focus on external assessment or audit is put to one side.