https://www.prodataprotection.co.uk/training/video/introduction-data-protection https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/762.mp4 Course introduction Welcome to the Data Protection Online Course Your Data Protection Responsibilities Discover the essentials of data protection in this comprehensive online course provided by ProTrainings. Course Overview Explore key aspects of data protection and learn how to effectively comply with your data handling responsibilities. Course Structure This course offers flexibility and accessibility: Video-Based Learning: Watch a series of informative videos. Knowledge Review: Test your understanding with knowledge review questions. Completion Test: Assess your knowledge with a final completion test. Flexible Progress: Start and stop the course at your convenience, picking up right where you left off. Multi-Device Compatibility: Access the course on any device, from computer to smartphone or tablet. Video Pinning: Pin the video to the top of your screen for easy simultaneous viewing of text content. Subtitles: Enable subtitles by clicking the CC icon for text support while watching videos. Additional Help: Receive guidance if you encounter questions you answer incorrectly. Completion Certificate: Obtain a completion certificate and access downloads upon passing the test. Resource Hub: Explore a wealth of resources and links on the course homepage to support your training. Ongoing Support ProTrainings is dedicated to your success: Course Updates: Check regularly for new course materials and updates. Extended Access: Enjoy access to the course for eight months, even after test completion. Company Solutions: Contact us for information on free company dashboards and workplace staff training solutions. Weekly Updates: Receive Monday morning emails to keep your skills sharp, discover new videos, and stay informed about blog news. Get Started We hope you find this course valuable. Thank you for choosing ProTrainings, and we wish you the best of luck in your training journey. https://d3imrogdy81qei.cloudfront.net/video_images/2005/Course_introduction-01.jpg Yes 142 https://www.prodataprotection.co.uk/training/video/information-commissioners-office https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1079.mp4 The Information Commissioner's Office Exploring the Information Commissioner's Office (ICO) and GDPR The ICO: Upholding Information Rights Discover the pivotal role of the Information Commissioner's Office (ICO), also known as the ICO, as the UK's independent authority. Mission and Mandate The ICO's primary objectives: Information Rights: Uphold information rights in the public interest. Promoting Openness: Promote transparency among public bodies. Data Privacy: Safeguard individuals' data privacy. ICO's Regulatory Authority Enforcement and Oversight The ICO enforces and oversees key legislations: Data Protection Acts: Encompassing the 1998 and 2018 versions. General Data Protection Regulations (GDPR): Implementation and enforcement. Freedom of Information Act 2000: Ensuring compliance. Investigation and Fines The ICO possesses the authority to: Investigate Data Controllers: Examine data handling practices. Report Breaches: Address and report data breaches. Levy Fines: Impose fines on non-compliant organizations. Guidance and Support The ICO offers valuable guidance and support: Advice: Providing advice on data protection and privacy. Website Resources: Information for individuals and organizations. Case Insights: Details on past actions and resolutions. Gearing Up for GDPR Compliance Understanding Data Controllers Under GDPR, businesses and individuals who handle personal data as Data Controllers: Annual Fees: Data Controllers must pay a fee to the ICO. Fees Structure: Fees vary based on staff count and turnover. Fee Tiers Fee structure under GDPR: Micro Organizations: Starting from £40 per year. Small and Medium-sized Businesses: £60 per year. Others: £2,900 per year. Exemptions and Consultation Exemptions are limited, and consultation with the ICO is advisable: Personal or Household Activity: GDPR exemptions for individuals. Specific Organizational Exemptions: Verify eligibility with the ICO directly. Help Resources: ICO's website and small business helpline. https://d3imrogdy81qei.cloudfront.net/video_images/1995/The_Information_Commissioner's_Office-01.jpg Yes 151 https://www.prodataprotection.co.uk/training/video/public-authoritys-and-freedom-of-information https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1091.mp4 Public authorities and Freedom Of Information Understanding the Freedom of Information Act: Obligations and Guidelines Introduction The Freedom of Information Act mandates every public authority to develop a publication scheme approved by the Information Commissioner's Office (ICO) and to disclose information covered by the scheme. This scheme outlines the authority's commitments to routinely provide specific categories of information, including policies, minutes of meetings, annual reports, and financial data. Publication Scheme The publication scheme represents the minimum amount of information that must be disclosed by public authorities. If a member of the public requests information not listed in the scheme, they have the right to ask for it. Most public authorities make their publication scheme available on their websites under the freedom of information. Codes of Practice There are two codes of practice associated with the Freedom of Information Act: Section 45 Code of Practice: Provides recommendations for public authorities on handling requests, offering advice and assistance, implementing complaints procedures, and managing relationships with other public bodies or third parties. Section 46 Code of Practice: Covers good record management practices, emphasizing the obligation of public authorities to maintain organized records in compliance with the Public Records Act. While these codes are not legally binding, failure to adhere to them may result in breaches of the act. Public authorities must ensure that their staff, contractors, and customers understand how the act affects them. Compliance with Other Laws The Freedom of Information Act may intersect with other legislation, such as the Data Protection Act and laws like the Disability Discrimination Act 1995 and the Welsh Language Act 1999. When handling requests for information containing personal data, the balance between transparency under the Freedom of Information Act and privacy rights under the Data Protection Act must be carefully considered. Additional Guidance Detailed guidance on compliance with the Freedom of Information Act and related laws can be found on the Information Commissioner's Office website, providing comprehensive support for public authorities. https://d3imrogdy81qei.cloudfront.net/video_images/1991/Public_authorities_and_Freedom_Of_Information-01.jpg Yes 152 https://www.prodataprotection.co.uk/training/video/credit-card-data https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1923.mp4 Data Protection and Credit Card Details Secure Handling of Credit and Debit Card Payments: A Guide Handling credit and debit card payments is a critical task that demands a keen understanding of your company's policies and procedures related to card data security. Adhering to card scheme rules and ensuring the secure storage and processing of card data is paramount. Furthermore, any information obtained from the cardholder should strictly be used for the related transaction only. Why Writing Credit Card Information on Paper is a No-go Recording credit card information in diaries, notepads, or loose pieces of paper for later processing poses significant security risks. This is not considered secure data handling and should be avoided at all costs. Key Requirements for Secure Credit Card Payment Handling Install and maintain firewalls: Firewalls are essential for protecting customers' data. Use robust passwords: Avoid using vendor-supplied defaults for system passwords. Regularly changing passwords enhances security. Protect stored cardholder data: Implement measures to ensure the secure storage of cardholder data. Update antivirus software regularly: Keeping your antivirus software and other programs up-to-date is critical for data security. Regularly maintain systems and applications: This can help protect against potential security breaches. Restrict access: Limit access to customers' card data strictly on a need-to-know basis. Every user should have a unique ID, and access to network resources and credit card data should be meticulously tracked. Regularly check security systems and processes: Regular checks can help identify and rectify potential weaknesses in your security setup. Consequences of Inadequate Card Data Security Leaving customer card data vulnerable to fraudulent access or misuse can lead to serious consequences. These include business losses, bad publicity, decreased sales, card scheme fines, and most significantly, loss of customer trust and reputational damage. The expenses for corrective measures, potentially including forensic investigation costs, can run into tens of thousands of pounds. Responsibilities as a Data Handler When customers use their credit or debit cards for transactions, they trust that the organisation will securely process the payment and protect their data. As a data handler, you have a responsibility to ensure maximum security for the customer's data that you process. This commitment to security helps build customer trust and protects your business's reputation. https://d3imrogdy81qei.cloudfront.net/video_images/3499/Data_protection_and_credit_card_details-01.jpg Yes 131 https://www.prodataprotection.co.uk/training/video/data-protection-course-overview https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1971.mp4 Course overview Course Overview: Introduction to Data Protection Course Structure Categories and Videos: The course is organized into categories, each containing multiple videos. You can pause and review any video at your convenience. Regular Updates: Our courses are regularly updated with new content and replacements, ensuring you stay current with the latest information. Support: Contact us via phone, email, or online chat if you have any questions during the course. Course Content In the first section, we will cover: Introduction to Data Protection: Basic concepts and principles Information Commissioner's Office (ICO): Overview of the regulatory body Freedom of Information Act: Understanding access to information laws We will then explore: Data Protection Regulations and Acts: Overview of relevant laws Myths and Realities: Common misconceptions about data protection Credit Card Payments: Security measures and best practices Data Protection Principles: Fundamental guidelines for handling data Finally, we will discuss: Subject Access Request (SAR): Understanding and responding to SARs https://d3imrogdy81qei.cloudfront.net/video_images/3949/Course_overview-01.jpg Yes 69 https://www.prodataprotection.co.uk/training/video/the-rights-in-relation-to-automated-decision-making https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3827.mp4 The rights in relation to automated decision making Understanding GDPR Provisions on Automated Decision-Making Overview GDPR regulates automated decision-making and profiling, ensuring transparency and fairness in data processing. Automated Decision-Making Automated decision-making involves: Definition: Decisions made solely by automated means without human intervention. Examples: Online loan approvals, recruitment aptitude tests. GDPR Compliance Automated decision-making is allowed only under specific circumstances: Necessity: For contract entry, explicit consent, or legal authorization. Responsibilities Organizations conducting automated decision-making must: Transparency: Inform individuals about the processing and their rights. Human Intervention: Allow individuals to request human intervention or challenge decisions. Regular Checks: Ensure system accuracy and functionality through regular assessments. Data Protection Impact Assessment (DPIA) Due to the high risk, organizations must conduct a DPIA: Risk Assessment: Identify and address risks associated with automated decision-making. Privacy Statement All relevant information should be included in the privacy policy: Inclusion: Specify details of processing and lawful basis in the privacy statement. Compliance: Ensure alignment with GDPR privacy principles. https://d3imrogdy81qei.cloudfront.net/video_images/6879/Automated_decision_making-01.jpg Yes 113 https://www.prodataprotection.co.uk/training/video/cybercrime https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2591.mp4 Cybercrime Cybercrime Awareness: Protect Yourself Online The Threat of Cybercrime Understanding the Risk: Explore how cybercriminals target individuals and organisations online. Wide Range of Targets Diverse Victims: Cybercrime poses a threat to both businesses and private individuals, leading to potential reputation damage, financial loss, or data extortion. Varying Levels of Expertise Criminal Proficiency: Cybercriminals range from those with basic technical skills to highly sophisticated operators. Rise of Online Tools Technological Evolution: Accessible tools in online criminal marketplaces facilitate the growth and evolution of cybercrime. Impact in the UK National Statistics: Over one million cybercrime cases were reported to Action Fraud in the UK last year. Types of Cyber Attacks Recognizing Threats: Learn about common cyber threats such as phishing, ransomware, malware, and their potential consequences. Increasing Ransomware Attacks Ransomware Threat: Data is seized and held for ransom, with criminals often threatening to publish sensitive information or block access to vital data. Protective Measures Preventing Victimisation: Discover strategies to mitigate the risk of falling victim to cybercrime. https://d3imrogdy81qei.cloudfront.net/video_images/4913/Cybercrime-01.jpg Yes 77 https://www.prodataprotection.co.uk/training/video/phishing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2592.mp4 Phishing and Malware Protect Yourself from Phishing and Malware Attacks Understanding Phishing Email Deception: Phishing schemes utilize deceptive emails, often appearing genuine, to trick recipients into opening attachments or clicking on links. Phishing Attachments Disguised Content: Phishing emails may contain attachments disguised as invoices or delivery notices, often created with Microsoft Word or Excel, containing malicious "Macros" that download malware upon execution. Link-Based Phishing Exploitative Links: Clicking on links in phishing emails can lead to seemingly legitimate websites exploiting computer vulnerabilities or tricking users into disclosing personal information. Targeted Attacks Sophisticated Strategies: Some attackers conduct directed attacks, researching recipients' information to tailor phishing attempts, while others cast a wide net to ensnare as many victims as possible. Recognizing and Preventing Malware Understanding Malicious Software: Malware can damage data, steal information, and hijack internet activity, remaining undetected for extended periods. Signs of Malware Presence Hidden Threats: Malware can operate covertly, compromising data, spying on activities, and intercepting internet banking sessions, posing significant risks to individuals and businesses alike. Risks to Businesses Theft or Encryption of Sensitive Data Hardware Damage Internet Banking Fraud Financial Loss Protective Measures Implementing Security Measures: Employ robust antivirus software, keep systems updated, and educate staff on identifying and avoiding suspicious attachments and links. Use reputable antivirus software and keep it updated Avoid opening dubious attachments or links Avoid downloading software from unknown sources Restrict access to necessary internet sites Limit use of external devices in the business environment Control employee access to financial data Establish strong recovery and backup processes Train staff to recognize and avoid risky online behavior Implement password security measures https://d3imrogdy81qei.cloudfront.net/video_images/4917/Phishing_and_Malware-01.jpg Yes 235 https://www.prodataprotection.co.uk/training/video/text-and-phone-scams https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2595.mp4 Text and phone scams Protecting Against Vishing and Smishing Scams The Rise of Vishing and Smishing New Threats: Criminals are increasingly using texts and phone calls to perpetrate theft and fraud, exploiting vulnerabilities in communication channels. Understanding Vishing and Smishing Vishing: Also known as Phone Call Phishing, vishing involves fraudulent calls aimed at inducing recipients to make payments or disclose financial details under false pretences. Smishing: Short for Text Phishing, smishing employs text messages to lure recipients into clicking malicious links, allowing Trojans to steal sensitive data, including passwords. The Modus Operandi Cost-Effective Tactics: Vishing and smishing require minimal technical expertise and are often conducted as high-volume campaigns using automated dialling systems and broadband connections. Fear Tactics: These scams typically exploit fear-based responses, such as alarming victims about bank fraud, then soliciting detailed card information in response. Rise of Smishing: Smishing is gaining traction due to the surge in text banking and the vulnerability of individuals unaccustomed to receiving spam texts, often urging urgent action to facilitate data theft. Protective Measures Increasing Awareness: Educate individuals about the potential risks associated with vishing and smishing, empowering them to recognise suspicious texts and calls. Exercise Caution: Never feel pressured to make hasty decisions in response to urgent requests, especially in unfamiliar or unexpected communications. Stay Vigilant: Refrain from clicking on links in texts from unknown sources, particularly if unsolicited or unexpected. https://d3imrogdy81qei.cloudfront.net/video_images/4919/Text_and_phone_scams-01.jpg Yes 88 https://www.prodataprotection.co.uk/training/video/business-email-compromise https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2594.mp4 Business Email Compromise Protecting Your Business from Email Compromise Fraud Understanding Business Email Compromise New Threat: Business Email Compromise (BEC), also known as CEO or Chairman Fraud, poses significant risks, particularly for small and medium-sized businesses. How BEC Works Fraudulent Scheme: Fraudsters target businesses by sending deceptive emails to the payment department, often impersonating contractors or suppliers and requesting payment redirection to new accounts. Impersonation Tactics: Fraudulent emails closely resemble legitimate addresses or are sent from compromised accounts, making detection challenging. CEO Impersonation: In some cases, scammers impersonate CEOs, instructing payment department staff to set up beneficiaries and authorize payments, leading to financial losses when the fraud is discovered. Preventing Business Email Compromise Key Strategies: Implement proactive measures to safeguard against BEC fraud and mitigate potential financial losses. Verify Changes: Never implement payment changes based solely on email instructions; always verify changes through a two-step verification process. Two-Step Verification: Establish a two-step payment verification process where changes to bank details are confirmed via telephone or formal letter. Verify Email Addresses: Always scrutinize email addresses and avoid making assumptions about sender authenticity. https://d3imrogdy81qei.cloudfront.net/video_images/4915/Business_Email_Compromise-01.jpg Yes 93 https://www.prodataprotection.co.uk/training/video/minimising-risks-and-holding-data-securely https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3584.mp4 Minimising risks and holding data securely Minimising Risks to Data: Best Practices Introduction Protecting data integrity is crucial for all organisations. Implementing best practices reduces the risk of data breaches and ensures compliance with regulations. Key Strategies 1. Clear Desk Policies Secure Storage: Personal data should be locked away securely when not in use. Restricted Access: Limit access to personal data to authorised employees only. 2. Computer Security Lock Workstations: Always lock your computer when leaving your workstation. Suspicious Emails: Report any suspicious emails to the IT department immediately. 3. Data Destruction Policy Compliance: Ensure data destruction follows company policies. 4. Device Security Safe Storage: Keep business devices secure and implement adequate security measures. Prevent Unauthorised Access: Never leave devices unattended. 5. Password Management Confidentiality: Avoid sharing passwords with colleagues. Security: Do not write down passwords where they can be easily accessed. 6. Email Considerations Forwarding Limitation: Limit the forwarding of emails, especially containing personal data. Data Verification: Ensure correct recipients are selected and sensitive data is not included in emails. 7. Policy Adherence Compliance: Always adhere to employer policies regarding data processing and email usage. Respect: Treat personal data with utmost respect and consider its protection as you would want for your own data. Data Destruction Policies All organisations must have robust policies for securely destroying data, whether through cross shredding or certified shredding services for obsolete documents. https://d3imrogdy81qei.cloudfront.net/video_images/6411/Minimising_risks_and_holding_data_securely-01.jpg Yes 122 https://www.prodataprotection.co.uk/training/video/data-transfers https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3583.mp4 Data Transfers Data Transfer Agreements: Controllers and Processors Ensuring Data Protection in Transfers Controllers must establish agreements with processors to safeguard data integrity and compliance. Importance of Agreements Contractual Obligations: Controllers transferring data to processors must ensure the existence of a comprehensive agreement. Adherence to Instructions Instruction Compliance: Processors are obligated to handle data in accordance with the controller's instructions. Standard Processor Agreements Some processors, such as email providers or customer relationship management systems, may offer standard agreements to their clients. Thorough Review Evaluation: Controllers should meticulously review any standard processor agreements provided to ensure alignment with their specific requirements. Custom Agreements for Specific Services For services like local bookkeeping or virtual assistance, custom processor agreements are necessary. https://d3imrogdy81qei.cloudfront.net/video_images/6415/Data_Transfers-01.jpg Yes 165 https://www.prodataprotection.co.uk/training/video/the-principles-and-lawful-basis-for-processing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3587.mp4 Lawful Basis for Processing Lawful Bases for Data Processing under GDPR Introduction Under the General Data Protection Regulations (GDPR), organisations must identify lawful bases for data processing. Importance of Lawful Bases Requirement: All organisations must identify lawful bases to process data. Consequence: Without a lawful basis, data cannot be processed lawfully. Inclusion: Lawful bases should be stated in the organisation's privacy policy. Six Lawful Bases Consent: Individuals have control over their data and can withdraw consent at any time. Contract: Data processing is limited to fulfilling contractual obligations. Legal Obligation: Data processing is necessary to comply with the law. Vital Interest: Processing is necessary to protect someone's life. Public Task: Processing is carried out in the public interest by public authorities. Legitimate Interest: Flexible basis but must balance interests and privacy risks. Elaboration on Lawful Bases Consent Allows individuals control over their data; can withdraw consent at any time. Contract Data processing is limited to fulfilling contractual obligations. Legal Obligation Necessary processing to comply with legal requirements. Vital Interest Processing necessary to protect lives, especially in health-related cases. Public Task Processing carried out by public authorities in the public interest. Legitimate Interest Flexible basis requiring balance between interests and privacy risks. Organisations must conduct legitimate interest assessments and document decisions. https://d3imrogdy81qei.cloudfront.net/video_images/6417/Lawful_Basis_for_Processing-01.jpg Yes 179 https://www.prodataprotection.co.uk/training/video/roles-within-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3581.mp4 Roles within GDPR Data Protection Officer, Controller, and Processor: Overview Data Protection Officer (DPO) Role: The Data Protection Officer oversees GDPR compliance. Requirement: Small organizations handling minimal data may not need to appoint a DPO. Appointment Criteria: A DPO is necessary if: You are a public authority. You conduct large-scale systematic monitoring of individuals. You process large-scale special categories of data. Responsibilities: Hold relevant qualifications and detailed GDPR knowledge. Report to top management and be fully involved in data protection matters. Cannot be penalized for carrying out their duties. Data Controller Definition: The entity determining the purposes and means of data processing. Examples: Individuals, organizations, companies, agencies, or public authorities. Data Processor Definition: The entity processing personal data on behalf of the controller. Examples: Individuals, organizations, companies, agencies, or public authorities. Role: Processes data without decision-making authority. Examples: Accountants handling payroll, online service providers like Salesforce. Distinguishing Factor: Processors do not control or make decisions about the data they process. Entities can fulfill both controller and processor roles, depending on the context. https://d3imrogdy81qei.cloudfront.net/video_images/6401/Roles_within_GDPR-01.jpg Yes 132 https://www.prodataprotection.co.uk/training/video/does-gdpr-apply-to-me https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3580.mp4 Does GDPR apply to me Understanding GDPR Rights for Employees and Individuals GDPR Rights for Employees Under GDPR, every individual, including employees, is covered by data protection regulations. As an employee, your employer holds your personal data, granting you the same rights as any other data subject. Employee Responsibility As an employee, you also bear responsibility to ensure that you do not contribute to any breach of personal data within your organisation. Data security measures will be discussed further in the course. GDPR Rights for Individuals GDPR provides individuals with enhanced rights, including: The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights in relation to automated decision making and profiling These rights empower individuals to: Be informed about the collection and usage of their data Request access to their personal data held by an organisation Providing Information Organisations must provide clear, concise information about data collection and usage, typically outlined in a privacy policy. This information should be easily accessible through various means, such as email attachments, printed notices, or website privacy policies. Individuals can request information from organisations regarding their personal data, granting them greater control over its processing. https://d3imrogdy81qei.cloudfront.net/video_images/6399/Does_GDPR_apply_to_me-01.jpg Yes 102 https://www.prodataprotection.co.uk/training/video/data-breaches https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3582.mp4 Data Breaches Data Breach Management: Procedures and Responsibilities Understanding Data Breaches It's crucial to comprehend what constitutes a data breach and how to handle it effectively. Definition of a Data Breach A data breach is defined as any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Employee Responsibilities Every employee plays a vital role in promptly addressing and reporting data breaches. Immediate Notification If you become aware of a breach or potential breach of data, notify the designated data protection personnel in your organisation without delay. This enables swift action to mitigate risks. Organisational Procedures Organisations must have robust procedures in place to manage and report data breaches effectively. Reporting to Regulatory Authorities Notification Timeframe: If a breach poses a risk to data subjects, notify the Information Commissioner's Office (ICO) within 72 hours. High-Risk Breaches: Individuals affected by high-risk breaches must also be notified within the same timeframe. Exemptions: Some exemptions apply, such as if the data is rendered unintelligible or if other measures negate the high risk. Required Information for Reporting Nature of the Breach: Describe the breach and the categories of data subjects and records affected. Consequences: Outline the likely consequences of the breach. Contact Information: Provide the name and contact details of the data protection officer or relevant person. Measures Taken: Detail the measures taken or proposed to address the breach and mitigate adverse effects. Internal Breach Register An internal breach register should be maintained to document all personal data breaches, including relevant details and actions taken. This documentation serves to demonstrate compliance to regulatory authorities. https://d3imrogdy81qei.cloudfront.net/video_images/6413/Data_Breaches-01.jpg Yes 160 https://www.prodataprotection.co.uk/training/video/the-right-of-access https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3821.mp4 The right of access - SAR Subject Access Requests: Understanding Your Rights Overview of Subject Access Requests (SAR) Individuals have the right to request confirmation of data processing and access to their personal data, known as a Subject Access Request (SAR). Accessibility of SARs Accessibility: SARs can be made verbally, in writing, or even via social media, without the need for formal terminology. Staff Awareness Training: It's crucial for all staff to recognize SARs and understand the appropriate response process. Organisational Policies Policy Implementation: Establish procedures to record and address SARs, including verbal or in-person requests. Scope of SARs Personal Data: SARs only entitle individuals to their own personal data, not information concerning others, unless authorized. Handling SARs Relating to Children Special considerations apply to SARs regarding data of minors. Child's Rights Child's Entitlement: SARs concerning a child's data should be addressed directly to the child if deemed mature enough to understand. Age and Maturity Assessment Assessment: In Scotland, individuals aged 12 or above are presumed mature enough to exercise their rights. Similar considerations may apply elsewhere. https://d3imrogdy81qei.cloudfront.net/video_images/6867/The_right_of_access_-_SAR-01.jpg Yes 147 https://www.prodataprotection.co.uk/training/video/privacy-principles-under-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3833.mp4 Privacy Principles under GDPR Understanding GDPR Principles for Data Processing Changes in Data Processing Principles under GDPR The General Data Protection Regulation (GDPR) has introduced changes to the principles governing data processing, notably expanding individuals' rights and introducing separate provisions for international transfers. Importance of GDPR Principles The GDPR principles serve as the cornerstone for compliance, and understanding and adhering to them are crucial to avoid potential substantial fines. Consideration of Data Subjects' Rights Before making any decisions regarding data processing, it's essential to refer to the GDPR principles and consider the perspective of the data subject. Documentation of Processing Activities Whether formal documentation of processing activities under GDPR is necessary depends on the size of the organisation and its processing activities. While many small businesses may not be obligated to do so, it's advisable to verify this information on the Information Commissioner's website. In our experience, creating a mapping document detailing the types of data processed, its source, purpose of processing, lawful basis, retention period, and sharing details has been instrumental in ensuring compliance and facilitating data review. Data Inventory Spreadsheet A downloadable spreadsheet to assist in creating a data inventory is available in our download area, alongside checklists and other valuable resources. https://d3imrogdy81qei.cloudfront.net/video_images/6895/Privacy_Principles_under_GDPR-01.jpg Yes 95 https://www.prodataprotection.co.uk/training/video/the-right-to-erasure https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3823.mp4 The right to erasure Understanding Right to Erasure Overview The right to erasure, also known as the "right to be forgotten," applies in specific circumstances. Conditions for Erasure Personal Data No Longer Necessary: Data can be erased if it's no longer needed for the purpose it was collected or processed. Withdrawal of Consent: Erasure is applicable if consent, the lawful basis for processing, is withdrawn by the individual. Objection to Legitimate Interests: If an individual objects to processing based on legitimate interests, erasure may apply unless there's an overriding legitimate interest. Other Circumstances: Erasure applies in cases of direct marketing, processing of data for children, unlawful processing, or compliance with legal obligations. Exceptions to Erasure The right to erasure does not apply if data processing is necessary for: Freedom of expression and information Legal obligations or public tasks Archiving or scientific research Establishment, exercise, or defence of legal claims For special category data, exceptions include processing for public health or preventive medicine. Request Process Submission: Requests for erasure can be made verbally or in writing to any part of the organisation. Response Time: Organisations have 28 days to respond to requests. Refusal of Request Organisations can refuse to comply with a request if it's deemed manifestly unfounded or excessive. In such cases: A "reasonable fee" can be requested to process the request. Organisations must justify their decision if refusing to deal with the request. https://d3imrogdy81qei.cloudfront.net/video_images/6871/The_right_to_erasure-01.jpg Yes 233 https://www.prodataprotection.co.uk/training/video/the-right-to-restrict-processing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3824.mp4 The right to restrict processing Understanding Right to Restrict Processing Overview The right to restrict processing allows individuals to control how organisations use their data. Conditions for Restricting Processing Alternative to Erasure: Individuals can choose to restrict processing instead of requesting data erasure. Limitation: Organisations can store data but cannot process it further without consent, except in specific circumstances. Notification: If data is shared with another organisation, they must be informed of the restriction. Refusal of Restriction If an organisation wishes to refuse to comply with a restriction request: Justification: The request must be proven to be manifestly unfounded or excessive, considering its repetitiveness. Reasonable Fee: A fee can be requested to process the request, or the request can be refused, with justification provided. The relevant individual must be informed of the reasons for not taking action, allowing them to lodge a complaint with the ICO or another supervisory authority. https://d3imrogdy81qei.cloudfront.net/video_images/6873/The_right_to_restrict_processing-01.jpg Yes 102 https://www.prodataprotection.co.uk/training/video/the-right-to-data-portability https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3825.mp4 The right to data portability Understanding Right to Data Portability Overview The right to data portability enables individuals to access and reuse their personal data across different services. Benefits This right allows individuals to: Transfer Data: Move, copy, or transfer personal data securely and conveniently between IT systems. Retain Usability: Ensure that data remains usable after being transferred to another environment. Conditions The right to data portability applies under the following conditions: Individual's Provided Data: Applies to information provided directly by the individual to the controller. Lawful Basis: Relevant when the organization's lawful basis is consent or for the performance of a contract. Automated Processing: Applicable when processing is carried out by automated means. https://d3imrogdy81qei.cloudfront.net/video_images/6877/The_right_to_data_portability-01.jpg Yes 55 https://www.prodataprotection.co.uk/training/video/the-right-to-object https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3826.mp4 The right to object Understanding Right to Object under GDPR Overview All individuals possess the right to object under the GDPR, with specific conditions and considerations. Direct Marketing Objection to data usage for direct marketing is an absolute right: Mode of Objection: Verbal or written objection is acceptable. Response Time: Organizations must respond within one month of receiving the objection. Recognizing and Handling Objections It's crucial for organizations to: Recognize Objections: Implement policies to identify and understand objections. Dealing with Objections: Have procedures in place to address objections effectively. Refusal of Objections In some cases, objections may be refused if: Compelling Reason: There exists a compelling reason to reject the objection, with proper justification provided. Considerations When processing data for legitimate interests or public tasks: Weight of Objection: Consider the impact on the individual, especially if substantial damage or distress is claimed. Balance of Interests: Balance individual rights with organizational interests before making a decision. Communication and Resolution If objection refusal occurs: Inform Individual: Provide clear explanation for refusal and inform them of their rights to complaint and judicial remedy. Special Consideration for Direct Marketing For direct marketing objections: Suppression List: Consider adding individual's information to a suppression list to respect objection while maintaining compliance. https://d3imrogdy81qei.cloudfront.net/video_images/6875/The_right_to_object-01.jpg Yes 140 https://www.prodataprotection.co.uk/training/video/the-right-to-be-informed https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3820.mp4 The right to be informed GDPR Compliance: Providing Information to Individuals Importance of Providing Information Every individual has the right to understand how their personal data is processed and who has access to it. To comply with GDPR regulations, data controllers must furnish individuals with details about their data processing activities. Direct Collection of Data When collecting data directly from an individual: Inform at Time of Collection: Explain the data processing intentions at the point of collection. Methods of Notification: Provide privacy policy information through email links, attachments, or hard copies via post. Indirect Collection of Data If data is collected from another source: Timely Disclosure: Provide privacy policy information either at the first instance of data usage or within one month of obtaining the data. Prior to Disclosure: Ensure information is given to the individual before sharing the data with any other recipient. Components of Privacy Policy Your privacy policy should contain: Organisation Details: Name, contact information, and representative's details. Data Protection Officer: Contact details if appointed. Data Processing Information: Reasons for processing, lawful basis, and legitimate interests (if applicable). Information Sharing: Recipients and categories of shared data. International Transfers: Details of transfers to third countries. Data Retention: Duration of data retention. Individual Rights: Information about rights regarding data processing. Withdrawal of Consent: Procedure for withdrawing consent, particularly relevant for marketing purposes. Complaint Process: How individuals can lodge complaints with supervisory authorities. Automated Decision-making: Existence and details of any automated decision-making or profiling. If data is collected from a third party, details of the source should be provided. Ensuring Accessibility Make individuals aware of your privacy policy by: Placement: Include the policy on your website. Active Notification: Actively inform individuals and provide easy access to the policy. https://d3imrogdy81qei.cloudfront.net/video_images/6947/The_right_to_be_informed-01.jpg Yes 170 https://www.prodataprotection.co.uk/training/video/dealing-with-a-sar https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3885.mp4 Dealing with a SAR Understanding Subject Access Requests (SARs) Individual Rights and SARs Right to Request: Every individual has the right to confirm data processing and obtain copies of their personal data, including supplementary information. Recognition and Reporting Recognition: It's crucial to identify SARs promptly and report them to the appropriate department without delay. Forms of Request SARs can come in various forms: Telephone calls In-person requests Emails Letters Social media messages Recognition Criteria Identification: SARs may not explicitly mention "Subject Access Request" but must clearly indicate a request for personal data. Record the individual's full name and, if possible, another identifying detail like email or postcode. Timely Reporting Procedure: Note the time, date, and details of the SAR, then report it promptly to the relevant authority within your organization. Response Time and Conditions Deadline: Organisations have one calendar month to respond to SARs. Charges and Refusals: In most cases, no fee can be charged, and requests cannot be refused unless they are repeated, excessive, or manifestly unfounded. https://d3imrogdy81qei.cloudfront.net/video_images/6979/Dealing_with_a_SAR-01.jpg Yes 90 https://www.prodataprotection.co.uk/training/video/privacy-principles https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3890.mp4 Privacy Principles Understanding Data Protection Principles This guide offers an insight into the fundamental principles of data protection, crucial for organisations to comply with the General Data Protection Regulations (GDPR). Principle of Lawfulness, Fairness, and Transparency Organisations must identify a lawful basis for data processing. This principle ensures that individuals are not misled or deceived when providing their data. Organisations should be open and honest about their data practices, including collection, usage, storage, deletion, and sharing. An accessible, clear, and easy-to-understand privacy policy is essential for compliance. Purpose Limitation and Data Minimisation Data should only be processed for the intended purpose and not for any incompatible reasons. Organisations must limit data storage duration to what is necessary and justify the retention of data. Storage Limitation and Data Security This principle mandates that personal data should not be kept longer than necessary. Organisations are required to implement appropriate security measures to protect data from unauthorised access, accidental loss, destruction, or damage. Principle of Accountability Organisations must not only comply with GDPR but also demonstrate their compliance. This includes taking responsibility for adhering to all data protection principles. Note: This guide provides an overview of data protection principles as outlined in the GDPR. It is intended for informational purposes and should be supplemented with comprehensive legal advice where necessary. https://d3imrogdy81qei.cloudfront.net/video_images/6981/Privacy_Principles-01.jpg Yes 115 https://www.prodataprotection.co.uk/training/video/the-right-to-rectification https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3822.mp4 The right to rectification Understanding Right to Rectification Overview The individual’s right to rectification ensures accuracy in personal data processing. Request Process Submission: Individuals can request correction or completion of inaccurate personal data verbally or in writing. Response Time: Organisations must respond within one calendar month. Policy Duration: Consider implementing a 28-day policy to cover requests received in any calendar month. Verification and Response Identity Verification: Verify the identity and accuracy of data before processing the request. Notification: If data is accurate, notify the individual and explain the decision. Inform them of their right to complain to the Information Commissioner’s Office or other supervisory authority. Organisational Policy Policy Establishment: Develop and implement a policy for handling and recording rectification requests. https://d3imrogdy81qei.cloudfront.net/video_images/6869/The_right_to_rectification-01.jpg Yes 80 https://www.prodataprotection.co.uk/training/video/data-subject-and-personal-data-under-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3588.mp4 Data Subject and Personal Data under GDPR Data Protection and GDPR: Understanding Data Subjects and Processing Introduction A data subject refers to a living individual who can be directly or indirectly identified by specific information. This definition has evolved to accommodate technological advancements. Identifying Data Subjects An online identifier, such as an IP address, cookie identifiers, RFID tags, or MAC addresses, when combined with unique identifiers and other server-received information, can create individual profiles and facilitate identification. Personal Data under GDPR Under GDPR, personal data encompasses any information pertaining to an identified or identifiable person. This includes their name, address, social media posts, photographs, email addresses, medical records, banking details, online identifiers, or computer IP addresses. If the data being processed can uniquely identify an individual, it qualifies as personal data. This is often evident when possessing their name and address, corporate email address containing their full name, or similar identifying information. Further guidance on identifying individuals is available on the Information Commissioner's website. Sensitive Personal Data GDPR also recognizes sensitive personal data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union memberships, medical conditions, and information regarding criminal convictions or offences. This category requires heightened protection. Understanding Processing under GDPR Processing, as defined under GDPR, encompasses any action performed on personal data, whether manual or automated. This includes data collection, storage, and deletion. Merely storing data without active manipulation still qualifies as processing under GDPR regulations. https://d3imrogdy81qei.cloudfront.net/video_images/6407/Data_Subject_and_Personal_Data_under_GDPR-01.jpg Yes 140 https://www.prodataprotection.co.uk/training/video/gdpr-compliance https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3579.mp4 GDPR Compliance Welcome to our GDPR Awareness Course Demystifying General Data Protection Regulations (GDPR) Gain crucial insights into GDPR and its implications for your organization. This course offers clarity and guidance on GDPR compliance. The Varied Paths to GDPR Compliance Recognize that each organization faces unique challenges on its journey to GDPR compliance. Decisions and strategies may differ. Course Overview Building Blocks of GDPR Acquire a solid foundation by grasping essential GDPR terminology, principles, and basic rules. Your Responsibility Understand that achieving GDPR compliance in your workplace rests with you. This course equips you with knowledge, but application and decision-making are your prerogatives. A Continuous Process GDPR is not a one-time endeavor; it's an ongoing commitment to data protection. Regular review and improvement of data security are vital. The GDPR Era The Effective Date GDPR officially came into force on May 25, 2018, replacing the Data Protection Act. It introduces a single, unified set of rules for all EU citizens. Key Changes Explore the significant GDPR changes: Consent: Stricter rules on obtaining and managing consent. Transparency: Enhanced transparency requirements. Personal Data: Expanded scope of personal and special categories of data. Children's Data: Special provisions for children's data. Breach Communication: Mandatory breach reporting and communication. Data Protection by Design: Integration of data protection into processes and systems. Enhanced Data Subject Rights: New rights for data subjects, including access, portability, and erasure. Organizational Obligations: Requirements placed on organizations. Penalties: Fines of up to 20 million euros or 4% of annual revenue for non-compliance. Stay Informed, Stay Compliant Regularly update your knowledge to ensure ongoing GDPR compliance, mitigating risks, and safeguarding data. https://d3imrogdy81qei.cloudfront.net/video_images/6403/GDPR_Compliance.jpg Yes 124 https://www.prodataprotection.co.uk/training/video/course-summary- https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/4803.mp4 Course Summary Completing Your Course and Taking the Test with ProTrainings Congratulations on completing your course! Before taking the test, review the student resources section and refresh your skills. Student Resources Section Free student manual: Download your manual and other resources. Additional links: Find helpful websites to support your training. Eight-month access: Revisit the course and view any new videos added. Preparing for the Course Test Before starting the test, you can: Review the videos Read through documents and links in the student resources section Course Test Guidelines No time limit: Take the test at your own pace, but complete it in one sitting. Question format: Choose from four answers or true/false questions. Adaptive testing: Unique questions for each student, with required section passes. Retake option: Review materials and retake the test if needed. After Passing the Test Once you pass the test, you can: Print your completion certificate Print your Certified CPD statement Print the evidence-based learning statement Additional ProTrainings Courses ProTrainings offers: Over 350 courses at regional training centres or your workplace Remote virtual courses with live instructors Over 300 video online and blended courses Contact us at 01206 805359 or email support@protrainings.uk for assistance or group training solutions. Thank you for choosing ProTrainings and good luck with your test! https://d3imrogdy81qei.cloudfront.net/video_images/8553/Course_Summary-01.jpg Yes 127 https://www.prodataprotection.co.uk/training/video/sms-scams https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5845.mp4 SMS Scams Protect Yourself from Mobile Phone Scams Introduction Stay Vigilant: With the rise of mobile phone usage, it's crucial to be aware of various scams targeting users through texts and calls. Types of Text Scams Delivery Text Scam: Fake messages from delivery services like Royal Mail or DHL, claiming a missed parcel and urging recipients to click a tracking link, which can lead to fraud. Always use official delivery service websites to track parcels. "Hi Mum" Scam: Fraudsters posing as family members via text or WhatsApp, requesting money due to a lost or damaged phone. Verify their identity before transferring money. Energy Bill Support Scam: Scam messages or emails appearing to be from government bodies or energy providers, falsely claiming eligibility for energy bill support. Never provide personal information or click on links in such messages. Broadband/Mobile Phone Scams: Scammers offering enticing deals or compensation for slow internet speeds, often requesting bank details. Hang up and contact the provider directly. Bank Fraud Team Scam: Scammers posing as bank representatives, claiming account compromise and requesting money transfer. Always verify with your bank via official channels. Actions to Take Report Suspicious Messages: Forward suspicious texts to 7726 for free to investigate and block malicious senders. You can also block and report scam WhatsApp messages. Contact Your Bank: If you've shared personal banking information or fallen victim to a scam, contact your bank immediately and report the incident to Action Fraud. https://d3imrogdy81qei.cloudfront.net/video_images/10422/SMS_Scams-01.jpg Yes 279 https://www.prodataprotection.co.uk/training/video/freedom-of-information-act-2000 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1090.mp4 The Freedom of Information Act 2000 Understanding the Freedom of Information Act 2000 The Freedom of Information Act 2000 (FOIA) is a significant piece of legislation in the United Kingdom that allows the public to access information held by public authorities. This article delves into the objectives and coverage of the Act and explains how it promotes transparency and accountability in public bodies. Objectives of the FOIA The primary aim of the FOIA is to foster openness and trust between public authorities and the public. The access to information held by these bodies enables the public to hold them accountable for their decisions and actions, as these often impact taxpayers and significantly influence their lives. The disclosure of official data also bolsters public debate, making it more informed and constructive. Coverage of the Act The FOIA mandates public authorities to publish specific details about their operations. This includes government departments, local authorities, the NHS, state schools, and police forces. However, the Act doesn't necessarily cover all organisations funded by public money, such as certain charities receiving grants and private sector organisations carrying out public duties. Under the Act, recorded information encompasses various formats like printed documents, computer files, emails, photos, sound and video recordings. Notably, the Act does not extend to personal data, such as health records or credit reference files. For individuals wishing to access such personal data held by public authorities, a subject access request must be made under the Data Protection Act 1998. Special Provisions for Scotland While the FOIA covers England, Wales, and Northern Ireland, and UK-wide public authorities based in Scotland, information held by Scottish public authorities falls under the purview of Scotland's own Freedom of Information Scotland Act 2002. Public Right to Request Information The FOIA asserts the public's right to request information, and this privilege is not limited to UK residents. If a person believes that a public authority holds certain information, they may send a freedom of information request to that authority. Interestingly, the person requesting the information doesn't need to provide a reason for their inquiry. In fact, it's the public authority that must justify any refusal to disclose the requested information. Limitations and Exemptions While promoting transparency, the Act also recognises the need for certain information to be kept confidential. These exemptions are defined in the Act and require a valid reason for withholding the information. It's also important to note that the Act doesn't prevent public authorities from voluntarily providing information to individuals outside the provisions of the Act. Response to Information Requests Upon receiving an information request, it's the public authority's responsibility to respond accordingly. The FOIA mandates these authorities to not only reply to requests but also to proactively publish certain information. This coverage extends to all recorded information held by public authorities, including drafts, emails, notes, telephone conversation recordings, CCTV footage, and even letters from the public. The Impact of the FOIA on Public Trust A report by the Information Commissioner's Office in 2016 indicated that 85% of the public considered the FOIA vital for holding public authorities to account, with 76% believing it had boosted transparency in public organisations. Ultimately, the main principle behind the freedom of information legislation is that people should be informed about public authorities' activities unless there's a valid reason to keep them in the dark. https://d3imrogdy81qei.cloudfront.net/video_images/1999/Freedom_of_information_act-01.jpg Yes 239 https://www.prodataprotection.co.uk/training/video/who-holds-personal-information https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1017.mp4 Who holds personal information Data Protection: Understanding the Importance of Personal Data Regulation Introduction From the earliest stages of life, various organisations and bodies collect data about individuals. This information is gathered from a wide array of sources, including: Airlines Banks Car repairers Schools Doctors Clubs and associations Credit card providers Dentists Estate agents Gas and electric companies Hospitals Inland revenue Insurance companies Employers Supermarkets And many more While much of the information held about individuals is considered highly confidential, it is essential to control and regulate personal data to prevent unwanted disclosures and safeguard privacy. The Data Protection Act The Data Protection Act establishes a framework of rights and duties aimed at safeguarding the collection and usage of personal data by organisations. It ensures a balance between business needs and individual privacy rights, prohibiting the release or sharing of personal information without prior consent. Under the Act, data refers to information collected or intended to be held on a computer, including data recorded on paper for computer input or held in a structured format, such as part of a filing system. This encompasses various records, including health, education, housing, and social services. Types of Data The Data Protection Act categorises data into two main types: Personal Data: Information from which an individual can be identified, including opinions and intentions regarding the individual. Sensitive Data: Personal data containing sensitive information, such as racial or ethnic origin, religious beliefs, political opinions, trade union membership, physical or mental health, or sexual life. Sensitive data receives increased legal protection under the Act, with specific obligations outlined for its handling and processing. https://d3imrogdy81qei.cloudfront.net/video_images/2001/Who_holds_personal_information-01.jpg Yes 119 https://www.prodataprotection.co.uk/training/business-managers/video/entering-your-personal-data-on-a-website https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5141.mp4 Entering your personal data on a website Registering Online: Safeguarding Personal Data Importance of Data Security Protect Your Personal Information: Safeguard your personal details to prevent unwanted solicitations and reduce the risk of identity theft. Registering with Tesco Online Creating an Account: Follow the steps to register on Tesco's website while ensuring data security. Password Requirements: Ensure your password meets the specified criteria for security. Providing Personal Details: Enter accurate information, including title, name, contact number, and postcode. Opting into Marketing Communications: Choose your preferences regarding receiving marketing materials and newsletters. Account Validation: Verify your email address by following the instructions sent to you. Understanding Data Requests Selective Information Sharing: Only provide necessary information and avoid disclosing sensitive details if not required. Date of Birth Requests: Assess the necessity of providing your date of birth based on the website's requirements and your comfort level. Conclusion Exercise Caution: Be mindful of the information you share online and prioritize your data security at all times. https://d3imrogdy81qei.cloudfront.net/video_images/9276/Entering_your_personal_data_on_a_website-01.jpg Yes 319 https://www.prodataprotection.co.uk/training/business-managers/video/accountability https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3840.mp4 Accountability Accountability in GDPR Compliance Overview Accountability is the final principle in GDPR compliance, requiring organisations to demonstrate adherence to General Data Protection Regulations. Responsibilities Organisations must fulfil several responsibilities to ensure accountability: Record-keeping: Maintain records of processing activities, clearly outlined in the privacy policy. Compliance: Understand and comply with all processing principles outlined in GDPR. Contracts: Establish contracts with data processors and implement adequate security measures. Rights Management: Have policies in place to handle and document individuals' requests to exercise GDPR rights. Consent Management: Maintain records of consent details, including how, when, and to what individuals consented. Data Breach Response: Develop a policy to address, investigate, record, and report data breaches when necessary. Special Requirements Certain organisations have additional obligations: Data Protection Officer (DPO): Appoint a DPO for public authorities or organisations conducting large-scale monitoring or processing of sensitive data. Registration: Register with the Information Commissioner's Office and pay the annual fee. Employee Training and System Maintenance Additional measures for ensuring compliance: Password Management: Regularly review password systems for security. Training: Provide comprehensive training to employees on password management and system security. System Monitoring: Monitor systems regularly to detect and address security vulnerabilities. Policy Review: Review all policies periodically to ensure continuous compliance with GDPR. https://d3imrogdy81qei.cloudfront.net/video_images/6969/Accountability-01.jpg Yes 115 https://www.prodataprotection.co.uk/training/business-managers/video/what-is-a-data-inventory https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3699.mp4 What is a data inventory Documenting Data Processing: Importance and Guidelines Understanding Documentation Requirements Factors Affecting Documentation: The need for formal documentation depends on organisational size, data volume, and type of data processed. Comprehensive Recording: Documenting all processed data is essential for transparency and compliance. Benefits of Data Inventory Valuable Exercise: Despite not being mandatory for smaller organisations, creating a data inventory proves highly beneficial. Identification of Processing: The inventory aids in identifying all processing activities and the corresponding data held. Facilitating Policy Review: Helps significantly during privacy policy reviews by providing necessary compliance information. Components of a Data Inventory Inclusive Data: The content of a data inventory varies based on processing activities and data types. Data Source: Identify where the data originates, e.g., individuals or employers. Data Categories: Categorise the data subjects, such as employees, customers, or suppliers. Data Types: Specify the types of personal data processed, like contact information or financial records. Purpose of Processing: Define the purpose, such as supplying goods, payroll, or marketing. Lawful Basis: Document the legal basis for processing, whether contract, consent, or legitimate interest. Sensitive Data: Indicate if the data includes special category/sensitive personal data. Data Volume: Record the volume of data processed. Retention Period: Specify the duration for which the data is retained. Third-Party Recipients: List any third parties receiving the data. Data Transfer Safeguards: Ensure appropriate safeguards for data transfer. Individual Rights: Detail the rights available to individuals, such as access, rectification, or erasure. Accessing an Example Inventory An example data inventory template is available for download on the homepage. https://d3imrogdy81qei.cloudfront.net/video_images/6625/What_is_a_data_inventory-01.jpg Yes 124 https://www.prodataprotection.co.uk/training/business-managers/video/lawful-basis https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3696.mp4 Lawful Basis Understanding GDPR Lawful Basis for Data Processing Identifying Lawful Basis Under GDPR: Identifying the lawful basis for processing data is crucial. Different Basis for Different Activities: Six lawful bases exist, with four commonly applicable to businesses. 1. Consent Real Choice and Control: Consent gives individuals control over their data. Withdrawal: Individuals can withdraw consent at any time. Considerations: Assess whether you'd be willing to delete all their data upon request. 2. Contract Fulfilling Contracts: Used when processing data to fulfill contractual obligations. Limitations: Data can only be used for contract fulfillment. 3. Legal Obligation Compliance: Relied upon to meet legal obligations. Statutory Requirements: Applies to common law or statutory obligations. 4. Legitimate Interest Flexibility: Flexible but must not override individual interests. Balancing Test: Conduct a balancing test before processing. 5. Vital Interests Life Protection: Used when processing data to protect someone's life. 6. Public Task Official Authority: Relates to processing tasks in the public interest as set out in law. Choosing the Right Basis Compatibility: Ensure processing activities align with chosen lawful basis. Multifaceted Approach: Utilize multiple lawful bases if necessary. Consent in Direct Marketing: Consent is the most suitable basis for direct marketing. GDPR Compliance Tips Granular Consent: Provide clear options for consent, such as for newsletters or marketing emails. Immediate Compliance: Cease processing data upon withdrawal of consent. Easy Unsubscribe: Provide visible unsubscribe links in emails. Record Unsubscribers: Maintain records to prevent accidental recontacting. Privacy Policy Link: Include a link to the privacy policy in all communications. Building trust through transparency and providing control over data enhances customer relationships. ``` This HTML document provides detailed information on GDPR lawful basis for data processing, including the six lawful bases, considerations for choosing the right basis, and compliance tips for businesses, especially regarding consent and direct marketing. It emphasizes the importance of transparency, immediate compliance with withdrawal requests, and providing easy unsubscribe options to build trust with customers. https://d3imrogdy81qei.cloudfront.net/video_images/6619/Lawful_Basis-01.jpg Yes 381 https://www.prodataprotection.co.uk/training/business-managers/video/subject-access-requests---part-1 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3697.mp4 Subject Access Requests - Part 1 Changes to Handling Subject Access Requests (SARs) under GDPR New Timeframe for Response Extended Deadline: You now have one calendar month to respond to a Subject Access Request (SAR). Considerations: Response deadline adjusts for varying days in different months. Practical Approach: Many companies opt for a simplified 28-day response policy for compliance certainty. Recognition of Requests Diverse Channels: SARs can be received via various channels including telephone, email, mail, online, social media, or face to face. Staff Training: All customer-facing staff need to be trained to identify SARs. Accessible Forms: Offer SAR submission forms on the website, but individuals can request through any means. Fee Policy Changes No Charging by Default: Charging a fee for SARs is prohibited unless deemed "manifestly unfounded or excessive." Justification: Businesses must justify fees, especially for high-volume or repeated requests. Compliance: In most cases, businesses must provide information without charging a fee. https://d3imrogdy81qei.cloudfront.net/video_images/6621/Subject_Access_Requests_-_Part_1-01.jpg Yes 215 https://www.prodataprotection.co.uk/training/business-managers/video/data-breaches-2 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3693.mp4 Data Breaches Data Breach Prevention Understanding Data Breaches Scope: Data breaches can vary from small incidents to massive breaches with severe consequences. Examples: A large-scale hack resulting in millions of compromised user data is a significant breach, while sending an invoice to the wrong recipient constitutes a smaller breach. Handling Breaches Internal Recording: Record all breaches for internal documentation, even if they are deemed small and pose no immediate risk to individuals. Reporting: Small breaches may not require reporting to the Information Commissioner's Office unless they involve sensitive data. Dealing with Sensitive Data Special Category Data: Special category data, such as health or biometric information, requires heightened security measures due to its sensitivity. Risks: Breaches involving special category data pose a significant risk to individuals' rights and freedoms. Preventive Measures Secure Handling: Keep personal data secure at all times, whether in physical or digital form. Device Protection: Ensure laptops and handheld devices are protected from malware and password-secured. Immediate Notification: Notify the ICO promptly of breaches with a high risk to individuals' rights. Individual Notification: Individuals affected by significant breaches should be informed as soon as possible. Conclusion Understanding the gravity of data breaches and implementing robust preventive measures is crucial for safeguarding individuals' personal information and complying with data protection regulations. https://d3imrogdy81qei.cloudfront.net/video_images/6617/Data_Breaches-01.jpg Yes 203 https://www.prodataprotection.co.uk/training/business-managers/video/subject-access-requests---part-2 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3698.mp4 Subject Access Requests - Part 2 Guidelines for Handling Subject Access Requests (SARs) under GDPR Verification of Identity Essential Checks: Verify the identity of the requester to avoid data breaches. Known Customers: If the requester is a known customer, additional proof may not be required. Third-Party Requests: Requesters acting on behalf of others must provide legal proof of entitlement. Refusal Protocol Reasons for Refusal: Only refuse requests if they are manifestly unfounded or excessive. Consultation: Seek guidance from the Information Commissioner's Office before refusal. Notification: If refusal occurs, inform the individual and provide avenues for appeal and complaint. Information Provision Data Disclosure: Provide all personal data held about the requester, including identifying information. Comprehensive Details: Furnish information about your company, data processing purposes, retention periods, and lawful basis. Delivery Methods Ideal Approach: Utilize an online portal for secure and convenient access to data, recommended by the ICO. Alternative Methods: If a portal is unavailable, provide data via email attachments or printed documents. Format Preference: Honour format requests; respond in the requested format, be it printed or electronic. Social Media Requests Cautious Response: Responding via social media may risk data breaches; confirm identity and switch to email for secure communication. Data of Third Parties Consent Requirement: Obtain consent from third parties before disclosing their personal data. Anonymization Option: Anonymize data if feasible; avoid disclosing identifiable information of third parties without consent. https://d3imrogdy81qei.cloudfront.net/video_images/6623/Subject_Access_Requests_-_Part_2-01.jpg Yes 366 https://www.prodataprotection.co.uk/training/business-managers/video/gdpr-and-the-small-business https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3694.mp4 GDPR and the small business GDPR Compliance for New Businesses Understanding GDPR for New Businesses Scope: GDPR applies to all businesses processing personal data for business purposes, irrespective of size or structure. Data Controller: The entity determining how and why data is processed is known as the Data Controller, and ensuring GDPR compliance is their responsibility. Considerations for Startups Advantage of Startups: New businesses can set up processing activities to comply with GDPR from the outset. Documentation: Document decisions regarding data collection, retention, and sharing to create a comprehensive data inventory. Online Systems: Choose online systems that meet GDPR requirements and provide adequate safeguards. Key Points in GDPR Compliance Definition of Personal Data: Personal data includes information identifying an individual, such as names, addresses, and contact details. Data Security: Personal data must be securely held and used only for the purpose provided by the individual. Transparency: Inform individuals about data processing activities through a clear and concise Privacy Policy or Statement. Steps for GDPR Compliance Register with the ICO and pay the registration fee. List the personal data you need to collect. Identify lawful bases for data processing. Determine data retention periods and create a retention policy. Ensure online systems comply with GDPR. List entities with whom data will be shared and establish suitable agreements. Create a Privacy Policy. Establish a data breach register and policy. Create a register for subject access requests and policy for handling them. Provide adequate training on privacy principles and data subjects' rights. Cost of GDPR Compliance GDPR compliance costs vary depending on business specifics. Understanding privacy principles and applying them diligently is crucial for compliance. For additional information and assistance, businesses can visit the Information Commissioner's Office website or contact their helpline. https://d3imrogdy81qei.cloudfront.net/video_images/6629/GDPR_and_the_small_business-01.jpg Yes 432 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-erasure https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3823.mp4 The right to erasure Understanding Right to Erasure Overview The right to erasure, also known as the "right to be forgotten," applies in specific circumstances. Conditions for Erasure Personal Data No Longer Necessary: Data can be erased if it's no longer needed for the purpose it was collected or processed. Withdrawal of Consent: Erasure is applicable if consent, the lawful basis for processing, is withdrawn by the individual. Objection to Legitimate Interests: If an individual objects to processing based on legitimate interests, erasure may apply unless there's an overriding legitimate interest. Other Circumstances: Erasure applies in cases of direct marketing, processing of data for children, unlawful processing, or compliance with legal obligations. Exceptions to Erasure The right to erasure does not apply if data processing is necessary for: Freedom of expression and information Legal obligations or public tasks Archiving or scientific research Establishment, exercise, or defence of legal claims For special category data, exceptions include processing for public health or preventive medicine. Request Process Submission: Requests for erasure can be made verbally or in writing to any part of the organisation. Response Time: Organisations have 28 days to respond to requests. Refusal of Request Organisations can refuse to comply with a request if it's deemed manifestly unfounded or excessive. In such cases: A "reasonable fee" can be requested to process the request. Organisations must justify their decision if refusing to deal with the request. https://d3imrogdy81qei.cloudfront.net/video_images/6871/The_right_to_erasure-01.jpg Yes 233 https://www.prodataprotection.co.uk/training/business-managers/video/contract https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3816.mp4 Contract Legal Basis: Contract Understanding Contract as a Legal Basis Contractual Relationship: Contract serves as the second legal basis for data processing, typically applicable when there's an existing contract with the individual. Application of Contract Fulfillment of Contract: Personal data processing may be necessary to fulfill contractual obligations or provide requested information about services. Third-Party Involvement: When processing another individual's data under a contract, consider using a different lawful basis. Initiative Contact: Initiating contact based on third-party suggestions may not align with the contract as a lawful basis. Limitations of Contractual Basis Scope of Processing: Processing under contract should strictly align with fulfilling the terms of the contract. Contacting customers for additional services may require a different lawful basis. https://d3imrogdy81qei.cloudfront.net/video_images/6859/Contract-01.jpg Yes 77 https://www.prodataprotection.co.uk/training/business-managers/video/introduction-data-protection https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/762.mp4 Course introduction Welcome to the Data Protection Online Course Your Data Protection Responsibilities Discover the essentials of data protection in this comprehensive online course provided by ProTrainings. Course Overview Explore key aspects of data protection and learn how to effectively comply with your data handling responsibilities. Course Structure This course offers flexibility and accessibility: Video-Based Learning: Watch a series of informative videos. Knowledge Review: Test your understanding with knowledge review questions. Completion Test: Assess your knowledge with a final completion test. Flexible Progress: Start and stop the course at your convenience, picking up right where you left off. Multi-Device Compatibility: Access the course on any device, from computer to smartphone or tablet. Video Pinning: Pin the video to the top of your screen for easy simultaneous viewing of text content. Subtitles: Enable subtitles by clicking the CC icon for text support while watching videos. Additional Help: Receive guidance if you encounter questions you answer incorrectly. Completion Certificate: Obtain a completion certificate and access downloads upon passing the test. Resource Hub: Explore a wealth of resources and links on the course homepage to support your training. Ongoing Support ProTrainings is dedicated to your success: Course Updates: Check regularly for new course materials and updates. Extended Access: Enjoy access to the course for eight months, even after test completion. Company Solutions: Contact us for information on free company dashboards and workplace staff training solutions. Weekly Updates: Receive Monday morning emails to keep your skills sharp, discover new videos, and stay informed about blog news. Get Started We hope you find this course valuable. Thank you for choosing ProTrainings, and we wish you the best of luck in your training journey. https://d3imrogdy81qei.cloudfront.net/video_images/2005/Course_introduction-01.jpg Yes 142 https://www.prodataprotection.co.uk/training/business-managers/video/credit-card-data https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1923.mp4 Data Protection and Credit Card Details Secure Handling of Credit and Debit Card Payments: A Guide Handling credit and debit card payments is a critical task that demands a keen understanding of your company's policies and procedures related to card data security. Adhering to card scheme rules and ensuring the secure storage and processing of card data is paramount. Furthermore, any information obtained from the cardholder should strictly be used for the related transaction only. Why Writing Credit Card Information on Paper is a No-go Recording credit card information in diaries, notepads, or loose pieces of paper for later processing poses significant security risks. This is not considered secure data handling and should be avoided at all costs. Key Requirements for Secure Credit Card Payment Handling Install and maintain firewalls: Firewalls are essential for protecting customers' data. Use robust passwords: Avoid using vendor-supplied defaults for system passwords. Regularly changing passwords enhances security. Protect stored cardholder data: Implement measures to ensure the secure storage of cardholder data. Update antivirus software regularly: Keeping your antivirus software and other programs up-to-date is critical for data security. Regularly maintain systems and applications: This can help protect against potential security breaches. Restrict access: Limit access to customers' card data strictly on a need-to-know basis. Every user should have a unique ID, and access to network resources and credit card data should be meticulously tracked. Regularly check security systems and processes: Regular checks can help identify and rectify potential weaknesses in your security setup. Consequences of Inadequate Card Data Security Leaving customer card data vulnerable to fraudulent access or misuse can lead to serious consequences. These include business losses, bad publicity, decreased sales, card scheme fines, and most significantly, loss of customer trust and reputational damage. The expenses for corrective measures, potentially including forensic investigation costs, can run into tens of thousands of pounds. Responsibilities as a Data Handler When customers use their credit or debit cards for transactions, they trust that the organisation will securely process the payment and protect their data. As a data handler, you have a responsibility to ensure maximum security for the customer's data that you process. This commitment to security helps build customer trust and protects your business's reputation. https://d3imrogdy81qei.cloudfront.net/video_images/3499/Data_protection_and_credit_card_details-01.jpg Yes 131 https://www.prodataprotection.co.uk/training/business-managers/video/privacy-principles-under-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3833.mp4 Privacy Principles under GDPR Understanding GDPR Principles for Data Processing Changes in Data Processing Principles under GDPR The General Data Protection Regulation (GDPR) has introduced changes to the principles governing data processing, notably expanding individuals' rights and introducing separate provisions for international transfers. Importance of GDPR Principles The GDPR principles serve as the cornerstone for compliance, and understanding and adhering to them are crucial to avoid potential substantial fines. Consideration of Data Subjects' Rights Before making any decisions regarding data processing, it's essential to refer to the GDPR principles and consider the perspective of the data subject. Documentation of Processing Activities Whether formal documentation of processing activities under GDPR is necessary depends on the size of the organisation and its processing activities. While many small businesses may not be obligated to do so, it's advisable to verify this information on the Information Commissioner's website. In our experience, creating a mapping document detailing the types of data processed, its source, purpose of processing, lawful basis, retention period, and sharing details has been instrumental in ensuring compliance and facilitating data review. Data Inventory Spreadsheet A downloadable spreadsheet to assist in creating a data inventory is available in our download area, alongside checklists and other valuable resources. https://d3imrogdy81qei.cloudfront.net/video_images/6895/Privacy_Principles_under_GDPR-01.jpg Yes 95 https://www.prodataprotection.co.uk/training/business-managers/video/consent-gdpr-2019 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3815.mp4 Consent Consent for Data Processing Understanding Consent Importance of Consent: Consent serves as one legal basis for data processing, offering individuals control over their data. However, it's vital to note that individuals can object or withdraw consent at any time, impacting data processing. Key Considerations for Consent Opt-In Requirement: Consent should require a clear, positive action to opt in. Pre-ticked or opt-out boxes are not compliant with GDPR. Clear Information: Individuals must be clearly informed of what they are consenting to, ensuring transparency in data usage. Separate Consent for Marketing: Marketing consent must be separate from other consents, providing individuals with the choice to opt in or out of receiving marketing materials. Information Required: When requesting consent, provide details such as your organisation's name, purpose of data collection, data usage, and any third parties involved. Withdrawal Option: Clearly state that individuals can withdraw consent at any time, and ensure it is easy for them to do so. Record-Keeping Record of Consent: Maintain records of who consented, when, how, and to what they consented. This helps demonstrate compliance with GDPR requirements. Explicit Consent for Children Child Consent: Children have the same data rights as adults. If consent is sought for children under 13, parental or guardian consent is necessary. Express Confirmation: Explicit consent must be expressly confirmed in words, not through pre-selected options. https://d3imrogdy81qei.cloudfront.net/video_images/6861/Consent-01.jpg Yes 170 https://www.prodataprotection.co.uk/training/business-managers/video/data-protection-and-gdpr-level-3-course-overview https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3870.mp4 Data Protection and GDPR level 3 for Managers and Business course overview Welcome to Our Data Protection and GDPR Course Course Overview Before we delve into the course content, let's provide you with a comprehensive overview of what you can expect during this training. Course Structure The course is structured into distinct categories, each containing a series of informative videos. Flexible Learning Enjoy the flexibility to pause, rewind, and revisit any video throughout the course to enhance your understanding. Regular Updates We regularly update our courses, ensuring you have access to the latest content, including replacements and newly released videos. Support Channels If you have any questions or require assistance during the course, feel free to reach out to us via phone, email, or our online chat facility on our websites. Course Content Section 1: Introduction to Data Protection and GDPR In this section, we provide a foundational understanding of Data Protection and GDPR. We delve into the Information Commissioner's Office and relevant data protection regulations. Section 2: Data Protection and GDPR in Detail Explore data protection and GDPR in greater depth. We examine entities holding personal information, credit card data, and public authorities. Additionally, we discuss the Freedom of Information Act. Section 3: Data Protection Risk Assessments Learn about the importance of data protection risk assessments and their role in GDPR compliance. Section 4: Data Protection Principles under GDPR Gain insights into GDPR's core principles, including lawfulness, fairness, and transparency. We also cover topics like data minimization, data security, and accountability. Section 5: General Data Protection Regulation This section explores various aspects of GDPR, such as its applicability, roles within GDPR, lawful basis, data breaches, data transfers, special data categories, and more. Section 6: Understanding Lawful Basis Delve deeper into the lawful basis for processing data, including aspects like consent, contracts, and legitimate interest. Section 7: Rights of the Data Subject Learn about the rights of data subjects, including the right to be informed, the right of access, the right to rectification, and other crucial rights associated with data handling. Section 8: Keeping Data Online Safe Discover strategies for safeguarding data online to prevent potential data breaches. Section 9: Data Protection Consultation Engage in discussions on data protection issues with an expert in the field. https://d3imrogdy81qei.cloudfront.net/video_images/6993/Course_Overview-01.jpg Yes 138 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-rectification https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3822.mp4 The right to rectification Understanding Right to Rectification Overview The individual’s right to rectification ensures accuracy in personal data processing. Request Process Submission: Individuals can request correction or completion of inaccurate personal data verbally or in writing. Response Time: Organisations must respond within one calendar month. Policy Duration: Consider implementing a 28-day policy to cover requests received in any calendar month. Verification and Response Identity Verification: Verify the identity and accuracy of data before processing the request. Notification: If data is accurate, notify the individual and explain the decision. Inform them of their right to complain to the Information Commissioner’s Office or other supervisory authority. Organisational Policy Policy Establishment: Develop and implement a policy for handling and recording rectification requests. https://d3imrogdy81qei.cloudfront.net/video_images/6869/The_right_to_rectification-01.jpg Yes 80 https://www.prodataprotection.co.uk/training/business-managers/video/information-commissioners-office https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1079.mp4 The Information Commissioner's Office Exploring the Information Commissioner's Office (ICO) and GDPR The ICO: Upholding Information Rights Discover the pivotal role of the Information Commissioner's Office (ICO), also known as the ICO, as the UK's independent authority. Mission and Mandate The ICO's primary objectives: Information Rights: Uphold information rights in the public interest. Promoting Openness: Promote transparency among public bodies. Data Privacy: Safeguard individuals' data privacy. ICO's Regulatory Authority Enforcement and Oversight The ICO enforces and oversees key legislations: Data Protection Acts: Encompassing the 1998 and 2018 versions. General Data Protection Regulations (GDPR): Implementation and enforcement. Freedom of Information Act 2000: Ensuring compliance. Investigation and Fines The ICO possesses the authority to: Investigate Data Controllers: Examine data handling practices. Report Breaches: Address and report data breaches. Levy Fines: Impose fines on non-compliant organizations. Guidance and Support The ICO offers valuable guidance and support: Advice: Providing advice on data protection and privacy. Website Resources: Information for individuals and organizations. Case Insights: Details on past actions and resolutions. Gearing Up for GDPR Compliance Understanding Data Controllers Under GDPR, businesses and individuals who handle personal data as Data Controllers: Annual Fees: Data Controllers must pay a fee to the ICO. Fees Structure: Fees vary based on staff count and turnover. Fee Tiers Fee structure under GDPR: Micro Organizations: Starting from £40 per year. Small and Medium-sized Businesses: £60 per year. Others: £2,900 per year. Exemptions and Consultation Exemptions are limited, and consultation with the ICO is advisable: Personal or Household Activity: GDPR exemptions for individuals. Specific Organizational Exemptions: Verify eligibility with the ICO directly. Help Resources: ICO's website and small business helpline. https://d3imrogdy81qei.cloudfront.net/video_images/1995/The_Information_Commissioner's_Office-01.jpg Yes 151 https://www.prodataprotection.co.uk/training/business-managers/video/what-should-you-tell-people-when-you-collect-their-data https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3585.mp4 What should you tell people when you collect their data? Privacy Policy Requirements Direct Data Collection Provide Clear Information: Inform data subjects about data handling practices at the point of collection, typically through a privacy policy link in emails or notices on your website. Key Information to Include: Your company name and address Purpose of data usage Data sharing practices Legal Basis for processing Data retention period Data subject rights Safeguards for EU data transfers Contact information for inquiries Additional processing purposes Complaint procedures Automated decision-making disclosure Legal obligations and consequences Third-Party Data Collection Timely Information Provision: Deliver the Privacy Notice or Policy to data subjects in the following scenarios: First communication with the data subject Within one month of data acquisition Prior to disclosing data to another recipient Important Details to Confirm: Data categories Data source https://d3imrogdy81qei.cloudfront.net/video_images/6409/What_you_must_tell_people-01.jpg Yes 106 https://www.prodataprotection.co.uk/training/business-managers/video/the-privacy-shield https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2590.mp4 EU US Data Privacy Framework https://d3imrogdy81qei.cloudfront.net/video_images/4555/the_privacy_shield-01.jpg Yes 170 https://www.prodataprotection.co.uk/training/business-managers/video/data-security https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3839.mp4 Data Security Data Security Measures: Ensuring GDPR Compliance Overview According to GDPR regulations, personal data must be processed with appropriate security measures to safeguard against unauthorized access, loss, or damage. Security Measures Provide information about the security measures implemented: IT and Storage Services: Ensure use of services with adequate security measures. GDPR Compliance: Choose providers compliant with GDPR regulations in the EU. International Compliance: Use systems outside the EU only if they comply with GDPR and have approved measures in place. Example: If utilizing systems in the US: EU-US Privacy Shield: Ensure compliance with GDPR and EU-US Privacy Shield framework. Documentation: Document the compliance status and include details in privacy policy. Software Providers and Cloud-Based Storage For services: Compliance Verification: Verify compliance of software providers or cloud-based storage services. Standard Contractual Clauses: Ensure correct contractual clauses for countries or organizations lacking adequacy decisions. https://d3imrogdy81qei.cloudfront.net/video_images/6889/Data_Security-01.jpg Yes 97 https://www.prodataprotection.co.uk/training/business-managers/video/gdpr-compliance https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3579.mp4 GDPR Compliance Welcome to our GDPR Awareness Course Demystifying General Data Protection Regulations (GDPR) Gain crucial insights into GDPR and its implications for your organization. This course offers clarity and guidance on GDPR compliance. The Varied Paths to GDPR Compliance Recognize that each organization faces unique challenges on its journey to GDPR compliance. Decisions and strategies may differ. Course Overview Building Blocks of GDPR Acquire a solid foundation by grasping essential GDPR terminology, principles, and basic rules. Your Responsibility Understand that achieving GDPR compliance in your workplace rests with you. This course equips you with knowledge, but application and decision-making are your prerogatives. A Continuous Process GDPR is not a one-time endeavor; it's an ongoing commitment to data protection. Regular review and improvement of data security are vital. The GDPR Era The Effective Date GDPR officially came into force on May 25, 2018, replacing the Data Protection Act. It introduces a single, unified set of rules for all EU citizens. Key Changes Explore the significant GDPR changes: Consent: Stricter rules on obtaining and managing consent. Transparency: Enhanced transparency requirements. Personal Data: Expanded scope of personal and special categories of data. Children's Data: Special provisions for children's data. Breach Communication: Mandatory breach reporting and communication. Data Protection by Design: Integration of data protection into processes and systems. Enhanced Data Subject Rights: New rights for data subjects, including access, portability, and erasure. Organizational Obligations: Requirements placed on organizations. Penalties: Fines of up to 20 million euros or 4% of annual revenue for non-compliance. Stay Informed, Stay Compliant Regularly update your knowledge to ensure ongoing GDPR compliance, mitigating risks, and safeguarding data. https://d3imrogdy81qei.cloudfront.net/video_images/6403/GDPR_Compliance.jpg Yes 124 https://www.prodataprotection.co.uk/training/business-managers/video/data-transfers https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3583.mp4 Data Transfers Data Transfer Agreements: Controllers and Processors Ensuring Data Protection in Transfers Controllers must establish agreements with processors to safeguard data integrity and compliance. Importance of Agreements Contractual Obligations: Controllers transferring data to processors must ensure the existence of a comprehensive agreement. Adherence to Instructions Instruction Compliance: Processors are obligated to handle data in accordance with the controller's instructions. Standard Processor Agreements Some processors, such as email providers or customer relationship management systems, may offer standard agreements to their clients. Thorough Review Evaluation: Controllers should meticulously review any standard processor agreements provided to ensure alignment with their specific requirements. Custom Agreements for Specific Services For services like local bookkeeping or virtual assistance, custom processor agreements are necessary. https://d3imrogdy81qei.cloudfront.net/video_images/6415/Data_Transfers-01.jpg Yes 165 https://www.prodataprotection.co.uk/training/business-managers/video/data-accuracy https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3837.mp4 Data accuracy GDPR Compliance: Accuracy and Up-to-Date Personal Data Overview Under the GDPR regulations, personal data must be accurate and kept up to date: “Personal data shall be accurate and where necessary kept up to date. Every reasonable step needs to be taken to ensure that inaccurate personal data is erased or rectified without delay.” Comparison with the 1998 Data Protection Act Similar to the requirements of the 1998 Data Protection Act, but with a stronger emphasis on the right to rectification for individuals under GDPR. Organisational Responsibilities Organisations should: Accuracy Checks: Have processes to check the accuracy of collected data. Source Verification: Verify the source of the data. Update Procedures: Identify when data needs to be updated and update it as necessary. Recording Mistakes Mistakes in records should be: Clearly Identified: Clearly marked as mistakes. Opinions: Clearly distinguish opinions and any relevant changes to facts. Data Review and Updating Data should be: Periodically Reviewed: Reviewed periodically to ensure fitness for purpose. Contact Information: Information about updating data should be provided in the Privacy Policy. Customer Relations For ongoing relationships: Individual Responsibility: Individuals may be expected to inform organisations of changes, such as a new address. Data Updates: Data should be updated accurately based on information provided by individuals. https://d3imrogdy81qei.cloudfront.net/video_images/6887/Data_accuracy-01.jpg Yes 131 https://www.prodataprotection.co.uk/training/business-managers/video/data-breaches https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3582.mp4 Data Breaches Data Breach Management: Procedures and Responsibilities Understanding Data Breaches It's crucial to comprehend what constitutes a data breach and how to handle it effectively. Definition of a Data Breach A data breach is defined as any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Employee Responsibilities Every employee plays a vital role in promptly addressing and reporting data breaches. Immediate Notification If you become aware of a breach or potential breach of data, notify the designated data protection personnel in your organisation without delay. This enables swift action to mitigate risks. Organisational Procedures Organisations must have robust procedures in place to manage and report data breaches effectively. Reporting to Regulatory Authorities Notification Timeframe: If a breach poses a risk to data subjects, notify the Information Commissioner's Office (ICO) within 72 hours. High-Risk Breaches: Individuals affected by high-risk breaches must also be notified within the same timeframe. Exemptions: Some exemptions apply, such as if the data is rendered unintelligible or if other measures negate the high risk. Required Information for Reporting Nature of the Breach: Describe the breach and the categories of data subjects and records affected. Consequences: Outline the likely consequences of the breach. Contact Information: Provide the name and contact details of the data protection officer or relevant person. Measures Taken: Detail the measures taken or proposed to address the breach and mitigate adverse effects. Internal Breach Register An internal breach register should be maintained to document all personal data breaches, including relevant details and actions taken. This documentation serves to demonstrate compliance to regulatory authorities. https://d3imrogdy81qei.cloudfront.net/video_images/6413/Data_Breaches-01.jpg Yes 160 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-be-informed https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3820.mp4 The right to be informed GDPR Compliance: Providing Information to Individuals Importance of Providing Information Every individual has the right to understand how their personal data is processed and who has access to it. To comply with GDPR regulations, data controllers must furnish individuals with details about their data processing activities. Direct Collection of Data When collecting data directly from an individual: Inform at Time of Collection: Explain the data processing intentions at the point of collection. Methods of Notification: Provide privacy policy information through email links, attachments, or hard copies via post. Indirect Collection of Data If data is collected from another source: Timely Disclosure: Provide privacy policy information either at the first instance of data usage or within one month of obtaining the data. Prior to Disclosure: Ensure information is given to the individual before sharing the data with any other recipient. Components of Privacy Policy Your privacy policy should contain: Organisation Details: Name, contact information, and representative's details. Data Protection Officer: Contact details if appointed. Data Processing Information: Reasons for processing, lawful basis, and legitimate interests (if applicable). Information Sharing: Recipients and categories of shared data. International Transfers: Details of transfers to third countries. Data Retention: Duration of data retention. Individual Rights: Information about rights regarding data processing. Withdrawal of Consent: Procedure for withdrawing consent, particularly relevant for marketing purposes. Complaint Process: How individuals can lodge complaints with supervisory authorities. Automated Decision-making: Existence and details of any automated decision-making or profiling. If data is collected from a third party, details of the source should be provided. Ensuring Accessibility Make individuals aware of your privacy policy by: Placement: Include the policy on your website. Active Notification: Actively inform individuals and provide easy access to the policy. https://d3imrogdy81qei.cloudfront.net/video_images/6947/The_right_to_be_informed-01.jpg Yes 170 https://www.prodataprotection.co.uk/training/business-managers/video/stages-7-to-12-of-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2598.mp4 Stages 7 to 12 of GDPR GDPR Compliance: Stages 7-12 Stage 7 - Consent Review Consent: Assess how consent is sought, obtained, and recorded, ensuring compliance with GDPR requirements. Recording Consent: Maintain effective systems for recording consent to establish an audit trail. Stage 8 - Children Age Verification: Implement systems to verify individuals' ages and obtain parental or guardian consent for data processing. Special Protection: Recognize the GDPR's special protection for children's personal data, requiring parental consent for lawful processing. Stage 9 - Data Breaches Procedures: Establish procedures for detecting, reporting, and investigating personal data breaches. Breach Notification: Comply with GDPR breach notification duties, notifying relevant authorities and affected individuals where necessary. Stage 10 - Data Protection by Design and Data Protection Impact Assessments Guidance Familiarization: Familiarize with ICO guidance on Privacy Impact Assessments (PIAs) and integrate them into organizational processes. Legal Requirement: Recognize GDPR's explicit legal requirement for privacy by design and data minimization. Stage 11 - Data Protection Officers Designation: Designate a Data Protection Officer (DPO) if required, ensuring accountability for data protection compliance. Responsibility Assessment: Assess the placement of the DPO within the organization's structure and governance. Stage 12 - International Supervisory Authority: Determine the relevant data protection supervisory authority for international operations. Further Information: Visit the ICO website for additional resources on GDPR compliance. https://d3imrogdy81qei.cloudfront.net/video_images/5253/Stages_7_to_12_of_GDPR-01.jpg Yes 196 https://www.prodataprotection.co.uk/training/business-managers/video/lawful-fairness-and-transparency https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3834.mp4 Lawful, Fairness and Transparency GDPR Compliance: Lawful Processing, Fairness, and Transparency Lawful Processing Organisations and individuals processing data must have valid grounds, known as Lawful Basis, to process personal data. Six Lawful Basis: Under GDPR, there are six Lawful Basis. If no lawful basis applies, processing data would be unlawful and in breach of GDPR principles. Compliance: Deciding on Lawful Basis for data processing is one of the initial steps to GDPR compliance. Multiple bases may be used for different processing purposes. Fairness Fairness in data processing involves: Collection: Ensure data collection is fair. Misleading or deceiving individuals into providing data is unfair. Expectations: Process personal data in a manner reasonably expected by individuals, avoiding negative effects on them. Transparency Transparency entails: Openness: Be open and honest about data collection, processing, sharing, retention, and purposes. Privacy Policy: Provide comprehensive information in your privacy policy, ensuring clarity and conciseness to uphold individuals' right to be informed. https://d3imrogdy81qei.cloudfront.net/video_images/6883/Lawful__Fairness_and_Transparency-01.jpg Yes 101 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-of-access https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3821.mp4 The right of access - SAR Subject Access Requests: Understanding Your Rights Overview of Subject Access Requests (SAR) Individuals have the right to request confirmation of data processing and access to their personal data, known as a Subject Access Request (SAR). Accessibility of SARs Accessibility: SARs can be made verbally, in writing, or even via social media, without the need for formal terminology. Staff Awareness Training: It's crucial for all staff to recognize SARs and understand the appropriate response process. Organisational Policies Policy Implementation: Establish procedures to record and address SARs, including verbal or in-person requests. Scope of SARs Personal Data: SARs only entitle individuals to their own personal data, not information concerning others, unless authorized. Handling SARs Relating to Children Special considerations apply to SARs regarding data of minors. Child's Rights Child's Entitlement: SARs concerning a child's data should be addressed directly to the child if deemed mature enough to understand. Age and Maturity Assessment Assessment: In Scotland, individuals aged 12 or above are presumed mature enough to exercise their rights. Similar considerations may apply elsewhere. https://d3imrogdy81qei.cloudfront.net/video_images/6867/The_right_of_access_-_SAR-01.jpg Yes 147 https://www.prodataprotection.co.uk/training/business-managers/video/special-category-and-criminal-offence-data https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3868.mp4 Special category and criminal offence data Understanding Special Category Data under GDPR Overview of Special Category Data Special category data, akin to sensitive personal data under the 1998 Data Protection Act, now encompasses genetic and some biometric data under GDPR. Determining Lawful Basis and Conditions When processing special category data, organisations must: Determine lawful basis: Identify the appropriate lawful basis for processing such data. Meet Article 9 conditions: Ensure compliance with the most suitable condition under Article 9 of GDPR. Conditions for Processing Conditions for processing special category data may include: Explicit consent: Obtain explicit consent from the data subject. Other relevant conditions: Explore conditions applicable to public health and interests, if relevant. Processing Criminal Offences Data Processing personal data related to criminal offences or convictions is now governed separately: Legal authority: Require both a lawful basis and legal or official authority for processing such data. Compliance with Article 10: Adhere to Article 10 regulations for processing criminal data. Additional Resources For detailed guidance and further information: Visit the ICO website: www.ico.org.uk https://d3imrogdy81qei.cloudfront.net/video_images/6945/Special_category_and_criminal_offence_data-01.jpg Yes 143 https://www.prodataprotection.co.uk/training/business-managers/video/text-and-phone-scams https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2595.mp4 Text and phone scams Protecting Against Vishing and Smishing Scams The Rise of Vishing and Smishing New Threats: Criminals are increasingly using texts and phone calls to perpetrate theft and fraud, exploiting vulnerabilities in communication channels. Understanding Vishing and Smishing Vishing: Also known as Phone Call Phishing, vishing involves fraudulent calls aimed at inducing recipients to make payments or disclose financial details under false pretences. Smishing: Short for Text Phishing, smishing employs text messages to lure recipients into clicking malicious links, allowing Trojans to steal sensitive data, including passwords. The Modus Operandi Cost-Effective Tactics: Vishing and smishing require minimal technical expertise and are often conducted as high-volume campaigns using automated dialling systems and broadband connections. Fear Tactics: These scams typically exploit fear-based responses, such as alarming victims about bank fraud, then soliciting detailed card information in response. Rise of Smishing: Smishing is gaining traction due to the surge in text banking and the vulnerability of individuals unaccustomed to receiving spam texts, often urging urgent action to facilitate data theft. Protective Measures Increasing Awareness: Educate individuals about the potential risks associated with vishing and smishing, empowering them to recognise suspicious texts and calls. Exercise Caution: Never feel pressured to make hasty decisions in response to urgent requests, especially in unfamiliar or unexpected communications. Stay Vigilant: Refrain from clicking on links in texts from unknown sources, particularly if unsolicited or unexpected. https://d3imrogdy81qei.cloudfront.net/video_images/4919/Text_and_phone_scams-01.jpg Yes 88 https://www.prodataprotection.co.uk/training/business-managers/video/business-email-compromise https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2594.mp4 Business Email Compromise Protecting Your Business from Email Compromise Fraud Understanding Business Email Compromise New Threat: Business Email Compromise (BEC), also known as CEO or Chairman Fraud, poses significant risks, particularly for small and medium-sized businesses. How BEC Works Fraudulent Scheme: Fraudsters target businesses by sending deceptive emails to the payment department, often impersonating contractors or suppliers and requesting payment redirection to new accounts. Impersonation Tactics: Fraudulent emails closely resemble legitimate addresses or are sent from compromised accounts, making detection challenging. CEO Impersonation: In some cases, scammers impersonate CEOs, instructing payment department staff to set up beneficiaries and authorize payments, leading to financial losses when the fraud is discovered. Preventing Business Email Compromise Key Strategies: Implement proactive measures to safeguard against BEC fraud and mitigate potential financial losses. Verify Changes: Never implement payment changes based solely on email instructions; always verify changes through a two-step verification process. Two-Step Verification: Establish a two-step payment verification process where changes to bank details are confirmed via telephone or formal letter. Verify Email Addresses: Always scrutinize email addresses and avoid making assumptions about sender authenticity. https://d3imrogdy81qei.cloudfront.net/video_images/4915/Business_Email_Compromise-01.jpg Yes 93 https://www.prodataprotection.co.uk/training/business-managers/video/roles-within-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3581.mp4 Roles within GDPR Data Protection Officer, Controller, and Processor: Overview Data Protection Officer (DPO) Role: The Data Protection Officer oversees GDPR compliance. Requirement: Small organizations handling minimal data may not need to appoint a DPO. Appointment Criteria: A DPO is necessary if: You are a public authority. You conduct large-scale systematic monitoring of individuals. You process large-scale special categories of data. Responsibilities: Hold relevant qualifications and detailed GDPR knowledge. Report to top management and be fully involved in data protection matters. Cannot be penalized for carrying out their duties. Data Controller Definition: The entity determining the purposes and means of data processing. Examples: Individuals, organizations, companies, agencies, or public authorities. Data Processor Definition: The entity processing personal data on behalf of the controller. Examples: Individuals, organizations, companies, agencies, or public authorities. Role: Processes data without decision-making authority. Examples: Accountants handling payroll, online service providers like Salesforce. Distinguishing Factor: Processors do not control or make decisions about the data they process. Entities can fulfill both controller and processor roles, depending on the context. https://d3imrogdy81qei.cloudfront.net/video_images/6401/Roles_within_GDPR-01.jpg Yes 132 https://www.prodataprotection.co.uk/training/business-managers/video/storage-limitation https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3838.mp4 Storage limitation Storage Limitation: GDPR Privacy Principle Overview The fifth privacy principle, known as Storage Limitation, states: “Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Compliance Requirements To comply with this principle: Reasonable Retention: Personal data should not be kept longer than necessary. Justification: Reasons for retaining data must be justified based on processing purposes. Retention Policy: Establish standard retention periods for different processing activities. Periodic Review: Review data periodically to ensure compliance. Data Erasure and Anonymisation Ensure: Erasure: Data is erased or anonymised when no longer needed. Subject Requests: Processes are in place to handle requests for erasure. Benefits of Timely Data Management Timely management: Reduced Risks: Reduces risks of data becoming inaccurate, excessive, or irrelevant. Lawful Basis: Ensures compliance with lawful basis for data retention. Cost and Security: Reduces storage costs and potential security risks. Information Provision Include in Privacy Policy: Retention Periods: Information about how long personal data will be retained. Examples: Provide examples of retention periods based on data types. Importance of Retention Policy Even for small organisations: Documentation: Establish a clear retention policy for data management. Review and Justification: Helps review and justify data retention practices. https://d3imrogdy81qei.cloudfront.net/video_images/6891/storage_limitation-01.jpg Yes 134 https://www.prodataprotection.co.uk/training/business-managers/video/data-subject-and-personal-data-under-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3588.mp4 Data Subject and Personal Data under GDPR Data Protection and GDPR: Understanding Data Subjects and Processing Introduction A data subject refers to a living individual who can be directly or indirectly identified by specific information. This definition has evolved to accommodate technological advancements. Identifying Data Subjects An online identifier, such as an IP address, cookie identifiers, RFID tags, or MAC addresses, when combined with unique identifiers and other server-received information, can create individual profiles and facilitate identification. Personal Data under GDPR Under GDPR, personal data encompasses any information pertaining to an identified or identifiable person. This includes their name, address, social media posts, photographs, email addresses, medical records, banking details, online identifiers, or computer IP addresses. If the data being processed can uniquely identify an individual, it qualifies as personal data. This is often evident when possessing their name and address, corporate email address containing their full name, or similar identifying information. Further guidance on identifying individuals is available on the Information Commissioner's website. Sensitive Personal Data GDPR also recognizes sensitive personal data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union memberships, medical conditions, and information regarding criminal convictions or offences. This category requires heightened protection. Understanding Processing under GDPR Processing, as defined under GDPR, encompasses any action performed on personal data, whether manual or automated. This includes data collection, storage, and deletion. Merely storing data without active manipulation still qualifies as processing under GDPR regulations. https://d3imrogdy81qei.cloudfront.net/video_images/6407/Data_Subject_and_Personal_Data_under_GDPR-01.jpg Yes 140 https://www.prodataprotection.co.uk/training/business-managers/video/minimising-risks-and-holding-data-securely https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3584.mp4 Minimising risks and holding data securely Minimising Risks to Data: Best Practices Introduction Protecting data integrity is crucial for all organisations. Implementing best practices reduces the risk of data breaches and ensures compliance with regulations. Key Strategies 1. Clear Desk Policies Secure Storage: Personal data should be locked away securely when not in use. Restricted Access: Limit access to personal data to authorised employees only. 2. Computer Security Lock Workstations: Always lock your computer when leaving your workstation. Suspicious Emails: Report any suspicious emails to the IT department immediately. 3. Data Destruction Policy Compliance: Ensure data destruction follows company policies. 4. Device Security Safe Storage: Keep business devices secure and implement adequate security measures. Prevent Unauthorised Access: Never leave devices unattended. 5. Password Management Confidentiality: Avoid sharing passwords with colleagues. Security: Do not write down passwords where they can be easily accessed. 6. Email Considerations Forwarding Limitation: Limit the forwarding of emails, especially containing personal data. Data Verification: Ensure correct recipients are selected and sensitive data is not included in emails. 7. Policy Adherence Compliance: Always adhere to employer policies regarding data processing and email usage. Respect: Treat personal data with utmost respect and consider its protection as you would want for your own data. Data Destruction Policies All organisations must have robust policies for securely destroying data, whether through cross shredding or certified shredding services for obsolete documents. https://d3imrogdy81qei.cloudfront.net/video_images/6411/Minimising_risks_and_holding_data_securely-01.jpg Yes 122 https://www.prodataprotection.co.uk/training/business-managers/video/legal-obligation https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3817.mp4 Legal obligation, Vital Interests and Public Task Legal Bases for Data Processing 1. Legal Obligation Definition: Legal obligation arises when processing personal data is necessary to comply with the law. Examples: Processing employee salary details for HMRC or complying with court orders. Limitations: Individuals have no right to erasure, data portability, or the right to object when processing under legal obligation. 2. Vital Interests Application: Relevant mainly to health data, vital interests come into play when processing is necessary to protect someone's life. Consideration: If less intrusive means are available to protect vital interests, this basis may not apply. Restriction: Not suitable for health data if the individual can provide consent, even if consent is refused. 3. Public Task Relevance: Pertinent to public authorities or organizations exercising official authority or public interest tasks. Criteria: The underlying task must have a clear legal basis. Example: Private Water Companies may qualify if they carry out public administration functions with legal powers. https://d3imrogdy81qei.cloudfront.net/video_images/6863/Legal_obligation__Vital_Interests_and_Public_Task-01.jpg Yes 107 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-restrict-processing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3824.mp4 The right to restrict processing Understanding Right to Restrict Processing Overview The right to restrict processing allows individuals to control how organisations use their data. Conditions for Restricting Processing Alternative to Erasure: Individuals can choose to restrict processing instead of requesting data erasure. Limitation: Organisations can store data but cannot process it further without consent, except in specific circumstances. Notification: If data is shared with another organisation, they must be informed of the restriction. Refusal of Restriction If an organisation wishes to refuse to comply with a restriction request: Justification: The request must be proven to be manifestly unfounded or excessive, considering its repetitiveness. Reasonable Fee: A fee can be requested to process the request, or the request can be refused, with justification provided. The relevant individual must be informed of the reasons for not taking action, allowing them to lodge a complaint with the ICO or another supervisory authority. https://d3imrogdy81qei.cloudfront.net/video_images/6873/The_right_to_restrict_processing-01.jpg Yes 102 https://www.prodataprotection.co.uk/training/business-managers/video/does-gdpr-apply-to-me https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3580.mp4 Does GDPR apply to me Understanding GDPR Rights for Employees and Individuals GDPR Rights for Employees Under GDPR, every individual, including employees, is covered by data protection regulations. As an employee, your employer holds your personal data, granting you the same rights as any other data subject. Employee Responsibility As an employee, you also bear responsibility to ensure that you do not contribute to any breach of personal data within your organisation. Data security measures will be discussed further in the course. GDPR Rights for Individuals GDPR provides individuals with enhanced rights, including: The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights in relation to automated decision making and profiling These rights empower individuals to: Be informed about the collection and usage of their data Request access to their personal data held by an organisation Providing Information Organisations must provide clear, concise information about data collection and usage, typically outlined in a privacy policy. This information should be easily accessible through various means, such as email attachments, printed notices, or website privacy policies. Individuals can request information from organisations regarding their personal data, granting them greater control over its processing. https://d3imrogdy81qei.cloudfront.net/video_images/6399/Does_GDPR_apply_to_me-01.jpg Yes 102 https://www.prodataprotection.co.uk/training/business-managers/video/data-protection-impact-assessment https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3866.mp4 Data protection impact assessment Data Protection Impact Assessment (DPIA) Explained Understanding DPIA A Data Protection Impact Assessment (DPIA) is a crucial process aimed at identifying and mitigating data protection risks associated with a project. When to Conduct a DPIA Organizations should perform a DPIA for processing activities likely to pose a high risk to individuals, including: Systematic and extensive profiling Automated decision-making for significant decisions Processing special category or criminal offence data on a large scale Utilizing new technologies Additional instances requiring a DPIA may include: Processing biometric data Combining, comparing, or matching data from various sources Implementing automated decision-making systems Legal Requirement Privacy by design and data minimization are now explicitly mandated by the GDPR, aligning with existing data protection principles. https://d3imrogdy81qei.cloudfront.net/video_images/6943/Data_protection_impact_assessment-01.jpg Yes 83 https://www.prodataprotection.co.uk/training/business-managers/video/legitimate-interests https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3818.mp4 Legitimate interests Legitimate Interests in Data Processing Understanding Legitimate Interests Overview: Legitimate interests is a flexible lawful basis for processing, but it may not always be the ideal choice. Appropriateness: It's suitable when using personal data in ways individuals would expect with minimal privacy risks. Conducting a Balancing Test Procedure: Before opting for Legitimate interests, conduct a balancing test to ensure your interests don’t override those of the individual. Resource: Access a Legitimate Interest Assessment document in the course's download area. Application Areas Examples: The GDPR cites client or employee data, marketing, fraud prevention, IT security, and intra-group transfers as potential legitimate interests. Reminder: Individuals always retain the right to object to marketing activities. Considerations for Marketing Criteria: Legitimate interests for marketing require showing proportionate use of personal data with minimal privacy impact. Guidance: If potential objections are likely, consider an alternative lawful basis for marketing. Compliance Reminder Regulatory Compliance: Ensure compliance with Privacy and Electronic Communications Regulations even when using Legitimate Interests for marketing. Documentation: Document decisions and complete a legitimate interest assessment for processing activities. https://d3imrogdy81qei.cloudfront.net/video_images/6865/Legitimate_interests-01.jpg Yes 119 https://www.prodataprotection.co.uk/training/business-managers/video/phishing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2592.mp4 Phishing and Malware Protect Yourself from Phishing and Malware Attacks Understanding Phishing Email Deception: Phishing schemes utilize deceptive emails, often appearing genuine, to trick recipients into opening attachments or clicking on links. Phishing Attachments Disguised Content: Phishing emails may contain attachments disguised as invoices or delivery notices, often created with Microsoft Word or Excel, containing malicious "Macros" that download malware upon execution. Link-Based Phishing Exploitative Links: Clicking on links in phishing emails can lead to seemingly legitimate websites exploiting computer vulnerabilities or tricking users into disclosing personal information. Targeted Attacks Sophisticated Strategies: Some attackers conduct directed attacks, researching recipients' information to tailor phishing attempts, while others cast a wide net to ensnare as many victims as possible. Recognizing and Preventing Malware Understanding Malicious Software: Malware can damage data, steal information, and hijack internet activity, remaining undetected for extended periods. Signs of Malware Presence Hidden Threats: Malware can operate covertly, compromising data, spying on activities, and intercepting internet banking sessions, posing significant risks to individuals and businesses alike. Risks to Businesses Theft or Encryption of Sensitive Data Hardware Damage Internet Banking Fraud Financial Loss Protective Measures Implementing Security Measures: Employ robust antivirus software, keep systems updated, and educate staff on identifying and avoiding suspicious attachments and links. Use reputable antivirus software and keep it updated Avoid opening dubious attachments or links Avoid downloading software from unknown sources Restrict access to necessary internet sites Limit use of external devices in the business environment Control employee access to financial data Establish strong recovery and backup processes Train staff to recognize and avoid risky online behavior Implement password security measures https://d3imrogdy81qei.cloudfront.net/video_images/4917/Phishing_and_Malware-01.jpg Yes 235 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-data-portability https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3825.mp4 The right to data portability Understanding Right to Data Portability Overview The right to data portability enables individuals to access and reuse their personal data across different services. Benefits This right allows individuals to: Transfer Data: Move, copy, or transfer personal data securely and conveniently between IT systems. Retain Usability: Ensure that data remains usable after being transferred to another environment. Conditions The right to data portability applies under the following conditions: Individual's Provided Data: Applies to information provided directly by the individual to the controller. Lawful Basis: Relevant when the organization's lawful basis is consent or for the performance of a contract. Automated Processing: Applicable when processing is carried out by automated means. https://d3imrogdy81qei.cloudfront.net/video_images/6877/The_right_to_data_portability-01.jpg Yes 55 https://www.prodataprotection.co.uk/training/business-managers/video/the-rights-in-relation-to-automated-decision-making https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3827.mp4 The rights in relation to automated decision making Understanding GDPR Provisions on Automated Decision-Making Overview GDPR regulates automated decision-making and profiling, ensuring transparency and fairness in data processing. Automated Decision-Making Automated decision-making involves: Definition: Decisions made solely by automated means without human intervention. Examples: Online loan approvals, recruitment aptitude tests. GDPR Compliance Automated decision-making is allowed only under specific circumstances: Necessity: For contract entry, explicit consent, or legal authorization. Responsibilities Organizations conducting automated decision-making must: Transparency: Inform individuals about the processing and their rights. Human Intervention: Allow individuals to request human intervention or challenge decisions. Regular Checks: Ensure system accuracy and functionality through regular assessments. Data Protection Impact Assessment (DPIA) Due to the high risk, organizations must conduct a DPIA: Risk Assessment: Identify and address risks associated with automated decision-making. Privacy Statement All relevant information should be included in the privacy policy: Inclusion: Specify details of processing and lawful basis in the privacy statement. Compliance: Ensure alignment with GDPR privacy principles. https://d3imrogdy81qei.cloudfront.net/video_images/6879/Automated_decision_making-01.jpg Yes 113 https://www.prodataprotection.co.uk/training/business-managers/video/freedom-of-information-act-2000 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1090.mp4 The Freedom of Information Act 2000 Understanding the Freedom of Information Act 2000 The Freedom of Information Act 2000 (FOIA) is a significant piece of legislation in the United Kingdom that allows the public to access information held by public authorities. This article delves into the objectives and coverage of the Act and explains how it promotes transparency and accountability in public bodies. Objectives of the FOIA The primary aim of the FOIA is to foster openness and trust between public authorities and the public. The access to information held by these bodies enables the public to hold them accountable for their decisions and actions, as these often impact taxpayers and significantly influence their lives. The disclosure of official data also bolsters public debate, making it more informed and constructive. Coverage of the Act The FOIA mandates public authorities to publish specific details about their operations. This includes government departments, local authorities, the NHS, state schools, and police forces. However, the Act doesn't necessarily cover all organisations funded by public money, such as certain charities receiving grants and private sector organisations carrying out public duties. Under the Act, recorded information encompasses various formats like printed documents, computer files, emails, photos, sound and video recordings. Notably, the Act does not extend to personal data, such as health records or credit reference files. For individuals wishing to access such personal data held by public authorities, a subject access request must be made under the Data Protection Act 1998. Special Provisions for Scotland While the FOIA covers England, Wales, and Northern Ireland, and UK-wide public authorities based in Scotland, information held by Scottish public authorities falls under the purview of Scotland's own Freedom of Information Scotland Act 2002. Public Right to Request Information The FOIA asserts the public's right to request information, and this privilege is not limited to UK residents. If a person believes that a public authority holds certain information, they may send a freedom of information request to that authority. Interestingly, the person requesting the information doesn't need to provide a reason for their inquiry. In fact, it's the public authority that must justify any refusal to disclose the requested information. Limitations and Exemptions While promoting transparency, the Act also recognises the need for certain information to be kept confidential. These exemptions are defined in the Act and require a valid reason for withholding the information. It's also important to note that the Act doesn't prevent public authorities from voluntarily providing information to individuals outside the provisions of the Act. Response to Information Requests Upon receiving an information request, it's the public authority's responsibility to respond accordingly. The FOIA mandates these authorities to not only reply to requests but also to proactively publish certain information. This coverage extends to all recorded information held by public authorities, including drafts, emails, notes, telephone conversation recordings, CCTV footage, and even letters from the public. The Impact of the FOIA on Public Trust A report by the Information Commissioner's Office in 2016 indicated that 85% of the public considered the FOIA vital for holding public authorities to account, with 76% believing it had boosted transparency in public organisations. Ultimately, the main principle behind the freedom of information legislation is that people should be informed about public authorities' activities unless there's a valid reason to keep them in the dark. https://d3imrogdy81qei.cloudfront.net/video_images/1999/Freedom_of_information_act-01.jpg Yes 239 https://www.prodataprotection.co.uk/training/business-managers/video/who-holds-personal-information https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1017.mp4 Who holds personal information Data Protection: Understanding the Importance of Personal Data Regulation Introduction From the earliest stages of life, various organisations and bodies collect data about individuals. This information is gathered from a wide array of sources, including: Airlines Banks Car repairers Schools Doctors Clubs and associations Credit card providers Dentists Estate agents Gas and electric companies Hospitals Inland revenue Insurance companies Employers Supermarkets And many more While much of the information held about individuals is considered highly confidential, it is essential to control and regulate personal data to prevent unwanted disclosures and safeguard privacy. The Data Protection Act The Data Protection Act establishes a framework of rights and duties aimed at safeguarding the collection and usage of personal data by organisations. It ensures a balance between business needs and individual privacy rights, prohibiting the release or sharing of personal information without prior consent. Under the Act, data refers to information collected or intended to be held on a computer, including data recorded on paper for computer input or held in a structured format, such as part of a filing system. This encompasses various records, including health, education, housing, and social services. Types of Data The Data Protection Act categorises data into two main types: Personal Data: Information from which an individual can be identified, including opinions and intentions regarding the individual. Sensitive Data: Personal data containing sensitive information, such as racial or ethnic origin, religious beliefs, political opinions, trade union membership, physical or mental health, or sexual life. Sensitive data receives increased legal protection under the Act, with specific obligations outlined for its handling and processing. https://d3imrogdy81qei.cloudfront.net/video_images/2001/Who_holds_personal_information-01.jpg Yes 119 https://www.prodataprotection.co.uk/training/business-managers/video/data-minimisation https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3836.mp4 Data minimisation GDPR Compliance: Principle of Data Minimisation Overview The principle of data minimisation states: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Comparison with the 1998 Data Protection Act Similar to the third principle of adequacy in the 1998 Data Protection Act. Key Differences under GDPR Under GDPR: Demonstration: Must demonstrate appropriate processes to collect only necessary data. Assessment: Assess data held to determine necessity for processing. Unlawful Holding: Holding unnecessary data for longer than necessary may be unlawful. Compliance Guidelines Guidelines for compliance: Assessment: Assess data held to ensure relevance to processing purposes. Collection: Only collect data necessary for processing purposes. Justification: Justify each type of data processed to ensure necessity. Accountability Failure to demonstrate assessment of minimum necessary data may breach the accountability principle. Conclusion Ensure compliance by: Request: Do not request unnecessary information. Documentation: Make a list of processed data and justify each type. https://d3imrogdy81qei.cloudfront.net/video_images/6885/Data_minimisation-01.jpg Yes 87 https://www.prodataprotection.co.uk/training/business-managers/video/public-authoritys-and-freedom-of-information https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/1091.mp4 Public authorities and Freedom Of Information Understanding the Freedom of Information Act: Obligations and Guidelines Introduction The Freedom of Information Act mandates every public authority to develop a publication scheme approved by the Information Commissioner's Office (ICO) and to disclose information covered by the scheme. This scheme outlines the authority's commitments to routinely provide specific categories of information, including policies, minutes of meetings, annual reports, and financial data. Publication Scheme The publication scheme represents the minimum amount of information that must be disclosed by public authorities. If a member of the public requests information not listed in the scheme, they have the right to ask for it. Most public authorities make their publication scheme available on their websites under the freedom of information. Codes of Practice There are two codes of practice associated with the Freedom of Information Act: Section 45 Code of Practice: Provides recommendations for public authorities on handling requests, offering advice and assistance, implementing complaints procedures, and managing relationships with other public bodies or third parties. Section 46 Code of Practice: Covers good record management practices, emphasizing the obligation of public authorities to maintain organized records in compliance with the Public Records Act. While these codes are not legally binding, failure to adhere to them may result in breaches of the act. Public authorities must ensure that their staff, contractors, and customers understand how the act affects them. Compliance with Other Laws The Freedom of Information Act may intersect with other legislation, such as the Data Protection Act and laws like the Disability Discrimination Act 1995 and the Welsh Language Act 1999. When handling requests for information containing personal data, the balance between transparency under the Freedom of Information Act and privacy rights under the Data Protection Act must be carefully considered. Additional Guidance Detailed guidance on compliance with the Freedom of Information Act and related laws can be found on the Information Commissioner's Office website, providing comprehensive support for public authorities. https://d3imrogdy81qei.cloudfront.net/video_images/1991/Public_authorities_and_Freedom_Of_Information-01.jpg Yes 152 https://www.prodataprotection.co.uk/training/business-managers/video/purpose-limitation https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3835.mp4 Purpose limitation GDPR Compliance: Principle of Purpose Limitation Specify Purposes Clearly To comply with the principle of purpose limitation, you must: Specify: Clearly state why you are collecting personal data and what you will do with it. Accuracy: Ensure the information provided is accurate. Compatibility: Process data only in compatible ways. Privacy Policy Transparency Key points regarding purpose limitation in your privacy policy: Clarity: Clearly outline purposes in your privacy policy. Accessibility: Provide easy access to this information on your website and in email correspondence. GDPR Regulations The GDPR Regulations state: “Personal data must be collected for specified explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes.” Building Trust and Accountability Clearly setting out purposes: Accountability: Helps meet accountability requirements. Trust: Builds trust with individuals. Decision-making: Allows individuals to decide if they consent to data processing. Using Data for Different Purposes Considerations when using data for different purposes: Expectations: Evaluate if the individual would expect their data to be used for the new purpose. Sensitive Data: Assess potential consequences, especially for sensitive data. Obtaining Consent If in doubt: Consent: Obtain specific consent from the individual before using or disclosing their data for other purposes. https://d3imrogdy81qei.cloudfront.net/video_images/6893/Purpose_limitation-01.jpg Yes 108 https://www.prodataprotection.co.uk/training/business-managers/video/the-principles-and-lawful-basis-for-processing https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3587.mp4 Lawful Basis for Processing Lawful Bases for Data Processing under GDPR Introduction Under the General Data Protection Regulations (GDPR), organisations must identify lawful bases for data processing. Importance of Lawful Bases Requirement: All organisations must identify lawful bases to process data. Consequence: Without a lawful basis, data cannot be processed lawfully. Inclusion: Lawful bases should be stated in the organisation's privacy policy. Six Lawful Bases Consent: Individuals have control over their data and can withdraw consent at any time. Contract: Data processing is limited to fulfilling contractual obligations. Legal Obligation: Data processing is necessary to comply with the law. Vital Interest: Processing is necessary to protect someone's life. Public Task: Processing is carried out in the public interest by public authorities. Legitimate Interest: Flexible basis but must balance interests and privacy risks. Elaboration on Lawful Bases Consent Allows individuals control over their data; can withdraw consent at any time. Contract Data processing is limited to fulfilling contractual obligations. Legal Obligation Necessary processing to comply with legal requirements. Vital Interest Processing necessary to protect lives, especially in health-related cases. Public Task Processing carried out by public authorities in the public interest. Legitimate Interest Flexible basis requiring balance between interests and privacy risks. Organisations must conduct legitimate interest assessments and document decisions. https://d3imrogdy81qei.cloudfront.net/video_images/6417/Lawful_Basis_for_Processing-01.jpg Yes 179 https://www.prodataprotection.co.uk/training/business-managers/video/cybercrime https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2591.mp4 Cybercrime Cybercrime Awareness: Protect Yourself Online The Threat of Cybercrime Understanding the Risk: Explore how cybercriminals target individuals and organisations online. Wide Range of Targets Diverse Victims: Cybercrime poses a threat to both businesses and private individuals, leading to potential reputation damage, financial loss, or data extortion. Varying Levels of Expertise Criminal Proficiency: Cybercriminals range from those with basic technical skills to highly sophisticated operators. Rise of Online Tools Technological Evolution: Accessible tools in online criminal marketplaces facilitate the growth and evolution of cybercrime. Impact in the UK National Statistics: Over one million cybercrime cases were reported to Action Fraud in the UK last year. Types of Cyber Attacks Recognizing Threats: Learn about common cyber threats such as phishing, ransomware, malware, and their potential consequences. Increasing Ransomware Attacks Ransomware Threat: Data is seized and held for ransom, with criminals often threatening to publish sensitive information or block access to vital data. Protective Measures Preventing Victimisation: Discover strategies to mitigate the risk of falling victim to cybercrime. https://d3imrogdy81qei.cloudfront.net/video_images/4913/Cybercrime-01.jpg Yes 77 https://www.prodataprotection.co.uk/training/business-managers/video/stages-1-to-6-of-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/2597.mp4 Stages 1 to 6 of GDPR GDPR Compliance: 12-Step Process Stage 1 - Awareness Key Considerations: Ensure all key personnel understand GDPR implications. Stage 2 - Information You Hold Documentation: Document data sources, sharing, and accuracy for accountability. Stage 3 - Communicating Privacy Information Review Notices: Review and update privacy notices for GDPR compliance. Stage 4 - Individuals Rights Procedures: Ensure procedures cover individual rights, including data deletion and format provision. Main Rights: Subject access, correction of inaccuracies, data erasure, prevention of direct marketing, prevention of automated decision making. Stage 5 - Subject Access Requests Changes: Be aware of changes to subject access request rules under GDPR. Handling: Handle requests promptly within the one-month timeframe. Refusal Criteria: Manifestly unfounded or excessive requests can be charged for or refused. Stage 6 - Legal Basis for Processing Personal Data Identify: Identify and document legal basis for data processing activities. Privacy Notice: Explain legal basis in privacy notices and responses to access requests. https://d3imrogdy81qei.cloudfront.net/video_images/5255/Stages_1_to_6_of_GDPR-01.jpg Yes 232 https://www.prodataprotection.co.uk/training/business-managers/video/what-to-do-when-you-receive-a-sar-2 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3936.mp4 What to do when you receive a SAR Subject Access Request Policy Importance of Policies and Processes Record Keeping: Having policies and written processes in place aids in handling subject access requests (SARs). Employee Awareness: Ensure all employees are trained to recognize SARs and report them promptly to the relevant department. Handling SARs Request Fulfilment: Individuals have the right to confirmation of data processing and a copy of their data, along with any supplementary information. Request Logging: Maintain a log of all SARs, especially verbal or in-person requests, including the data requested. Verification: If unsure of the requester's identity, ask for necessary information to confirm their identity, but avoid unnecessary delays. Response Procedures Response Time: Respond to SARs within one calendar month; many organizations aim to respond within 28 days to ensure compliance regardless of the month's length. Fee Policy: Do not charge a fee for responding to SARs unless justified as a reasonable administrative cost. Refusal or Delay: Refrain from refusing or delaying SARs unless they are repeated, manifestly unfounded, or excessive. Communication with Data Subjects Informing Data Subjects: Notify data subjects of any decision to charge a fee, refuse, or delay their SAR, and inform them of their right to lodge a complaint with the ICO. https://d3imrogdy81qei.cloudfront.net/video_images/7081/What_to_do_when_you_receive_a_SAR-01.jpg Yes 178 https://www.prodataprotection.co.uk/training/business-managers/video/sars---data-relating-to-others- https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3935.mp4 SARS - Data relating to others Handling Third-Party Data Requests Consent for Third-Party Data Obtaining Consent: If the individual's data includes third-party personal data, consent from the third party is necessary before providing the data. Anonymisation Option: Alternatively, if it's impossible for the requester to identify the third party from the provided information, anonymising the data by removing identifying details is an option. Exceptions for Employee Requests Special Case of Employees: In scenarios like an employee requesting data where they recognize a third party (e.g., their line manager), if consent from the third party is not granted, the data cannot be provided. Requests Made on Behalf of Others Permission Requirement: If individuals make requests on behalf of others, ensure they have obtained permission from the individual whose data is requested. This could be in the form of written authority or a general power of attorney. Sensitive Data Handling: If the data is sensitive, consider responding directly to the data subject themselves. https://d3imrogdy81qei.cloudfront.net/video_images/7079/SARS_-_Data_relating_to_others-01.jpg Yes 69 https://www.prodataprotection.co.uk/training/business-managers/video/sar-information-you-should-provide2 https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3934.mp4 SAR-Information you should provide Data Access Request Process Confirmation of Data Access Request Step 1: Upon receiving the request and confirming the individual's identity, provide them with confirmation that their personal data is being processed. Providing Copies of Personal Data Step 2: Furnish the individual with copies of their own personal data. They are only entitled to their data, not others', unless they provide appropriate proof. Supplementary Information Step 3: Include supplementary information such as the purpose of processing, categories of personal data, data retention duration, and other details from your privacy policy. Clarity and Consistency Step 4: Ensure the information provided is clear, concise, and in the requested format. Remote electronic access, preferred by the ICO, is deemed most suitable. https://d3imrogdy81qei.cloudfront.net/video_images/7077/SAR-Information_you_should_provide-01.jpg Yes 61 https://www.prodataprotection.co.uk/training/business-managers/video/invoice-fraud https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/4189.mp4 Invoice fraud Invoice Fraud Prevention Understanding Invoice Fraud New Form of Crime: Invoice fraud poses a data protection risk and is increasingly prevalent. Methods: Fraudsters send fake invoices or manipulate existing business relationships to redirect payments. Risk Factors Universal Threat: All businesses, regardless of size, are susceptible to invoice fraud. Email Risks: Email addresses can be altered, leading to unintentional data transfers to fraudsters. Preventive Measures Vigilance: Employees handling invoices should meticulously scrutinize for irregularities. Verification: Changes to supplier financial details must be verified through established channels. Payment Confirmation: Notify suppliers of payment details to confirm transactions. Bank Statement Review: Regularly monitor bank statements for suspicious activity and report promptly. Validation: When in doubt, verify requests using official contact details to confirm authenticity. Online Presence: Assess the necessity of publicly available supplier information to reduce exposure. Additional Resources For further information and guidance on preventing invoice fraud, refer to HSBC's resources available here. https://d3imrogdy81qei.cloudfront.net/video_images/7513/Invoice_fraud-01.jpg Yes 160 https://www.prodataprotection.co.uk/training/business-managers/video/keeping-on-with-gdpr https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3695.mp4 Keeping on with GDPR Staying Compliant with GDPR: Best Practices Continuous Compliance Keeping Up with Changes: Regularly update your knowledge of GDPR regulations through the ICO website. Responsibility for Implementation: It's the duty of the data protection lead to ensure that any changes or amendments are applied. Monitoring and Review Retention Policy Compliance: Regularly review and monitor data to ensure adherence to retention policies stated in your privacy policy. Data Accuracy: Monitor and update regularly held data to maintain accuracy and relevance. Privacy Policy Updates: Update your privacy policy to reflect any new processing activities or business expansions. Documentation: Maintain copies of previous privacy policy versions for reference. Internal Reviews Data Breach Records: Review internal data breach records to identify areas for improved training or policy changes to mitigate risks. Unsubscribe Monitoring: Monitor unsubscribe data to refine marketing strategies and enhance customer retention efforts. GDPR and Business Practices Valuable Business Tool: GDPR can aid in improving customer relationships and enhancing business practices. Common Misconceptions: Dispel fears of hefty fines by understanding that compliance is achievable with proper knowledge and effort. Understanding Fines and Resources Reality of Fines: Fines are typically imposed for major data breaches, not minor infractions. ICO Assistance: Utilize resources like the ICO small business helpline and website for guidance and information. Compliance is Key: Prioritize compliance by following best practices and treating personal data with respect and responsibility. https://d3imrogdy81qei.cloudfront.net/video_images/6627/Keeping_on_with_GDPR-01.jpg Yes 334 https://www.prodataprotection.co.uk/training/business-managers/video/the-right-to-object https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3826.mp4 The right to object Understanding Right to Object under GDPR Overview All individuals possess the right to object under the GDPR, with specific conditions and considerations. Direct Marketing Objection to data usage for direct marketing is an absolute right: Mode of Objection: Verbal or written objection is acceptable. Response Time: Organizations must respond within one month of receiving the objection. Recognizing and Handling Objections It's crucial for organizations to: Recognize Objections: Implement policies to identify and understand objections. Dealing with Objections: Have procedures in place to address objections effectively. Refusal of Objections In some cases, objections may be refused if: Compelling Reason: There exists a compelling reason to reject the objection, with proper justification provided. Considerations When processing data for legitimate interests or public tasks: Weight of Objection: Consider the impact on the individual, especially if substantial damage or distress is claimed. Balance of Interests: Balance individual rights with organizational interests before making a decision. Communication and Resolution If objection refusal occurs: Inform Individual: Provide clear explanation for refusal and inform them of their rights to complaint and judicial remedy. Special Consideration for Direct Marketing For direct marketing objections: Suppression List: Consider adding individual's information to a suppression list to respect objection while maintaining compliance. https://d3imrogdy81qei.cloudfront.net/video_images/6875/The_right_to_object-01.jpg Yes 140 https://www.prodataprotection.co.uk/training/business-managers/video/course-summary- https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/4803.mp4 Course Summary Completing Your Course and Taking the Test with ProTrainings Congratulations on completing your course! Before taking the test, review the student resources section and refresh your skills. Student Resources Section Free student manual: Download your manual and other resources. Additional links: Find helpful websites to support your training. Eight-month access: Revisit the course and view any new videos added. Preparing for the Course Test Before starting the test, you can: Review the videos Read through documents and links in the student resources section Course Test Guidelines No time limit: Take the test at your own pace, but complete it in one sitting. Question format: Choose from four answers or true/false questions. Adaptive testing: Unique questions for each student, with required section passes. Retake option: Review materials and retake the test if needed. After Passing the Test Once you pass the test, you can: Print your completion certificate Print your Certified CPD statement Print the evidence-based learning statement Additional ProTrainings Courses ProTrainings offers: Over 350 courses at regional training centres or your workplace Remote virtual courses with live instructors Over 300 video online and blended courses Contact us at 01206 805359 or email support@protrainings.uk for assistance or group training solutions. Thank you for choosing ProTrainings and good luck with your test! https://d3imrogdy81qei.cloudfront.net/video_images/8553/Course_Summary-01.jpg Yes 127 https://www.prodataprotection.co.uk/training/business-managers/video/how-do-i-find-what-information-is-held-by-a-company-on-me https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5153.mp4 Personal Information held online Accessing Your Personal Information: Know Your Rights Exploring Your Rights Legal Entitlement: It's your legal right to access the information a company holds about you. Two Key Methods Accessing Your Data: Discover the two primary ways to access and manage your personal information. 1. Online Account Settings Efficient Solution: Log in to your account and review or modify the data stored about you. View and edit personal details like address, phone number, and email. Delete or remove your account entirely if desired. 2. Direct Contact Communication Channel: Reach out to the company via email or phone to inquire about your stored information. Request changes to your data or address any concerns. Ask for deletion of your data or closure of your account if necessary. Subject Access Request (SAR) Legal Enforcement: Understand the process of submitting a Subject Access Request (SAR) under data protection regulations. Requires the company to provide a copy of the information they hold about you. Used as a last resort due to potential complications and time-consuming nature. Companies must respond within a specified timeframe. Important Considerations Use with Caution: Subject Access Requests should be a last resort due to potential complexities and time requirements. Companies may require permission for releasing personal data of third parties. Information provided will only include personally identifiable data. Choose the preferred format for receiving information, whether by post or email. https://d3imrogdy81qei.cloudfront.net/video_images/9290/Personal_Information_held_online-01.jpg Yes 246 https://www.prodataprotection.co.uk/training/business-managers/video/keeping-your-credit-card-data-safe https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5142.mp4 Keeping your credit card data safe Securing Online Transactions: Protecting Your Card Details Importance of Card Security Ensure Safe Handling: Safeguard your debit or credit card details to prevent unauthorized access and potential fraud. Verifying Website Security Reputable Stores: Prioritize using established and trusted online stores or those recommended by reliable sources. Check for Security Indicators: Look for the padlock symbol indicating a secure connection when entering payment information. Exercise Caution with Links Avoid Suspicious Links: Be cautious of clicking on links in emails or messages requesting financial transactions; opt to log in directly to the website instead. Prevent Phishing Attempts: Stay vigilant against fraudulent attempts to obtain sensitive information by verifying the authenticity of requests. Choosing Payment Methods Prefer Credit Cards: Utilize credit cards for online purchases to benefit from additional consumer protections against fraudulent transactions. Consider Alternative Platforms: Explore secure payment platforms like PayPal, which offer added security layers by not directly sharing card details with merchants. Exploring Payment Platforms PayPal: Create a secure PayPal account to facilitate online payments without exposing credit card information directly to merchants. Apple Pay: Utilize Apple Pay for convenient and secure transactions using stored card details on mobile devices or Apple Watches. Amazon Pay: Leverage Amazon's payment system for secure transactions across various online platforms, ensuring password security and website trustworthiness. https://d3imrogdy81qei.cloudfront.net/video_images/9280/Keeping_your_credit_card_data_safe-01.jpg Yes 269 https://www.prodataprotection.co.uk/training/business-managers/video/social-engineering https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5169.mp4 Social engineering Social Engineering: Protecting Yourself from Scams Introduction Understanding Social Engineering: While we've discussed various methods of computer hacking, social engineering involves direct contact with individuals to deceive them into divulging sensitive information or taking harmful actions. Phone Calls from Fraudsters Recognize Suspicious Calls: Be wary of unsolicited calls, especially from purported internet providers or financial institutions. Verify Caller Identity: If unsure about a call's legitimacy, hang up and contact the company directly to confirm the call's validity. Protecting Your Router Avoid Sharing Router Details: Never provide router codes or reference numbers to unknown callers claiming to be from internet service providers. Prevent Unauthorized Access: Refrain from divulging personal information over the phone to prevent unauthorized access to your internet settings. Deceptive Bank Calls Beware of False Bank Calls: Be cautious of calls claiming to be from banks, especially if they request urgent money transfers or account information. Confirm Legitimacy: Verify the authenticity of bank calls by contacting the bank directly using official contact details. Email and Text Scams Exercise Caution: Be vigilant of unsolicited emails or texts requesting personal information or directing you to click on links. Avoid Clicking Links: Refrain from clicking on links or providing sensitive information in response to unexpected emails or texts. Conclusion Stay Alert: Social engineering scams can be sophisticated and convincing. Always verify the legitimacy of communication and refrain from sharing personal or financial information unless absolutely certain. https://d3imrogdy81qei.cloudfront.net/video_images/9350/Social_engineering-01.jpg Yes 233 https://www.prodataprotection.co.uk/training/business-managers/video/identity-theft-and-reducing-the-risk https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5159.mp4 Identity theft and reducing the risk Protecting Your Personal Identity: Tips to Prevent Identity Theft The Value of Personal Identity Understanding Identity Theft: Learn about the significance of safeguarding your personal identity to prevent fraudulent activities. What Constitutes Personal Identity? Key Components: Your personal identity comprises your name, address, date of birth, bank details, employer details, and other confirming information. Indicators of Identity Theft Warning Signs: Recognize potential indicators of identity theft advised by the Information Commissioner's Office (ICO). You lose important documents like your passport or driving license. Missing mail from your bank or utility provider. Unfamiliar transactions on your bank or credit card statements. Being informed that you are already claiming state benefits when you apply for them. Receiving bills or receipts for unrequested goods or services. Being denied financial services despite a good credit rating. Receiving correspondence from solicitors or debt collectors for debts not incurred by you. Preventing Identity Theft Proactive Measures: Follow recommendations from the ICO to reduce the risk of identity theft. Stay vigilant about unusual financial activities and identity-related anomalies. https://d3imrogdy81qei.cloudfront.net/video_images/9322/Identity_theft_and_reducing_the_risk-01.jpg Yes 244 https://www.prodataprotection.co.uk/training/business-managers/video/how-to-stay-safe-when-shopping-online https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5171.mp4 How to stay safe when shopping online Tips for Safe Online Shopping Keep Your Computer Secure Update Software: Ensure your computer's operating system, web browsers, and security software are regularly updated to protect against threats. Enable Automatic Updates: Set your security software to automatically update to stay ahead of potential threats. Verify Website Security Check for HTTPS: Look for the "https" in the website URL and a padlock symbol to ensure secure connections. Be Wary of Scam Websites: Beware of fraudulent websites that mimic legitimate ones to deceive users into providing personal information or making payments. Research Website Reputation Read Reviews: Check reviews on independent platforms like Trustpilot or comparison sites to gauge a website's credibility. Scrutinize Returns Policy: Review the returns policy to understand the terms and conditions, ensuring clarity on return procedures. Verify Company Location: Determine the location of the company to manage expectations regarding shipping times and international transactions. Use Secure Payment Methods Use Credit Cards: Opt for credit cards when making purchases as they offer chargeback protection in case of fraudulent transactions. Seek Social Validation Check Social Media: Search for company reviews and feedback on social media platforms to gauge customer experiences and overall reputation. https://d3imrogdy81qei.cloudfront.net/video_images/9364/How_to_stay_safe_when_shopping_online-01.jpg Yes 221 https://www.prodataprotection.co.uk/training/business-managers/video/sms-scams https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/5845.mp4 SMS Scams Protect Yourself from Mobile Phone Scams Introduction Stay Vigilant: With the rise of mobile phone usage, it's crucial to be aware of various scams targeting users through texts and calls. Types of Text Scams Delivery Text Scam: Fake messages from delivery services like Royal Mail or DHL, claiming a missed parcel and urging recipients to click a tracking link, which can lead to fraud. Always use official delivery service websites to track parcels. "Hi Mum" Scam: Fraudsters posing as family members via text or WhatsApp, requesting money due to a lost or damaged phone. Verify their identity before transferring money. Energy Bill Support Scam: Scam messages or emails appearing to be from government bodies or energy providers, falsely claiming eligibility for energy bill support. Never provide personal information or click on links in such messages. Broadband/Mobile Phone Scams: Scammers offering enticing deals or compensation for slow internet speeds, often requesting bank details. Hang up and contact the provider directly. Bank Fraud Team Scam: Scammers posing as bank representatives, claiming account compromise and requesting money transfer. Always verify with your bank via official channels. Actions to Take Report Suspicious Messages: Forward suspicious texts to 7726 for free to investigate and block malicious senders. You can also block and report scam WhatsApp messages. Contact Your Bank: If you've shared personal banking information or fallen victim to a scam, contact your bank immediately and report the incident to Action Fraud. https://d3imrogdy81qei.cloudfront.net/video_images/10422/SMS_Scams-01.jpg Yes 279