
Thursday Thoughts - 18th March 2021

This is the 52nd edition of Thursday Thoughts, and in celebration, as well as the usual round up of news, I thought I’d delve into the archive and provide you with an update on what was happening this time last year and a summary of the fines since then.

In local news, the Altrincham and Sale Chamber of Commerce Annual Business Awards was indeed a memorable evening, with a simultaneous Zoom and live stream, dignitaries attending virtually and an awesome music ensemble. Congratulations to all those who were nominated or shortlisted and of course to the winners in each category. The eventual winner of Business of the Year, Maskell and Josephson, also bagged the Professional Services category, and Altrincham HQ achieved a 1-2-3 with a win in Digital Company, runner up in Micro Business and a highly commended in Business of the Year. There was amazing music from String Infusion, and the Keyteq team made sure the event went without a hitch.

Understanding what data is collected about us remains as important this year as last, and I was concerned to see the detail of how much data Google and our apps collect and share with third parties. You can see who the worst offenders are and, in case you want to tighten up your settings, I have included links to the NCSC help on that. The most common thing I get asked is whether GDPR applies in a B2B setting – it does! So I have an article on that. There’s a forthcoming probe by the French authorities into Clubhouse, and other news. Just 2 blogs this week (6 pages is enough!)


Blogs of the Week

  • Lucas Miller - 5 Reasons to Make Regular Data Backups a Part of Your Business Plan

  • Altrincham HQ – The silver linings of lockdown


What Personal Data Chrome and Its Apps Collect On You

The App Store now requires apps to let users know the types of data the app may collect, and whether that data is linked to them or used to track them. This means that it's no longer possible for apps and third-party partners to accurately measure the effectiveness of ads without the user opting in to being tracked. Companies can still track users through their own services on a first-party basis, but they cannot share that information with third parties without users' permission. If you want to see what Google collects on its users you can read more here: https://thehackernews.com/2021/03/google-to-reveals-what-personal-data.html


Which Apps Share The Most Data With Third Parties?

The volume of data that some apps share about us is quite staggering. This week Jamie Swan shared the top 10 apps that share the most of our information.

1. Instagram (79% of personal data collected)

2. Facebook (57% of personal data collected)

3. LinkedIn (50% of personal data collected)

4. Uber Eats (50% of personal data collected)

5. Trainline (43% of personal data collected)

6. YouTube (43% of personal data collected)

7. YouTube Music (43% of personal data collected)

8. Deliveroo (36% of personal data collected)

9. Duolingo (36% of personal data collected)

10. eBay (36% of personal data collected)


This data came from Komando.com https://www.komando.com/security-privacy/apps-share-your-data/782539/


Advice on Using Social Media Safely

The UK NCSC has step by step guides on how to set up the privacy settings for most types of social media. Links to their guidance can be found at: https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely

Here are the links to set up your privacy settings on the major social media platforms.

· Facebook: basic privacy settings and tools

· Twitter: how to protect and unprotect your Tweets

· YouTube: privacy and safety

· Instagram: privacy settings and information

· LinkedIn: account and privacy settings overview

· Snapchat: privacy settings

Fines Since March 2020

Since this time last year, across Europe an average of 28 companies a month have faced fines for breaches. The total amount that organisations have been fined is € 169,219,986.


What really matters, though, is the reasons for these fines and the sectors most affected, because this is what we can learn from. The top 5 most common reasons are:

· Insufficient legal basis for processing

· Insufficient technical and organisational measures

· Non-compliance with data processing principles

· Not fulfilling the data subjects’ rights

· Providing insufficient information


The 5 most common sectors to be fined are:

· Media, Telecoms and Broadcasting - € 127,786,365

· Employment - € 47,310,877

· Transportation and Energy - € 34,635,400

· Accommodation and Hospitality - € 20,945,607

· Finance, Insurance and Consulting - € 17,109,885


These are followed by Health Care, Industry and Commerce, Public Sector and Education, and finally Individuals and Private Associations.


Business to Business Marketing

One of the most common questions I get asked is “Does GDPR apply to business-to-business marketing?” – the answer is (of course) yes, because GDPR applies whenever personal data is processed. Yes, it is now called UK GDPR, but it is exactly the same as the European version. You also need to be aware that PECR continues to apply to marketing.

In the business context that includes where you keep the name and number of a business contact on file, including if you file loose business cards. Personal information also includes a business email address that contains a person’s name. Here is what you need to know:

• GDPR does not replace PECR.

• You do not always require consent for marketing under GDPR but you may need consent to comply with the PECR.

• You can rely on legitimate interests for marketing activities only if you don’t need consent under PECR.

• If you use legitimate interests for marketing you have to be able to demonstrate that your use is proportionate, that your marketing has minimal privacy impact, or that people would not be surprised by or likely to object to what you are doing.

• Sole traders/partnerships may be treated as individuals.

• You must include an opt-out or unsubscribe option in the message.

• You can email or text any corporate body using a generic email address (e.g. “info@”, “hello@”).

You can read more guidance here: http://ow.ly/jUbP50xxdfg


French Data Privacy Watchdog Opens Probe Into Clubhouse

Following a petition in France with more than 10,000 signatures, the French watchdog CNIL is looking into potential breaches of privacy by Clubhouse. These include how Clubhouse, which has "no corporate entity within the European Union", is using members' personal information, and how secure the data is. The CNIL warns: "If it is confirmed that the app is not respecting the GDPR, the CNIL will be able in that case to apply its own sanctions".


3 Year Sentence for Hacking high-profile Twitter accounts

A teenager in Florida has been sent to jail for 3 years for hijacking nearly 130 high-profile Twitter accounts belonging to politicians, celebrities and musicians, including those of Barack Obama, Kanye West, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, Uber and Apple.


Are you Registered with the ICO Yet?

Three years after GDPR came into force there are still companies who are not. This year we have seen an increase in contact from the ICO to the registered offices of limited companies asking why they are not registered. Given that there is a potential fine for failure to register and the registration process is so simple, I recommend you don’t wait till the letter arrives before acting. Here is the link to the ICO self-assessment tool: https://lnkd.in/deYHCSE


NCSC Update Their Alert from 3 March 2021

The NCSC alert from 3 March 2021 has been updated and contains additional information on installing updates and detection.


UK's Data Protection Laws May Be Reformed

The UK's data protection laws face being reformed to be more business-friendly as the government aims to spur economic growth following the downturn caused by the COVID-19 pandemic. The digital secretary Oliver Dowden said that Britain should take a "slightly less European approach" to privacy, referencing the EU's General Data Protection Regulations (GDPR), "by focusing more on the outcomes that we want to have and less on the burdens".


Vulnerabilities in several WordPress plugins

A website builder plugin used on more than seven million sites, and WP Super Cache, have been found to have bugs. Multiple HTML elements such as Heading, Column, Accordion, Icon Box and Image Box were found to be vulnerable. It is therefore highly recommended that users of the plugins update to the latest versions to mitigate the risks.


What was in Last Year’s News

Many of the themes from this time last year are still valid this year. I have therefore summarised the main issues from my blogs at the time.


Breaches

This time last year the following breaches came to light:

· Hanna Andersson/Salesforce.

· Facebook’s Twitter account (the route into the account was through a third-party platform, which was then used to reset passwords and email addresses).

· Estee Lauder.

· Virgin Media.

Other information from Thursday Thoughts from this time last year included:

· A link to some analysis of Cyber Crime in Europe. A useful read for those interested in such things: https://gdpr.report/news/2020/02/25/privacy-ireland-ranked-least-vulnerable-european-country-to-cybercrime/.

· A warning that big tech firms face potentially massive fines following the Irish regulator’s investigations – this has started to play out.

· Comparison between GDPR and the CCPA, also helpful to those who need it: https://lnkd.in/eqtqgAn.

· Facebook Dating Service Postponed.

· Facial Recognition Technology Deployed in Stratford for the first time in UK on 11 February 2020.

· Google Changes UK Users Terms and Conditions.

· Google Intends to Acquire Fitbit.

· have been told of unauthorised attempts to access their accounts.

· News of a fine for biometric processing in a school in Poland relevant to UK schools using biometrics: https://uodo.gov.pl/en/553/1102.

· PayPal Phishing emails circulating.

· Ransomware actors decide to set up 'wiki-leaks' style sites to publish the data of those who do not pay the ransom they demanded.

· Shopping Online Securely (guidance).

· Tesco Clubcard and Boots Advantage Card holders warning.

· The Cyber Security Body of Knowledge (CyBOK) published.

· The Need for Clarity in Breach Disclosure, Subject Access and Privacy Documents.

· The Spanish DPA provide guidance in English for app developers.

· Third-Party Email Apps Scraping data and offering immediate push notifications.

· Tricks and tools for better working from home.


National Cyber Security Centre

· Released a Board Cyber Toolkit.

· Issued advice on Response and Recovery Plans for small businesses: https://www.ncsc.gov.uk/collection/small-business-guidance--response-and-recovery/video-collection.

· Annual Cyber First Girls Competition.

· Provided Advice for IT Managers and Administrators on Email security and anti-spoofing. https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing.

· Blog on Secure Communication Principles.


ICO

· Released a Statement on COVID-19.

· Published Coronavirus and the GDPR – privacy advice for companies https://lnkd.in/gfk57JK.


Blogs of the Week


Lucas Miller - 5 Reasons to Make Regular Data Backups a Part of Your Business Plan

No matter what industry you are in, data will be a critical part of your business growth. Using good quality information is the key to success. In these data driven times the ability to use the data you have collected to inform your decision-making can be an essential element of business planning, from analysing the success of social media campaigns to tracking sales numbers and performance. In this blog Entrepreneur Media give five reasons to make regular data backups a part of your business plan: https://www.entrepreneur.com/article/363318


Altrincham HQ – The silver linings of lockdown

Alex’s blog this week is a great exercise in positivity. With so much of the opposite in the media at the moment, I share Alex’s top 7 things he will be keeping after June 21st. Whether it is living life at a slower pace, less travel, reading fiction, binge listening to favourite music, discovering the joy of walking or running, or foreign language films, it’s a great idea to find our own silver lining and embrace it: https://altrinchamhq.co.uk/the-silver-linings-of-lockdown-reflecting-on-the-last-12-months/
