SARs deadlines

An excellent blog post concerning guidelines from UK ICO on responding to SARs.

In short the important bits are:

  1. You have a single month to respond to the SAR from the date of receipt until the same date the following month, if it’s the last day of the month, it is the last day of the following month.
  2. Or/and a single month from date of ID verification
  3. If the deadline falls on a non-working day, the deadline can be extended until the first working day the following week.

i.e. it is a SAR request even without the ID verify part. There is no point in deciding that you can wait 3 months to respond (1), and then the official SARs process only starts following ID verify (2).

There, how difficult is that?


Cookies has always been a topical subject. If you are overweight and eating a cookie, ‘shame on you’, although the blue cookie monster, basically made cookies eating, in whatever way fashionable much to our relief. Although one could liken the way the cookie monster eats his cookies to the way cookies are haphazardly thrown onto our digital devices as though there are no rules.

However, there are rules, it is just they are not well understood, basically missing valuable guidance, in a non-technical way on ‘cookie management’. The .ICO has come up with some great detailed guidance, and have even implemented a super example of how cookies should be used. I am just wondering what type of coding was required to achieve this, because I know that the platform we are using doesn’t support this.

This brings me to another subject privacy by design. I often get asked the question, when I provide advice “but is this database GDPR compliant?”. I almost laugh, because we are in an in-between phase right now. Apart from ripping out what we have today and replacing with ‘state-of-the-art’, which the GDPR states is not necessary…It is only those platforms which have been built using privacy by design principles, of which there aren’t many right now, which are pure-bred GDPR-compliant. Clearly if your system is running on an operation system from the 1980s and doesn’t support encryption, and other security mechanisms, you could be having problems sleeping right now 😉

In main, the technology needs to be made good enough if certain mitigations are implemented, which are normally not technical, they are more to do with locking down processes and education of employees.

This is not a PbD approach, it is bolted on privacy, things can still go wrong if we need to depend on humans following processes. So until embedded privacy is the default in all technology, the beautiful privacy notice on the .ICO website, I guess I will need to wait for until I can get a technical guy in to make this happen for Privasee.

Unless anyone knows how they did it? I’ll love to know…

Digital discrimination is a reality whereby cash is no longer king

As with any form of discrimination, you are deprived of choice, and the right to choice is a human right.

The “cash is king” society is being replaced with digital money. What this means is that a large mass of individuals are marginalised because they don’t have money in the bank, but they may have money in their wallet.

Ha, you say now, it is only criminals which have something to hide? Well then that places me in a class of criminal in your mind: as I count the pennies in my wallet, -hoping that I have got a salary this month, to pay the faceless mr Taxman as much as I can, and take the rest out in cash- so I have enough money to pay for food for my family to survive.

When I first stepped into these new clothes of, what feels like a fugitive, I found that in Sweden, I couldn’t pay for the bus or buy a cup of coffee. Although I am learning to find out how to make it work, it is complicated. Hence I needed to work out out how to survive without money in the bank, even if I had cash in my wallet. I have opened my eyes up to a whole new world whereby cash is not king, whereby if you don’t have cash you are marginalised. Sweden is pretty advanced on the ‘cashless society’ vision.

It got me thinking again about bitcoin, not through my privacy eyes, but through the eyes of a marginalised individual, as a means as an alternative to money because ‘untraceable’ is built within its DNA, which I guess (as a non bitcoin guy) makes it an acceptable alternative to money.

Clearly bitcoin is a preferred currency for criminal networks because of this, and there are efforts to find a way to make bitcoin traceable to combat money laundering, and other shady stuff going on.

My marginalised hat hopes they don’t succeed. I hope that there is a future when the world is completely digitised that it is possible to survive when you have no money in your bank account. Today I can still find a coffee shop, and purchase metro/bus tickets at main stations, but tomorrow, I can’t imagine how it will be for those marginalised individuals and their families in a cashless world.

What’s next? is being asked by Porto Business School

And Porto Business School is in Portugal, and myself (with Privasee of course ;)) are spending some time together… and it’s quite exciting. This School is on its way up in the global rankings, and they are just buzzing with energy that is terribly exciting.

Here you can listen to a series of podcasts geared to innovation and business, the podcast with myself is clearly on privacy and GDPR… in a run-up to their new executive programs starting in the fall this year targeted at executives. However, you should listen to them all, they are interesting.

Seeing is believing?

One year on from GDPR enactment and the market has stabilised. The panic of 2018 settled down in 2019. So much so that consulting friends of mine in UK, Ireland, Denmark and Sweden have commented to me that there is less demand for pure privacy/GDPR consulting as in-house competences have matured. This is how it should be in order to achieve ‘data protection by design by default’ across every business function.

In Sweden it has become very laid back after a frenzied panic of 2018. No fines yet, although the Datainspektion is promising us some action during the next 12 months. Seeing is believing I say and the latest news on Klarna may change this. The Datainspektion needs to make an example of some organisation which is not compliant, and soon, or they will not be taken seriously. The latest news on fines has been in Denmark, to a taxi company. Each Supervisory Authority is accountable to enforcement of the GDPR for their respective countries. If they do not then they need to answer to the EU level… even they could be penalised, yes Datainspektion can be penalised!

What’s cool is how the businesses are on the road seem to understanding that GDPR is not a pure legal problem, it is the whole business, and as such engagement of privacy champions across every business function is happening which I find very exciting. In fact the more employees who get what this is about, the more likely it is that the organisation will succeed without feeling that it inhibits innovation, in fact quite the opposite!

If you want to get privacy champions in your organisation engaged at the right level, you can’t do much wrong to enroll them for the Privasee EAGLE online training, costs only €285 and it’s on a gamification platform so its actually fun!! Some of the larger organisations I’ve worked with have 100 spread out across every business function. IMHO every business should have at least one, if they have 5+ employees.

Sorry for the marketing plug here.. but Privasee needs to start making money on its products, and every training we sell helps us to continue the good work.. now we are challenged with cashflow during summer months…I’m a great privacy advocate and innovator but not interested in money per se. I wish I was then we wouldn’t have cashflow challenges.

If you love what we do, please either buy or recommend an EAGLE and get your privacy champions engaged in time for Autumn. Those who have done the training love it! If you do this please Comment or send a message so we can be sure to send a thank you token direct! If you want to resell Privacy products, we want to hear from you, unfortunately our ‘go-to-market’ sucks, reminding me of Novell who I worked for 7 years. We need to sell 100 EAGLEs to be flying again, if we sell 200 maybe I’ll be able to treat myself to haircut and a new pair of jeans 🙂


Your data, your digital mirror

Came across this super interesting article on bbc about a researcher who decided to exercise their rights as a data subject. The exercise included 20 companies.

Although the article starts by drawing a picture on the sort of data which can be collected on us, while we live in passive ignorance… my words not hers 😉


My experience on both sides of the wall,, and I say ‘wall’ because despite the good intentions of the GDPR, it seems that in general organisations are NOT making it easy for you and I as private persons to exercise their rights.

There are 4 types of data subjects exercising their rights.. at least those I’ve had exposure to: 1) angry/upset/worried individuals, I call them “mr Angry from Radio 1“; 2) employees or ex-employees, 3) applicants for jobs, which have been refused, 4) interested individuals doing research, such as the one represented in this article. As to yet, I have not received requests from individuals who are purely exercising their rights, and are happy before starting the process.

There are 2 approaches by organisations: 1) organisations which see GDPR and the potential of additional interaction with their ecosystem, i.e. customers, etc., in a similar content to ‘social responsibility’ and are building into their branding message; the other extreme, 2) do the minimum required, and even make it difficult for the private person to exercise their rights.

In the process there are 2 parts when it comes the request itself: 1) the interaction between the data subject (requester) and the DPO, or the SARs specialist, and 2) interactions with the internal organisation required in order to respond… which is in these baby GDPR days complex.

So what’s my conclusion? We have a long way to go in reaching the GDPR Nirvana for the data subject exercising their rights IMHO 😉

Knock knock … join our religion -and btw GDPR doesn’t apply to us!

I just loved this case decision in Finland whereby Jehovah’s Witnesses must comply with GDPR, determined by EU court.  In 2013 Finland’s Data Protection Supervisor prohibited the Jehovah’s Witnesses religious community from collecting or processing personal data in the course of door-to-door preaching by its members unless Finnish data protection legislation was observed.

Jehovah’s Witnesses created maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them. In essence they are collecting and processing personal data.

In its judgment, the European Court of Justice considered that the Jehovah’s Witnesses’ door-to-door preaching is not covered by the exceptions laid down by EU Law on the protection of personal data.

  1. There is the fact that the door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union; but this does not,
  2. Confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.

For those newbies here, this is about something called ‘material scope’ in the GDPR. You can liken ‘material scope’ (and there is also ‘territorial scope’) as scoping parameters for the GDPR.

Think about it as a project scope … and it is almost cool to know that even legal documents have a scope just as any project you may have driven or been a part of. What this means is that all the legal text in the GDPR is only relevant if personal data falls within the scope defined in Articles 2 and 3.

Material scope (Article 2)

The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system.

Now back to the case.

  1. The Jehovah’s Witnesses used ‘household exception’, hence exempt from GDPR. This was overruled, stating that the JW organisation and those knocking on doors collecting personal data were joint controllers.
  2. What material scope also states is that data needs to be part of a ‘filing system’ of some kind, and it was stated that even though data was collected manually, just the ordering, e.g. by address during collection, which made retrieval easier, placed it in scope.

So there you have it… lovely example for the classroom IMHO 🙂