GDPR pingball

I feel as though I’m in the middle of a pingball machine, with all the legal parties (mainly on behalf of their clients/controllers) busy sending DPAs to all the processors. And many of the processors who are also controllers are scratching their heads, wondering what to do with these agreements. Wondering what they are? Controller or processor? This is all very confusing for those who haven’t yet started, or have only just started this year!

Face recognition Facebook

Should I be disappointed that Facebook still hasn’t understood the ‘Privacy by Default’ principle in Privacy by Design? The user shouldn’t need to do anything to protect their privacy!

No, of course they haven’t, so why waste my energy ranting on this!? Just now, when accepting the new privacy policy on my mobile device, ‘facial recognition’ was enabled as the default. Maybe I was clumsy in clicking Accept, but it was easier to click this button than the No choice. I then needed to find the setting and switch it off. It wasn’t difficult, just annoying.

Privacy Icons are the rage

Privacy icons are going to be all the rage with GDPR efforts to bring privacy communications into a format for those of us who don’t eat ‘legal speak’ for breakfast. Apple say that this symbol will pop up when a function is going to use your personal data. And I really love the icon!


I’ve also received some communications from others who liked what they saw, and in Swedish. Well done Apple!

GDPR gold rush

I have never been so overwhelmed in my whole life. The GDPR gold rush is here.

I wish I could be excited by this; after all, I have been predicting it since 2015. However, I am terrified by the significant shortage of expertise on the market: those who really know what it is all about, versus the false gods. So much false news, and so much GDPR theatre. I just want this to stop: step back and just stop panicking.

In Privasee, we are struggling to meet the demand, the panic. Our approach is to empower our partners with expert knowledge so they can do what is right for their clients. We are lucky to have Nebu as our Swedish consulting partner, our learning partner is Cornerstone, and we have other partners in both Portugal and Malta! We want to make GDPR knowledge accessible to all! We call our consulting partners OWLs, because they have reached a level of expertise (we should know, as we’ve trained them) that lets them run this race without Privasee, except for our methods (which are rapidly becoming privacy industry best practices).


My dream is to empower our customers with knowledge, so they are NOT dependent upon us.

My dream is to demystify this GDPR monster, so that it becomes something we know.

And IMHO dreams are still possible 🙂

Facebook fined €1.2 m in Spain

Facebook collects data on people’s ideologies and religious beliefs, sex and personal tastes—from its own services and those of third parties—without clearly telling its users what it will do with this information. Read more here.

“In a statement, Facebook claimed the Spanish data protection authority (DPA) was wrong to say it showed people advertising based on sensitive personal data. It said ad-targeting was instead based on the interest people express by “liking” certain content on the social network.”

Of course, what FB claim is rubbish. When I was researching my first book I did some extensive clicking to see what would happen. Hence, if adverts popping up on my profile proposing that I may be interested in buying ‘incontinence pads’ are not based on sensitive personal data, what is?


A book for GDPR practitioners

This is the book that Filip Johnssén and myself wrote. Book launch is tomorrow by IAPP in Washington.


SARs ex-employee fishing expeditions

An interesting post by Sarah Thompson, employment lawyer, McGuireWoods:

SARs are often used by employees or former employees as a “fishing expedition” to obtain information in the context of disciplinaries, grievances and litigation, rather than for verifying/correcting their personal data. Previous court decisions have held that making an SAR in this context was an abuse of process and not the purpose of the legislation. However, recent cases and the ICO Code have clarified that an employee’s purpose for making the request is not relevant and employers need to respond regardless of whether the employee has an ulterior motive for making an SAR.

  • Disproportionate effort

Employers can refuse to provide information where doing so would involve disproportionate effort. Difficulties throughout the process (from finding, analysing and providing the data) can be taken into account. However, employers must be able to show that they have taken all reasonable steps to comply with the request and, as the ICO Code notes, “should be prepared to make extensive efforts to find and retrieve the requested information.”