Hypnotic Outcomes

Hypnotic Outcomes is a consultancy, offering clinical hypnosis, NLP and Executive Coaching face-to-f

30/04/2025

Most breaches of the GDPR are civil matters, but the accompanying Data Protection Act 2018 designates three matters as criminal offences and the ICO has the power to prosecute.

24/04/2025

ICO issues a £90,000 fine for unlawful telephone marketing.

Remember, if you engage in marketing using email, phone, text, social media (or fax, but no-one uses that any more), you have to comply with the Privacy & Electronic Communications Regulations (PECR) as well as the GDPR.

We have fined AFK Letters Co Ltd (AFK) £90,000 for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service (TPS), in a clear breach of electronic marketing laws.  AFK Letters is a company which writes letters seeking compensation and refunds f...

21/04/2025
18/04/2025

ICO fines Merseyside law firm for data security breach. One of my former colleagues (he was way more senior than me) explains the obligations of data controllers to keep personal data secure.

I cover data security in my online trainings and can advise how it applies to you specifically.

We have fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web.

09/04/2025

When logging into the free Wifi at Morrison's recently, the disclaimer reminded me of an important data security principle I cover in my online GDPR training. Always be aware that public Wifi networks are less secure than private, password protected Wifi.

It can be quick and convenient to use a free Wifi network if you're out and about (particularly if it's in a café with decent coffee and you want to take the weight off your feet for a while) but think carefully about sending any confidential or sensitive data as the security risk is potentially higher.

When I worked for the ICO, staff travelling outside the office had to use an ICO issued secure portable Wifi router and were not permitted to log onto public networks.

07/04/2025

The GDPR says that Privacy Information should be provided "...in a concise, transparent, intelligible and easily accessible form, using clear and plain language..."

How do you think this Privacy Notice (from a small hotel whose identity I am protecting) complies with that requirement?

If you were a guest reading this without any particular knowledge of the GDPR, would you have a clue what it means?

02/04/2025

Ok, folks.

I saw in the news today that Asda is trialling facial recognition technology in a number of stores to identify Persons of Interest (POIs) from previous experiences. See attached image.

Those of you familiar with the GDPR will recognise that this is use of biometric information for purposes of identification, and therefore constitutes a form of Special Category Data.

"What are their conditions for processing this Special Category data?" I wondered, so I went to look at their Privacy Notice to see if it had been updated to reflect this trial.

You can see from the attached image that their Article 6 Lawful Basis (required for processing ANY type of personal data) is Legitimate Interest. Their additional category to allow them to process Special Category data is one of the Substantial Public Interests conditions from Schedule 1 of the Data Protection Act 2018 - "Preventing or detecting unlawful acts".

It is likely they will have an Appropriate Policy Document to accompany use of this Substantial Public Interest condition and they should also have carried out a Data Protection Impact Assessment (DPIA) prior to proceeding with this pilot scheme.

If YOU are using Special Category data - information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health, s*x life or s*xual orientation - bear in mind you need a Lawful Basis AND an additional condition to do so lawfully.

Here endeth the lesson!

02/04/2025

"It's ok. I understand the GDPR so I store all my records in a locked cupboard."

If you understand the GDPR, you will:

- Know what a Data Controller, Data Subject, Data Processor and Sub-processor are,
- Know the Principles of the GDPR,
- Know what has to go in a Privacy Notice and when it has to be provided,
- Understand your Lawful Basis and communicate it to data subjects,
- Know when it's unwise to use Consent as your Lawful Basis,
- Know if you are using Special Category Data and your additional conditions to use it lawfully,
- Have a retention schedule and adhere to it,
- Know if you are using Data Processors and have GDPR compliant contracts in place with them,
- Recognise and know how to understand GDPR Individual Rights requests,
- Know when you have to report a data security breach to the ICO and how long you have to do so,
- Understand what is required to make an International Transfer of personal data lawfully,
- Be registered with the ICO

and much, much more.

If all of this is going over your head, you DON'T understand the GDPR.

23/03/2025

A quick word on using Consent under the GDPR.

ICO guidance is that - where appropriate - consent should be 'granular', allowing data subjects the option to consent to certain uses of their data, whilst declining consent for others.

Particularly nice to chance upon good GDPR practice when browsing luxury hotels :-)

Gisborough Hall's eZine subscription pop-up allows subscribers to choose the form in which they want to receive marketing material.

Also notice consideration of the Principle of Data Minimisation. The only required field is an email address.

08/03/2025

Hello all.

Some years ago I set up a YouTube channel and was playing around with making some videos. Looking back I am a little embarrassed at my efforts but there is a saying:

"If your first digital product was perfect, you released it too late."

I hope to be generating more content soon (and hopefully it might look a little better) but I think the content of the two videos already on the channel is still worth listening to.

None of this relates to the lovely testimonial from my friend and former student, Warren York, who has recently been rated as the Number 1 hypnotherapist in Belfast.

Please feel free to look at the Hypnotic Outcomes channel and subscribe.

Thanks,

Damian


Address

London
LL208PS
