Month: March 2020

Coronavirus (COVID-19) service update from Calligo

Our principal concerns during this Coronavirus (COVID-19) pandemic are the health and wellbeing of our staff and their families, whilst maintaining our service operations to you, our customers.

Precautionary Measures

As the virus continues to spread, we now need to take further precautionary measures to limit its impact upon our teams across our various locations. These measures include:

Introducing Remote Working

Until further notice, we have implemented a ‘working from home first’ stance in order to help minimise the impact of the virus on all staff. We are ensuring that all staff members have the equipment, connectivity, space and environment at home to deliver the service you expect.
For certain roles and functions where office presence is currently required, teams have been split to work from the office on a rota basis. We are also ensuring that hygiene and distancing protocols are observed, and are working with our landlords to introduce more frequent and extensive cleaning.
We are fully prepared so that, as circumstances and guidance change, we can immediately move to have all staff work remotely from their own homes until such time as we deem it safe for them to fully return to the office.

Ceasing Travel and Off-site Events

With immediate effect we are ceasing all inter-office travel until further notice. We are also cancelling all off-site training and events, so as to limit staff exposure to populous places, such as travel hubs and conference centres.

Limiting Client Site Visits

To reduce the risk to you, our customers, and to our own staff, we are adopting a ‘remote first’ approach for all on-premises support and all client consultancy service meetings until further notice. This includes the suspension of Network Admin monthly on-site visits.

What this means for your service

The aim of these measures is to help ensure that there is no drop in the level of service provided to you. However, there will be slight adjustments to how the services are delivered, as we look to limit in-person contact to only what is absolutely essential.

All of our teams can operate remotely and securely. Our remote working capabilities are tested regularly throughout the year to validate our Business Continuity Plan and we are prepared for our entire workforce to work remotely for an extended period.

The services and data centres operated by Calligo are redundant and built on a multiple site configuration, with flexibility to scale should there be an increased demand for resources.

Based on current information, we expect the Coronavirus pandemic will last for several months. It is therefore vital that we are prepared for action that will last for an extended period.

We will continue to actively monitor the situation and local government advisories and will provide further updates as the position changes. It is our intention to return to normal working practices as soon as it is safe to do so.

Should you have any questions on the above, please reach out to your usual Calligo contact.

The 5 Top Questions Around Data Privacy

Businesses can no longer ignore the importance of data privacy. In this blog post, we round up the questions our data privacy services team hear most often, combined with data from Google Trends, to reveal the most prevalent concerns and areas of most confusion.

Q1: What is the significance of the CCPA, and when does it come into effect?

The California Consumer Privacy Act (CCPA) is a bill aimed at increasing the privacy rights and consumer protection for residents of California, United States of America. The bill was signed into law on June 28, 2018 and became effective on January 1, 2020.

The aims of the Act include allowing individuals to

  • Find out if, and what, personal data has been collected about them.
  • Find out if their personal data is sold or disclosed to a third party.
  • Find out who their personal data has been sold or disclosed to.
  • Put a stop to the sale of their personal data.
  • Access their personal data.
  • Ask a business to delete any personal information they have about them.
  • Not be discriminated against for upholding their privacy rights.

The significance of the CCPA is threefold.

Firstly, the companies that are in scope are inherently larger ones. The data privacy law affects all companies that serve California residents and meet any of the following criteria:

  • Exceed $25 million in annual revenue.
  • Hold personal data on at least 50,000 people.
  • Collect more than half their yearly revenues from selling personal data.

It’s important to note that the law applies to any companies that “serve California residents”, meaning that the companies affected can be located anywhere in the world as long as they provide their services in California.

Secondly, the law is significant because of its jurisdiction. Some of the world’s largest companies (Google, Apple, Disney) are based in California, and their handling of sensitive data will now be under intense scrutiny.

Thirdly, it is currently “the nation’s most far-reaching online privacy law and a potential model for other states”, according to the Washington Post. This means that while its impact and enforcement will be closely monitored for other states to follow, the very fact that it will likely create disparate data privacy laws from state to state may accelerate the ongoing conversation about the need for a federal data privacy law to avoid data privacy becoming a blocker to business. If you’d like to find out more about CCPA or how we can help you, click here.

Q2: Who has been fined under GDPR so far?

Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, businesses across the world serving European citizens have been held to new standards of data handling.

The steep financial penalties possible under GDPR have provided an incentive for companies, big and small, to introduce new policies and infrastructures to ensure their ongoing adherence to GDPR. Many have also taken the decision to contract GDPR-qualified experts and Data Protection Officers to help them navigate this difficult change. However, not all businesses have implemented the necessary changes in time, and have thus faced heavy fines from the Information Commissioner’s Office (ICO). These businesses include:

  • Google – fined €50m for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’ according to the French data regulator CNIL.
  • TIM – Telecom Provider – fined €27,802,946 for unlawful data processing and a non-compliant aggressive marketing strategy, among other unlawful data collection processes.
  • Austrian Post – fined €18,000,000 for using customer data, including ages and addresses, to calculate the probability of which political party they might support, before selling this information to third parties.

However, there have also been far smaller fines handed to SMEs, undermining the argument that the Supervisory Authorities are only targeting large corporates. Examples include a 9,000 euro fine for a Spanish business that was using video surveillance of its employees without consent, a similar fine for a Cypriot government agency for allowing the police access to personal data without sufficient security, and an 18,000 euro fine for a Swedish school that used facial recognition for monitoring attendance but did not provide suitable opt-out processes.

Q3: Who does GDPR apply to?

A common misunderstanding is that GDPR only applies to companies with offices or employees in countries belonging to the European Union. GDPR is designed to protect EU data subjects from unacceptable uses of their data, whether the company holding their data is based in the EU or not.

The real test is whether a business is offering services to the EU market, or is monitoring an EU data subject’s behaviour within the EU. If so, then its activities fall within the scope of GDPR regardless of its geographical location.

“Offering services to the EU market” is admittedly not a clear phrase and is open to misinterpretation. To help, the European Data Protection Board (EDPB) has provided some examples of indicators of which territories an organisation is targeting, including:

  • Accepted currencies for payments
  • Languages of marketing materials
  • The locations where services can and cannot be shipped to

Q4: Why is data privacy important?

Data privacy is one of the fastest growing business issues on the planet, encompassing businesses of all shapes and sizes across every industry. Data has never been a more powerful or valuable commodity, and the proper handling of data (consent, notice, and regulatory obligations) is becoming increasingly regulated.

This is because the issue of data privacy has become a highly emotive and sensitive topic for data subjects, as the uses of data become more and more adventurous, personalised and at times, intrusive.

In fact, the importance of data privacy lies, for many, in its morality; keeping private data safe is seen as the ‘right thing to do’. Data ethics dictates that individuals should have agency over their data, including how well it is protected, how much is given away, under what circumstances and for how long, much like physical property.

For data-intensive businesses, data privacy has had some dramatic effects on their data regimes and, in some cases, has even restricted their business models, for example by curtailing the free use of automation or the collection and exploitation of data for marketing purposes.

Nevertheless, data privacy also brings massive opportunity. If data privacy is done right – or more specifically, if privacy by design is rolled out – then there are significant opportunities that come from a better understanding of the condition, location, source, use, importance and sensitivity of every piece of data.

By making your data well structured, visible and based on firm ethical and regulatory grounding, you can be more confident in your authority to use it and apply it to achieve your goal. The applications of data are endless, and if privacy is implemented by design then the business can leverage it in automation and machine learning experiments that improve marketing, sales and general business operations.

Q5: What is Privacy By Design?

Privacy by Design is a concept designed to guide businesses into becoming more proactive regarding data privacy. Built on seven principles, the concept sets the standards for how data privacy should be built into projects, processes and everyday activities. These seven principles are:

  • Proactively anticipating privacy-invasive events.
  • The maximum degree of privacy should be delivered by default.
  • Privacy should be incorporated from initial designs rather than added retrospectively.
  • Data privacy should not come at the expense of full functionality.
  • IT security across the entire lifecycle, from data collection, through to storage and eventual deletion.
  • Transparency at all times. All stakeholders should be informed of how data will be processed, stored and erased.
  • Data subjects should be given every opportunity to uphold their privacy rights.

Privacy by Design is important because it is not simply a framework to aspire to, but rather a necessary guideline for complying with privacy laws such as GDPR and CCPA. Public bodies like the ICO mandate that data privacy be upheld to the highest degree at every stage of a project, or else organisations face heavy financial penalties.

By incorporating these seven principles, businesses can ensure that they are treating their data subjects legally, fairly and ethically. Whether you are building a new IT system for storing personal data, developing policies that have privacy implications or looking to share data more actively with third-parties, Privacy by Design ensures that you remain privacy compliant from the very start.