

Deslyon blog: vendor contracts

With the recent ruling by the Court of Justice of the European Union (CJEU) that a website operator who installs a Facebook “Like” button becomes a joint controller with Facebook*, this post looks more closely at the contractual relationship between website operators and 3rd party technology solutions that collect personal information from an operator’s website, with a few tips for both brands and 3rd parties to help foster a trustworthy (and compliant) user experience.


For those still wondering why this ruling is so important: if you – the website operator (such as an e-commerce brand/retailer, or a publisher/news site) – have a Facebook “Like” button on your website (for example on a news story or a product page) and a user clicks on that “Like” button, then that user’s personal information is sent to Facebook, who then have control of that user’s personal information and can determine what happens with it (such as informing that user’s friends via their news feed that the user clicked “Like” on a product or news content). Facebook is also able to collect all of that user’s “Like” activity in order to create a profile of him/her and then serve targeted ads or content (and possibly sell that user’s profile to other advertisers who are looking for a similar profile to serve their ads to). All of this is possible from what seems like an innocent act of appreciation for a product or news story published on the website operator’s site (the e-commerce brand/publisher/news site), which – as soon as the user interacts with any tracking or plugin – has no control over what happens with that user’s information.


The CJEU ruling is also significant in that it doesn’t just apply to Facebook. The website operator is ultimately accountable for any advertising/marketing technology tracking and/or social media plug-in deployed on its website that collects personal information – either in its own right (such as an IP address) or when overlaid with other data (for example “click reference/id” + “source” + “device id” + “location” + “products viewed” + “other websites visited” + “order ID”) – on an electronic device (such as desktop, mobile/handheld or any other form of device) through:

  • Sponsored Search Engine (Pay Per Click) listings
  • Content Ads (for example – like those “Sponsored Links” that you often see on news/media sites)
  • Product Listings Adverts on Search Engine Shopping channels and comparison shopping engines/sites
  • Affiliate Marketing & influencer (blogger) marketing ads and text links
  • Social Media sharing
  • Display advertising
  • Behavioural Targeting & Re-targeting adverts


Using an advertising agency doesn’t shield you from responsibility

Even if a website operator outsources their marketing/advertising activity to an agency, and allows that agency complete free rein in how they achieve commercial & marketing objectives, it is the responsibility of the website operator to know what information has been collected about a user from those marketing channels, and what subsequent processing takes place with that user’s information, so that the user can be informed of who the website operator is working with that collects data.


How can website operators ensure they’re working towards compliance?

Before commencing the relationship with any 3rd party vendor, whether that be for marketing/advertising technology solutions/social plugins or agency management for marketing strategy & activity, there needs to be a written agreement in place that defines the boundaries and where responsibility begins and ends in accordance with Article 26 (Joint Controllers) of the official GDPR text, and include the rights of the website operator within these agreements. The agreement (also known as a “controller:controller” agreement) needs to include the contact details of the joint controller, purposes of the joint controllers’ processing, categories of data being processed, details of where that data will be transferred to (if outside of the EEA – and safeguards being applied), how long that data will be kept for, and a description of the technical & organisational measures taken by that joint controller.


What else does the website operator need to do?

The website operator also needs to fully inform users, in accordance with the lawfulness, fairness and transparency principle (as per Article 5), of the tracking/social media plugins on their site that will collect their data if they interact with (click on or “Like”) them. The website operator will need to list exactly what data is collected, the purposes for which it is collected and processed, and include the contact details of the social media/3rd party tracking/plugin provider/agency for any queries or to obtain access to their information (as per the users’ rights to information, access, rectification, erasure, restriction of use, not to be subject to automated decision making such as profiling, the right to object, or to have their data moved/ported to another provider/competitor, as stated in Articles 12-22).


The website operator has to establish a lawful basis for the advertising/marketing technology provider and/or agency collecting and processing that data, and both the website operator and the joint controller have to obtain explicit, unambiguous, freely given and informed consent from the user in order to collect and process that information. Legitimate Interest will not suffice, as a Legitimate Interest Assessment shows quite clearly that the benefit to the user is outweighed by the commercial interests of the website operator.


Ignoring these requirements when it comes to Joint Controller or Controller:Processor agreements could leave the website operator completely exposed to the maximum financial penalty, or possibly faced with a stop order (which could be even worse than the fine for most organisations). It is vital that those 3rd party contracts are reviewed and updated to reflect Data Protection laws and regulations.


Of course – if the 3rd party is acting only on the strict instruction of the website operator, then that is a “Controller:Processor” relationship. That requires a differently worded agreement, but still requires the processor to have adequate security measures, policies and processes in place to protect user data if it is of a personal nature.


For further information and guidance on 3rd party contracts (Controller:Controller, Controller:Processor, and Processor:Processor), email info@deslyon.com today.


(*ref: http://curia.europa.eu/juris/document/document.jsf;jsessionid=A06E0AB5DBF21253C4907DDCE5A5DDDB?text=&docid=216555&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=7104636)



Photo: https://pixabay.com/es/photos/cadena-articulada-apretón-de-manos-2853046/ 

Deslyon blog: travel tips

It’s that time of year when people are packing those flip flops and shorts to enjoy their summer holidays or simply take time out of the office.


If you’re going abroad – depending on where you go – there are data protection laws that you have to comply with when collecting or processing (i.e. accessing) personal data that is used in a commercial capacity (i.e. customer, employee or business partner emails for example). You don’t know who is monitoring the internet access in the location that you are in. If you’re taking paper documents with you then how do you know who has access to your hotel room? What controls are in place to prevent access to personal information that is on a portable device that you’ve left in your hotel room whilst you were out on the beach?


If you’re checking emails and need to respond to one that cannot wait until you return or is labelled “urgent”, and you’re using free wifi access, then this poses a significant risk as these networks can be particularly vulnerable.


Even if you’re not checking emails, if you use your device for both work and personal use and happen to be browsing websites when a pop-up appears on your screen (and you don’t recognise the language but feel compelled to click the green button or tick the box), this could lead to malware being installed. That malware could lie dormant for days or weeks and then activate once you’re back home, affecting your home network or even the company network and possibly granting unrestricted access to the attacker.


Techniques such as “Phishing” are becoming increasingly common and even more sophisticated, so if you’re asked by customs or a government official to hand over your device for examination, it is likely that they will require access to the device and its contents before they approve your entry to their country.


So, what can you do to prevent a situation that might lead to a compromise of personal data whilst you’re on the beach supping that 6th/7th/8th (maybe you’ve lost count) Pina Colada? Here are a few tips to help you get started:


  1. The obvious advice is don’t take work devices with you if you don’t need to.
  2. If you do have to take the device, make sure that any information relating to work or personal data of employees, customers, business partners is removed from the device (you can uninstall work applications and email accounts and re-install when you return).
  3. Do not open files or attachments from people you don’t know and do not click on links in emails from unknown senders.
  4. If you have to have personal information and records that include personal information on your device whilst on holiday, make sure you complete a full backup and leave it somewhere safe (in the office perhaps?) before you leave, in case the data is lost during your vacation.
  5. Depending on the level of sophistication of your IT infrastructure, you may want to run your device in a virtual environment whilst you’re on holiday, as that will ensure that any issues or viruses are contained within the virtual environment.
  6. A password management policy should already be in place within your organisation but if it isn’t then it is worth changing your passwords for when you’re on holiday, and changing them back when you return (or even better – change to new unused password).
  7. If you don’t need to have your Bluetooth or wi-fi on, then turn it off!


Martin de Bruin, CEO, suggests that you do not leave your device unattended at any time:

“Whilst the lure of another cocktail as you’re sat by the pool or sea, running on ice-cubes and in urgent need of a refill, might seem appealing, keep your device with you! Also, if you lose your device or if it’s stolen you will need to report it immediately to your employer and company Data Protection Officer, stating exactly which customers’ information was accessible on the device and/or employees’ or business partners’ personal data as well. It may require a notification to the Information Commissioner’s Office or even to the users whose data has been affected.”

For further information or advice on how to create and implement appropriate policies around information security and data protection or device management for your organisation, contact info@deslyon.com today.

Deslyon blog: FTC fines Facebook $5bn (FFS!)

In a week that has seen more “intents” than a field in Glastonbury, the latest and greatest fine to date was just announced as the US Federal Trade Commission approved a $5bn fine for Facebook as a result of the 2018 Cambridge Analytica scandal (source: https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html).


The Facebook–Cambridge Analytica data scandal was a major political scandal in early 2018, when it was revealed that Cambridge Analytica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. The method used was an application under the guise of a “personality quiz” called “thisisyourdigitallife”, and data was collected not only from users who took part in the quiz, but also from friends of those users – all without the consent of either the user or, of course, their friends. It is alleged that around 87 million users were affected by the scandal.


The FTC began probing Facebook in March 2018 following reports that political consulting firm Cambridge Analytica had accessed the data of 87 million Facebook users. The agency was concerned that Facebook had violated the terms of a 2011 agreement, where Facebook agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public (source: https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep). The settlement required Facebook to give users very clear notifications when their data was being shared with third parties.


The settlement will now be reviewed by the Department of Justice (reports say), but the message being sent out by both the US and UK regulators (the latter intending to issue £183.3m and £99m fines to British Airways and Marriott International Inc respectively) is that infringement of data subjects’ privacy (or being in breach of data protection laws) will be treated with the utmost severity: punishment for ignorance and systematic abuse of people’s personal information, or for neglecting the information security principles of Confidentiality, Integrity & Availability of personal data.


Of course, in addition to this, the UK Information Commissioner’s Office is also looking into the digital advertising industry – in particular behavioural advertising, retargeting and Real-Time Bidding auctions (in which big tech firms have a significant commercial interest) – so it is highly likely that this will not be the last time we see familiar faces and household names in the news for being in breach of Data Protection regulations & privacy laws for not obtaining users’ consent.


There will also likely be cases brought to the attention of regulators where companies fail to implement the appropriate technical and organisational measures, such as having an appropriate information security policy or not deploying the required training for their staff.


Martin de Bruin, CEO of Deslyon says:


This week we’re starting to see the consequences of failure to comply with Data Protection laws and Privacy regulations. Companies feel that they can take a laissez-faire approach when it comes to their obligations whilst we have constantly disagreed with their consensus. Now it is clear to see that doing nothing or skipping over data protection/privacy obligations is no longer an option.


News outlets report that Facebook declined to comment, however, if you are looking for guidance and advice on how to comply with Data Protection regulations and privacy laws for your organisation, contact info@deslyon.com.



Image source: https://www.flickr.com/photos/stockcatalog/26406050097/in/album-72157695350251185/

Deslyon blog: 2 out of 3 hotel websites leak data

With the recent announcement that the UK Information Commissioner’s Office is intending to issue a fine of more than £99 million to the Marriott Hotels group, a recent study by Symantec* shows some of the serious consequences that can result from unauthorised access, such as unauthorised cancellations and access to personally identifiable information including name, postal address and passport numbers.


The study involved testing multiple websites, including those of more than 1,500 hotels in 54 countries, and found that 67% of these sites are inadvertently leaking booking reference codes to 3rd party sites such as advertisers and analytics companies (even though all of the sites had a “privacy policy”, none of them mentioned this behaviour explicitly).


Types of personal information leaked included data such as:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last 4 digits of credit card, card type and expiration date
  • Passport Number


It is suggested that the cause of these leaks could stem from confirmation emails sent to the customer, which include a link to the booking, allowing the user to go straight to their reservation without having to log in.


Martin de Bruin, CEO of Deslyon comments:

“Whilst this is incredibly distressing, it isn’t really a surprise. What if the customer entered the wrong email address, and the booking confirmation was sent to someone else? The can of worms that could have been opened if the email address was shared by a couple!”


The study goes on to state that this information – which the browser can pass on from the email confirmation link – can also be visible to unauthorised 3rd parties such as well-known social networks, advertisement networks and search engines, and all it takes is a rogue employee using the information collected for their own nefarious purposes for a major incident to occur, which could affect the rights and freedoms of that individual.
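As an added example (not Symantec’s tooling or Deslyon’s own code), the following Python script checks a booking confirmation page for the leak pattern described above: it lists the sensitive parameters carried in the link URL, the third-party hosts the page loads resources from, and whether the page’s Referrer-Policy stops the browser from sending the full URL to those hosts. The URL, page markup, parameter names and policy list are assumptions constructed for the example; a real audit would use the site’s own parameter names.

```python
# Added example (not from the Symantec study or Deslyon): audit a booking
# confirmation page for the leak pattern described above. A confirmation link
# carries the booking reference in its URL; if the page then loads resources
# from third-party hosts and does not restrict the Referer header, the browser
# sends that full URL (reference included) to every one of those hosts.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameter names treated as sensitive. Assumed for this example; a real
# audit would use the site's own parameter names.
SENSITIVE_PARAMS = {"bookingref", "booking", "reservation", "email", "token"}

# Referrer-Policy values under which cross-origin requests carry at most the
# origin, so the path and query string (and the reference) never leave the site.
STRICT_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class _ResourceCollector(HTMLParser):
    """Collects every resource URL the page loads and any <meta name="referrer">."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self.meta_referrer = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_referrer = (a.get("content") or "").strip().lower()


def audit_confirmation_page(page_url, html, response_headers=None):
    """Return which sensitive parameters the URL carries, which third-party
    hosts the page contacts, and whether the reference leaks to them."""
    page = urlparse(page_url)
    sensitive = sorted(
        name for name in parse_qs(page.query) if name.lower() in SENSITIVE_PARAMS
    )

    collector = _ResourceCollector()
    collector.feed(html)
    # Relative URLs (empty netloc) and same-host resources are first party.
    third_party = sorted(
        {urlparse(src).netloc for src in collector.resources} - {"", page.netloc}
    )

    # An HTTP header takes precedence here; otherwise fall back to the meta tag.
    headers = {k.lower(): v for k, v in (response_headers or {}).items()}
    policy = headers.get("referrer-policy", collector.meta_referrer or "").strip().lower()

    # Treat an absent policy as leaking: the browser default is then in charge,
    # and older defaults sent the full URL to any HTTPS destination.
    leaks = bool(sensitive) and bool(third_party) and policy not in STRICT_POLICIES
    return {
        "sensitive_params": sensitive,
        "third_party_hosts": third_party,
        "referrer_policy": policy or "(none set)",
        "leaks_reference": leaks,
    }


# Constructed sample: a confirmation URL and page, not a real hotel site.
SAMPLE_URL = "https://hotel.example.com/booking?bookingref=ABC123&email=guest%40example.com"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="https://analytics.example.net/tag.js"></script>
</head><body>
  <h1>Your reservation</h1>
  <img src="https://ads.example.org/pixel.gif" alt="">
  <script src="/js/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    # Without a policy the reference leaks; with a strict one it does not.
    print(audit_confirmation_page(SAMPLE_URL, SAMPLE_HTML))
    print(audit_confirmation_page(
        SAMPLE_URL, SAMPLE_HTML, {"Referrer-Policy": "strict-origin-when-cross-origin"}
    ))
```

The check is deliberately conservative: an absent policy counts as a leak, because the outcome then depends on the browser default rather than on anything the site controls. The more robust fix is the one the study implies: keep the booking reference out of the URL altogether (for example by requiring a login or a one-time code) rather than relying on the Referrer-Policy alone.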


It is worth remembering Recital 30 of the EU GDPR which states that ‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them’.


“Accountability is the underlying principle under the EU GDPR, yet thousands of companies still seem to think that they avoid their obligations when it comes to privacy and Data Protection, whilst we continue to vehemently be of a different opinion. Companies who do not demonstrate compliance by taking the appropriate technical & organisational measures will be subject to fines and sanctions similar to what we’ve seen in the last 48 hours. Prevention really is better than trying to find a cure after you’ve suffered a breach,” Martin concludes.


If you are looking for guidance and advice on how you can take steps towards data protection compliance and privacy regulations, contact info@deslyon.com today.


(*source: https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data)

Photo by Krys Amon on Unsplash

Deslyon blog: boardrooms, clip your wings

The intention to fine British Airways a record amount (as reported by the ICO* on Monday 9th July 2019) may have come as a shock to quite a few. However, these levels of fines and other significant penalties may start to become more familiar as more companies are exposed for their negligence in protecting personal information.


The 2018 Cyber Governance Health Check** report into the FTSE 350 companies, released by HM Government in March 2019, revealed some interesting findings which should cause concern for boardrooms across all businesses that collect and process personal data – whether that of customers, employees, or business partners/suppliers. The key findings from the report show that:


  • Less than two thirds (60%) of the FTSE 350 list of companies report that their appetite for risk (the extent and type of risk the business is willing to take) is agreed and written down. Therefore, for more than a third (40%) of businesses, there is a risk that not all staff members share the same vision as the board regarding the level and type of risk that they are willing to take.
  • 77% of FTSE 350 businesses do not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.


The report also states that only around 1 in 5 boards of FTSE 350 businesses have undertaken a crisis simulation on cyber risk in the last 12 months. When you take into consideration that in 2017, 70% of large companies (and 74% of SMEs) reported that they had suffered a cyber breach***, this suggests that we’ll see a lot more exposure of cyber weaknesses in what are perceived to be credible brands and organisations that lead the public to believe they deliver exemplary business practice.

Martin De Bruin, CEO at Deslyon suggests a few tips to help boardrooms start and navigate their way through their privacy strategy:

“First and foremost, the Board (including the CEO) has to decide on the company’s mission when it comes to Data Protection & Privacy. Then they can develop their strategy in accordance with the mission and form the team to steer the strategy. The framework should be based on the organisation’s needs as there isn’t really a one-size-fits-all. More often than not, the biggest risk in any organisation comes from internal, so it is vital that training & awareness is steered by the top. Communication is essential if all employees are expected to follow the company’s lead.”

If the words of Elizabeth Denham, UK Information Commissioner didn’t read loud and clear before, then maybe the following quote from her will make boardrooms across the country take notice:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”


To discuss your compliance requirements or to understand your obligations when it comes to privacy and Data Protection, email info@deslyon.com without delay.

(*source: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/)

(**source: https://www.gov.uk/government/publications/cyber-governance-health-check-2018) 

(***source: https://www.export.gov/article?id=United-Kingdom-Cyber-Security)

Photo by Joshua Sortino on Unsplash

Deslyon blog: cyber risk

A recent article by smeweb.com (http://www.smeweb.com/2019/06/18/beware-cyber-attack/) states that more than half of British firms have been the victim of a cyber-attack in 2019. It is highly likely that insurance will only part cover the costs of recovering back to Business as Usual, so how can insurance providers help their clients understand what it takes to ensure appropriate measures are being taken towards achieving compliance?

Businesses of all sizes, in almost every location in the world and in every business sector, rely on technology and digital in order to perform their (even most basic) functions. However, whilst more and more businesses seek to maximise the opportunity that this “4th industrial revolution” brings, the threats to businesses are even greater and (through lack of awareness) even easier to carry out than in previous times.

Let’s add the level of accountability that sits at the top of the organisation into the mix, and we can quickly ascertain this as a defining time for organisations and ultimately those who do not adapt to these seismic changes will soon give way to those organisations that have the appropriate measures in place to defend their business when the situation arises.

A common misconception is that cyber insurance will cover organisations against data breaches or cyber attacks to the organisation. What these providers often leave within the small print for organisations to find out for themselves is that the insurer will state that organisation must have appropriate measures in situ in the first place before a payout will be considered.

The question is – who is providing the relevant checks and balances to those who underwrite such policies, in order to help identify the risks and vulnerabilities that they should be checking with their customers prior to offering the policies? What intelligence can be drawn from previous incidents (not just for the organisation but also those linked to the business such as suppliers, vendors, business partners etc.) to ensure that the right questions are being asked prior to a decision on a policy (and an adequate excess fee/cover)?

The recent introduction of regulations and legislation – particularly around Data Protection – means that cyber security is establishing itself firmly at the top of the agenda across most board rooms. This isn’t a surprise when you consider the amount of information that is being collected, processed and stored by organisations (as well as their supply chain) across many internet entry points and on a range of inter-connected devices (not just mobile phones & laptops but also smart meters, door bells, speakers, vehicles, televisions, games consoles, to name but a few), and the fact that the new regulations, legislation and industry compliance frameworks hold those at the top of the organisation ultimately accountable for non-compliance. Terms like “spear-phishing”, “SMiShing”, “Vishing”, “Malware” and “Ransomware” are now established terms that are discussed more frequently than they were 10 (possibly even 5) years ago.

It is more important now than at any time before to not only understand the cyber security strategy of an organisation, but to ensure that insurance providers are offering business solutions and guidance to help businesses understand how they can protect their organisation from such threats which can only benefit the providers and policy holders alike.

For more information and guidance on compliance controls and an assessment of your business, contact info@deslyon.com today.

Deslyon blog: remote working policies

Just 1 in 5 businesses have a Remote Working or Bring Your Own Device policy in place!

  • even though over 4 in 10 say that staff in their organisation regularly use a personal device such as a non-work laptop for business purposes!

The 2019 Cyber Security Breaches Survey for the DDCMS shows that whilst businesses have taken considerable action to improve their stance on cyber security, there are still areas that require significant development by implementing the appropriate policies.

Remote working isn’t a new concept. In fact, there’s an article posted by flexjobs.com about the history of working from home, which you can find at the following link: https://www.flexjobs.com/blog/post/complete-history-of-working-from-home/.

However, what has changed significantly (in the last 10 years or so) is the interconnectivity of devices that extend beyond a desktop computer or a laptop. In fact, since the launch of the iPhone in 2007 (possibly even the BlackBerry 5810, which launched earlier in 2002), there has been a fundamental change in the manner in which people perform their work duties and in the need to be based in the office.

Whilst there have been rapid advancements in technology that have increased the flexibility of remote working, what seems to have been left behind are the controls and policies set by the employer when it comes to the technical and physical security of devices when working from home or on the road.

This is an area that will likely come under further scrutiny since the EU GDPR and UK Data Protection Act 2018 came into force.

Having a company policy in place that covers your employees who work from home or remotely could significantly reduce the risk of any information on those devices being compromised.

Staff who use their personal mobiles for company use will often install applications and programmes that are probably not likely to be on the company “whitelist” of acceptable apps. Company staff may travel overseas – possibly to a different continent. The way in which they access the internet may require certain restrictions (i.e. they may not be permitted to use the hotel/coffee shop free wifi).

Martin De Bruin, CEO of Deslyon comments:

“You just need to go to trade shows and industry events where you’ll see company representatives with laptops unattended, and sometimes even unlocked. How many stories do you hear where staff leave laptops in their cars and then become the victim of a break-in? It doesn’t take long to work out what the consequences might be if company confidential information ends up in the hands of an opportunist.”

Of course if personal devices are being used in the work place, this can often mean that other family members use the same laptops/tablets/even home computers, so it is imperative that companies have a policy in place that covers the technical and physical security of information and assets, which staff understand and are aware of their responsibilities when it comes to their own devices, and the content within those devices.

For guidance on creating policies within your organisation or for more information about Deslyon services, contact info@deslyon.com.

Deslyon blog: Testing the Chain Reaction of Your Supply Line

Auditing your suppliers and ensuring that their business practices align with your own organisation’s compliance can be a daunting task – even for those with minimal supply chains. What if your supply partner is based in another country, or another continent? What if your supply partner requires you to go through bureaucratic hurdles and hoops so as to get them to fulfil your request? Where does one even start to question their suppliers?

The 2019 Cyber Security Breaches Survey shares a range of interesting comments from businesses as to why companies do not carry out supplier compliance requests. “Trust”, “lack of resources” and “lack of guidance/knowledge” seem to be the key reasons given for not carrying out checks and balances across the supply chain. Typical responses include:

“We just trust them. They’ve been in business for a long time. They run huge events. They are world renowned and respected. We have faith based on that.”


“You don’t know what to ask. I would just trust that my suppliers wouldn’t breach anything. So, it would help to get some guidance.”

These were just some of the responses to this question in the survey.  Below are a few tips to help organisations ask the right questions:

Tip 1: What Access Controls Are In Place?

How does your supplier prevent unauthorised access to information processed on your behalf, or exchanged between you and them? How do they audit access checks? What about Physical Access Controls? If they’re part of a larger organisation what controls are in place to prevent data being leaked to other units outside of what has been contracted?

Tip 2: Assessing Data Protection obligations.

What Data Protection Laws apply to the supplier who you are working with? What other laws does your supplier have to comply with in order to operate their business function?

Tip 3: Documenting any Accreditations/standards that the supplier conforms to.

For example, are the information security policies & procedures that your supplier conforms to in accordance with an Information Security Management System as defined in ISO 27001? (If so – when were they last audited?)

Tip 4: Revisiting your existing contract and wording.

Does it include specific Responsibilities and Service Level Agreements that the supplier will adhere to in the event of a security breach/compromise that affects information between them and your organisation?

Tip 5: Hiring & Training of Staff.

Is there a need for your supplier to carry out the same checks and balances as your organisation does with internal staff if those members of staff are working as your outsourced representative?


Of course, these are just a few suggestions and are designed to spark the conversation within your organisation. What also needs to be taken into consideration is how the organisation monitors its supply chain.

Martin De Bruin, CEO of Deslyon comments

“The challenge faced by many organisations is that with new laws, regulations and an ever-changing compliance landscape, appropriate resource and expertise is needed in order to ask the right questions. For example, Accountability under the EU GDPR means that organisations must implement appropriate technical & organisational measures in order to fulfil their governance obligations.”

To discuss how Deslyon can help your business deploy the appropriate technical & organisational measures, email info@deslyon.com.


With recent news surrounding major Mergers & Acquisitions within the digital industry, questions will be raised around what due diligence is being applied to ensure legal obligations around the collection and processing of personal (sometimes sensitive) data under the acquirer.

There may be many legal and compliance aspects which need to be factored in as well as new controls which the acquirer has to put in place as a result of their new acquisition.

Industry Codes of Conduct such as PCI DSS become a subject matter for consideration where the business transacts online via credit card payments. If the new acquisition means that the acquirer enters into a new industry such as Health (and the acquirer has historically been within, say, consumer electronics), then regulations relating to health and other sensitive information have to form part of the privacy strategy moving forward, and possibly regulations relating to data about children.

Geographically, there may be a number of challenges that present themselves. For example, say a US company acquires a business in Europe; it then has to implement appropriate measures and governance that are relevant to each of the local markets, the cultural norms, as well as local regulations. If that seems challenging, it gets even more interesting when one discovers that the General Data Protection Regulation is adapted differently in each EU market.

For example, in the UK, the UK Data Protection Act 2018 states that there are further exemptions (that are not included within the official GDPR text) when responding to a Data Subject Access Request. In Germany, there are amendments to the official text with regards to processing Special Categories of Data, amongst other variations. In Spain, Article 37 (designation of a Data Protection Officer – DPO) carries further obligations than what is in the official text, and there is an additional function for the DPO, in that the DPO may intervene in case of a complaint against a controller or processor with a supervisory authority and communicate to the complainant the organisation's resolution within 2 months of the receipt of such complaint (before the complaint is submitted to the supervisory authority; source: iapp.org).

What if your company is divesting a business?

Again, a relevant question given that there are real-world examples of this actually taking place. When divesting a business, there may well be risks associated with the data that is being released, and therefore a thorough assessment of the infrastructure of all, or any part, of the entity being divested must be undertaken prior to the event to ensure that unauthorised access to any personal information/data is prevented as part of the divestiture process (unless there are specific exceptions – in which case they need to be documented).

It is worth remembering that an organisation can be exposed to unnecessary corporate risk by acquiring companies with differing regulatory obligations. A privacy checklist is a useful tool to help ensure this process is carried out effectively.

For further information on how mergers, acquisitions or divestitures could affect your organisation, feel free to contact us at info@deslyon.com.


Following the news that a security researcher discovered millions of unsecured Facebook user records on an Amazon server, stored there by a 3rd party Application called Cultura Colectiva, this news story raises questions as to how 3rd party developers and Application providers are vetted by Facebook, as well as what obligations Facebook imposes upon 3rd parties when it comes to the confidentiality of its members’ information.

Cultura Colectiva describe themselves as “a digital platform that inspires audiences through content created with data and technology…. The largest digital platform in Mexico and Latin America with significant reach in Argentina, Chile, Colombia, and Spain” – Spain of course being in the EU, meaning that Cultura Colectiva are subject to the EU GDPR not only because their reach extends into an EU territory, but also because it is highly likely that EU data subjects access and interact with their app and their website from a number of destinations around the world. Cultura Colectiva then sent that data for storage to a remotely managed services provider (aka the Cloud) and failed to protect that data by leaving it unsecured.

Under the EU GDPR, an entity has 72 hours to report a data breach to a supervisory authority. If that breach is likely to harm or affect the rights & freedoms of data subjects, then that entity is legally required to inform those data subjects without delay, yet it took several months for any action to be taken once the breach was discovered by a security researcher (the breach was initially flagged on 1st February; it took 3 weeks for someone from Amazon to respond saying that they were “looking into the situation”, and the data was finally removed on April 3rd – by Facebook, not by Cultura Colectiva – source: https://www.bloomberg.com/news/articles/2019-04-03/amazon-cloud-storage-dilemma-exposed-in-facebook-s-latest-leak).

It is worth remembering that when data is sent into the cloud, you are at the mercy of that 3rd party’s security controls and systems.

If that data has been sent into the cloud by a 3rd party (Cultura Colectiva are a 3rd party who stored the data on a server provided by another 3rd party, Amazon) who hasn’t taken appropriate security measures to ensure that the data is protected or secured, that is highly likely to lead to complete loss of control of that data, which could lead to catastrophic circumstances if the data is of a personal nature. What’s more, the initial collector of that data is – as data controller – ultimately responsible for allowing that data to be accessed by a 3rd party. Therefore it is vital that contracts and agreements reflect the responsibilities where there are “joint controllers” (Article 26 of the EU GDPR).

It is also vital that data subjects are aware of how their data will be processed and what protections are in place with partners of that 3rd party, so that individuals can provide explicit, freely given, affirmative authorisation for their data to be used in exactly the way described by the controller.

Therefore an update of privacy notice(s) and internal policies that takes into account the local laws and regulations of that company's members/customers/users needs to be actioned. For example, if your company HQ is in Mexico, and you are collecting EU data subjects' data and processing it by storing it remotely in the US, then you are bound not only by Mexican Data Protection Laws but also by the Data Protection Laws of the US and the EU, as well as the local laws of the users’ nationality.