Data Privacy Regulations for Businesses


  • Abha Tiwari

    DPO I Lawyer I CIPP/E I CIPM I FIP

    6,437 followers

    Personal data accessed by an employee out of 'curiosity' - does it amount to a violation of data privacy legislation? The point to note is that the said employee has access to that data in order to carry out day-to-day activities.

    The Slovenian DPA answered it stating that: 'Any access that goes beyond these limits, for example, viewing someone else's personal data for personal interest or curiosity, constitutes unlawful processing and thus a violation of data protection legislation. Even if an employee is given technical access to personal data, this does not necessarily mean that they also have the right to view it. Viewing the data is only permitted if it is necessary for the performance of a specific work task.' https://lnkd.in/g7YvEsMa

    Training and sensitization of the people processing personal data is a must.

    #Dataprivacy #workplace #employment #personaldata

  • David Politis

    Building the #1 place for CEOs to grow themselves and their companies | 20+ years as a Founder, Executive and Advisor of high growth companies

    15,260 followers

    One recurring theme across all of the BetterCloud State of SaaS reports has been IT’s fear of sensitive data being exposed from their SaaS applications. That fear is 100% warranted. Here are just some of the examples of what I’ve seen over the last decade:

    A senior partner at a prominent VC firm left but kept access to the firm’s Dropbox, which contained deal docs, internal notes, and memos. The firm had set it up using personal Gmail accounts and never removed access. The partner joined another firm in the same space and used that Dropbox for almost two years. They even won deals by offering better terms based on information from those files.

    An employee who suspected they were about to be fired (and had super admin access that they didn’t need) created an internal email alias that looked like their CEO’s address. They set up forwarding from the CEO’s inbox to the alias and then to their personal email. After being fired, they continued receiving emails and eventually used the information to blackmail the CEO.

    A company preparing to go public had consultants from an outside firm in their Slack. When the contract ended, no one removed them. Those consultants were later hired by a competitor and used the Slack messages to inform their strategy.

    A Chief Strategy Officer at a fast-growing startup left for a competitor. Before leaving, she shared three key strategy documents to her new work email. These were living documents that were actively updated. It took nearly a year for her previous company to realize she still had access and had been viewing them.

    A head of sales at a national gym chain downloaded the entire member database before leaving for a nearby competitor. It included contact details, personal info, and membership histories. Over time, they used that list to target and poach former members.

    These are just a handful of examples. I’ve heard and seen many more. This kind of thing happens every day across every industry, at companies of every size.

    The reality is that some of this is malicious (i.e. the claims in the Rippling vs Deel case) and many times it’s unintentional (i.e. too many settings and features that expose data that users don’t understand leading to misuse/misconfiguration).

    In a couple of weeks we’re going to be unveiling the 2025 State of SaaS report and findings. This year we’re going to be talking about the challenges IT is facing but also solutions to those challenges. There is so much in this report. One of the things I never appreciated was how valuable the trending data over 10+ years of doing this would be. Register here: https://lnkd.in/e6WkPiyn

  • Winnie Ngige., FIP (CIPM, CIPP/E)

    Global Data Protection Officer| AI Governance Lead | Fellow of Information Privacy (CIPM, CIPP/E )| I help organizations fill the gap between privacy compliance, business needs and innovation.

    5,982 followers

    In a decision that should serve as a wake-up call to marketing teams, the Office of the Data Protection Commissioner ordered Goodtimes Africa to pay Ksh 700,000 to a complainant for sending unsolicited promotional messages without their consent.

    👉 The Issue
    Goodtimes Africa was found to have sent promotional messages to Dennis Gathara without obtaining prior consent, violating the complainant's data protection rights. Despite attempts to unsubscribe, the complainant was unable to opt out due to the absence of a functional opt-out mechanism. Investigations by the ODPC confirmed that Goodtimes Africa failed to provide a simple and effective method to stop receiving marketing communications.

    👉 The Regulatory Findings
    The data commissioner emphasized that:
    📌 Data subjects have the unconditional right to object to the processing of their data for direct marketing purposes.
    📌 Organizations must provide clear, accessible, and effective opt-out mechanisms for data subjects to exercise this right.

    What are the best practices for Opt-Out Mechanisms? Implement the following:
    📌 Ensure opt-out instructions are clearly visible and easy to understand, such as embedding an unsubscribe link in promotional emails.
    📌 Mechanisms should require minimal time and effort from the data subject.
    📌 Provide accessible channels, such as a dedicated email address, for opt-out requests.
    📌 Opt-out should be free or incur only a nominal cost for the data subject.
    📌 Mechanisms must be inclusive and accessible to individuals with disabilities.

    Here are some additional measures to help you stay compliant:
    📌 Maintain a record of all opt-out or consent withdrawal requests to ensure personal data is not used for future marketing.
    📌 Regularly update and clean your marketing databases to reflect consent preferences accurately.

    #dataprotection #dataprivacy #compliance
    Do you enjoy such content? Follow me for weekly updates.

  • Alon Gal

    Co-Founder & CTO at Hudson Rock

    18,348 followers

    🚨 Community Warning: Hackers are using compromised corporate email accounts to socially engineer access to cybersecurity platforms.

    On August 9th, a threat actor requested a free preview API key from Hudson Rock using the email address pmm.cussetvichy-assistant.fct@def.gouv.fr. After the request, we confirmed that they were indeed the owner of that email address. We provided a free API key that does not display any sensitive information (we actually had it public until a week ago when it started being abused). As a standing principle, we do not show anyone private data until we've had a call with them and verified that they hold a relevant position in the company they claim to represent.

    As part of our routine checks for suspicious activities, we noted that the free key we provided was used extensively over a period of 24 hours. Along with another pre-scheduled task, we discovered that the email pmm.cussetvichy-assistant.fct@def.gouv.fr is associated with a computer that was infected by an Infostealer that same week. This confirmed our suspicion that the email address was in the possession of a threat actor. We immediately shut down their limited access and ensured that no one at our company accidentally granted them uncensored access.

    A scenario I can imagine was about to unfold is the threat actor trying to push the team to give them uncensored access because they "really want to close a deal but just need to check some data first" or some other excuse to cause urgency.

    Bottom line: we successfully fended off this attack before it materialized into anything significant. We also provided the French authorities with the data.

    Important Lessons:
    - Our policy of not providing uncensored access until a Zoom call is conducted has proven to be highly important. A simple email exchange isn’t enough; additional verification steps, such as video calls or cross-referencing with known contacts, should be employed.
    - The discovery of the compromised email account was partly due to routine checks and monitoring of usage patterns. Continuous monitoring and anomaly detection are vital for identifying unusual activity that could indicate a security breach. Always check if prospects are signing up with email addresses that have been involved in Infostealer infections. This is how threat actors often gain access. You can ask VX-Underground how many emails they receive from compromised email addresses belonging to government employees around the world; it is highly common.
    - The decision to provide a limited API key, which only exposed non-sensitive information, eliminated the potential damage. Restricting access to sensitive data and only granting it after thorough verification is a best practice.

    As a side note, just this week a threat actor acquired a commercial license to cybersecurity firm Socradar which led to a leak of 330,000,000 emails. It is evident that cybersecurity firms are being targeted by hackers and it's important to stay alert.
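The two routine checks the post above credits with catching the abuse (watching how heavily a preview key is used, and checking whether a signup address has appeared in infostealer infections) are easy to automate. The following is an added example, not Hudson Rock's code: the JSON-lines log format, the key ids, the email addresses and the compromised-address feed are all constructed for the example, and a real deployment would read its own access logs and a real infection feed.

```python
# Added example (not Hudson Rock's code): two of the routine checks the post
# above recommends, run over constructed sample data.
#   1. Flag preview API keys whose request volume in any 24-hour window exceeds
#      a threshold (the "used extensively over a period of 24 hours" signal).
#   2. Check a signup email against a feed of addresses seen in infostealer
#      infections before any uncensored access is granted.
# Log format, key ids, addresses and the feed are constructed here.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed stand-in for an infostealer-infection feed: address -> first-seen date.
COMPROMISED_EMAIL_FEED = {
    "assistant@agency.example": "2024-08-07",
    "finance@corp.example": "2024-07-30",
}


def make_usage_log():
    """Constructed JSON-lines access log: one preview key hit 120 times in under
    a day, one used a handful of times (hypothetical key ids)."""
    base = datetime(2024, 8, 9, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        lines.append(json.dumps({"ts": (base + timedelta(minutes=10 * i)).isoformat(),
                                 "key_id": "preview-key-A", "endpoint": "/preview/search"}))
    for i in range(5):
        lines.append(json.dumps({"ts": (base + timedelta(hours=6 * i)).isoformat(),
                                 "key_id": "preview-key-B", "endpoint": "/preview/search"}))
    return "\n".join(lines)


def parse_usage_log(text):
    """Parse JSON lines into (timestamp, key_id) pairs, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append((datetime.fromisoformat(rec["ts"]), rec["key_id"]))
        except (ValueError, KeyError):
            continue  # malformed line: ignore rather than crash the monitor
    return events


def keys_over_threshold(events, window=timedelta(hours=24), max_requests=100):
    """Return {key_id: peak requests in any sliding `window`} for keys whose
    peak exceeds max_requests. Two-pointer sweep over sorted timestamps."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > max_requests:
            flagged[key] = peak
    return flagged


def signup_email_risk(email, feed=COMPROMISED_EMAIL_FEED):
    """Return the infection date if the signup address is in the feed, else None."""
    return feed.get(email.strip().lower())


def triage(log_text, signups):
    """Combine both checks into findings to review before any verification call.
    `signups` maps key_id -> the email address used at signup."""
    findings = []
    for key, peak in keys_over_threshold(parse_usage_log(log_text)).items():
        findings.append(f"{key}: {peak} requests in a 24h window; suspend pending verification")
    for key, email in signups.items():
        seen = signup_email_risk(email)
        if seen:
            findings.append(f"{key}: signup address {email} seen in infostealer logs on {seen}")
    return findings


if __name__ == "__main__":
    signups = {"preview-key-A": "Assistant@agency.example",
               "preview-key-B": "analyst@vendor.example"}
    for line in triage(make_usage_log(), signups):
        print(line)
```

The volume check uses a sliding window rather than a calendar day so a burst that straddles midnight is still counted as one 24-hour spike; the feed lookup normalises case and whitespace because the address a prospect types rarely matches the feed byte for byte.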

  • Dennis Dayman

    30-Year CISO | Expert in Security, Privacy & Data Governance | Builder of Trust & Scalable Defenses | Seed Investor & Advisor

    4,089 followers

    Privacy Theater, Performed by AlphaSights and JuWay Pak

    Today’s episode: “We Take Data Protection Seriously… Until You Actually Ask Us To.”

    As a Chief Privacy Officer, I don’t give out my personal email address lightly. So imagine my surprise when AlphaSights — a company that connects professionals with consulting opportunities — contacted me using an email address I’ve never once used publicly. Worse? The version they used was one created by data scrapers, not me. A fraudulent alias.

    When I challenged them, they told me: “Well, Gmail treats dotted and undotted versions as the same.” Yes — internally Google does. That’s irrelevant to external identity validation. #Privacy law isn’t about how Google routes mail — it’s about data accuracy, transparency, and consent.

    They also blamed their vendor, ContactOut, and told me to go chase them down myself — despite being the ones who paid for and used the bad data.

    Let me be clear:
    📌 Publicly available data (IF that were the case here; it wasn't) is not a blanket excuse for lazy or unlawful processing.
    📌 You can’t push #GDPR obligations onto your vendor just because they “passed your due diligence.”
    📌 And no, I’m not going to submit more personal information just to opt out of something I never opted into.

    If you’re a company that buys data, you’re responsible for the accuracy and the impact. FULL STOP!

    This kind of behavior isn’t just sloppy — it’s dangerous. It enables impersonation, spam, and misrepresentation. If you’re in the privacy, compliance, or cybersecurity world, keep a sharp eye on vendors and platforms like AlphaSights and ContactOut.

    🛑 If you’re going to claim “legitimate interest” as your basis for contact, then you better get it legitimately.

    #PrivacyMatters #DataProtection #GDPR #DigitalIdentity #Infosec #Cybersecurity #DarkPatterns #AlphaSights #ContactOut #Accountability #PrivacyTheater

  • Shaun Lew

    Resolving your commercial, criminal and family law disputes Litigation | Arbitration | Negotiation and Mediation | Intellectual Property | Construction | Engelin Teh Practice Growth Mindset | 🚴♂️🚴♂️🚴♂️

    2,074 followers

    📱 𝐖𝐨𝐫𝐤 𝐃𝐚𝐭𝐚 𝐨𝐧 𝐏𝐞𝐫𝐬𝐨𝐧𝐚𝐥 𝐃𝐞𝐯𝐢𝐜𝐞𝐬: 𝐃𝐨 𝐄𝐦𝐩𝐥𝐨𝐲𝐞𝐫𝐬 𝐇𝐚𝐯𝐞 𝐭𝐡𝐞 𝐑𝐢𝐠𝐡𝐭?

    As remote work continues to thrive, a key question arises: Do employers have a right to access work-related data on personal devices without explicit policies?

    𝘊𝘢𝘴𝘦 𝘓𝘢𝘸 𝘐𝘯𝘴𝘪𝘨𝘩𝘵𝘴

    🇬🇧 United Kingdom: 𝑷𝒉𝒐𝒏𝒆𝒔 4𝑼 𝒗 𝑬𝑬 𝑳𝒕𝒅 [2021] EWCA Civ 116
    This case highlights the complexities of employer access to work-related data on personal devices. The Court of Appeal examined whether employers could access communications on employees’ personal devices during litigation. The ruling confirmed:
    1️⃣ Employers may request access to work-related data during legal proceedings if the data is within their “control” - the court clarified that work-related communications could fall within the employer’s control, even if on personal devices. The key factor is whether the employee created or received the documents during employment.
    2️⃣ However, personal devices are protected by Article 8 of the European Convention on Human Rights (ECHR), which guarantees privacy. Any intrusion must be proportionate and limited to what is necessary.
    3️⃣ Safeguards are critical: the court emphasized involving independent third parties (e.g., IT consultants) to separate work-related data from personal content, which can be highly sensitive and personal and, if abused, subject the employee to unlawful embarrassment.
    The court noted the increasing use of personal devices for work, but cautioned that any order involving personal devices must carefully balance privacy rights and the administration of justice.

    🇸🇬 Singapore: 𝑺𝒑𝒂𝒄𝒆𝑺𝑨𝑻𝑺 𝑷𝒕𝒆 𝑳𝒕𝒅 𝒗 𝑪𝒉𝒂𝒏 𝑪𝒉𝒊𝒂 𝑺𝒆𝒓𝒏 [2023] SGHC 40
    The court ordered the delivery of personal devices for compliance. However, the absence of written grounds on this issue limits its value. While the Personal Data Protection Act 2012 applies to employers, its protection is limited to personal data, and unlikely to prevent court orders for disclosure of work-related data on personal devices.

    The Verdict: 𝑵𝒐 𝑨𝒖𝒕𝒐𝒎𝒂𝒕𝒊𝒄 𝑹𝒊𝒈𝒉𝒕 ❌
    Courts are clear: Employers cannot automatically access personal devices. Privacy protections take precedence unless justified by policies, agreements, or legal proceedings.

    𝐊𝐞𝐲 𝐓𝐚𝐤𝐞𝐚𝐰𝐚𝐲𝐬:
    1️⃣ 𝑬𝒎𝒑𝒍𝒐𝒚𝒆𝒓𝒔: Issue work devices or draft clear bring-your-own-device (“BYOD”) policies outlining access rights and safeguards.
    2️⃣ 𝑬𝒎𝒑𝒍𝒐𝒚𝒆𝒆𝒔: Know your rights and clarify expectations when using personal devices for work.

    The Phones 4U case is a wake-up call: employers must balance their need for access with employees’ fundamental right to privacy. Clear policies are essential to avoid disputes.

    ⚠️ Disclaimer: This post provides general insights and is not legal advice.

    What’s your view? Should companies instead issue work devices, or rely on robust policies?

    #EmploymentLaw #Technology #Privacy #BYOD #LegalIssues #Litigation

  • Tom Gell

    Making Compliance Human for Startups & Scaleups | Book an appointment below

    3,906 followers

    Anyone who tells you that you always need consent to send marketing to people in the UK... is wrong.

    I mean, the GDPR specifically calls out direct marketing as a potential legitimate interest.

    So where does this consent stuff come from then?

    A law (that should be better known amongst both DP professionals and wider business people alike) called the Privacy and Electronic Communications Regulations 2003. (2003! You've had 20 years to learn about it. No excuses.)

    The PECR, as you may have guessed, mentions direct marketing via electronic means. This includes things like emailing, texting, and pre-recorded telephone calls, e.g.: ("our records show that you've recently been in an acci-" "F*ck off")

    When sending direct marketing to private individuals in the UK electronically - this includes sole traders and partners - you almost always need to ask for consent before sending them electronic marketing. Why? Because the PECR (not the GDPR) says so.

    But there is an exception to the consent rule under PECR and this is known as the "soft opt-in". This means you can rely on legitimate interests and send electronic marketing without consent if:
    - You obtained the contact details in the course of a sale (or negotiations for a sale) of your product; AND
    - You are only marketing your own similar products or services; AND
    - You provided a simple opportunity to refuse or opt out of marketing, both when first collecting the details and in every message after that.

    Bonus points for recognising that this is all about electronic marketing.
    Posting marketing materials? No need for consent to do that (but don't forget to check the MPS).
    Live phone calls? Also no need for consent to do that (but don't forget to check the TPS).
    Et cetera.

    So, with no consent, what could you rely on in these cases? Legitimate interests. That does mean that people can opt out (just like with the soft opt-in). It also means that you should do a legitimate interests assessment.

    Simple, really.

  • Mateusz Kupiec, FIP, CIPP/E, CIPM

    Institute of Law Studies, Polish Academy of Sciences || Privacy Lawyer at Traple Konarski Podrecki & Partners || DPO || I know GDPR. And what is your superpower?🤖

    25,720 followers

    🍪🇫🇷 CNIL - Commission Nationale de l'Informatique et des Libertés has published draft guidelines on using #tracking #pixels in emails, aiming to clarify the legal obligations under the GDPR and the French implementation of the ePrivacy Directive. The CNIL confirms that embedding tracking pixels in emails constitutes an operation of storing information on a user’s terminal and thus falls under the rules requiring user consent—except in narrowly defined cases.

    📍 According to the draft, senders of tracked emails act as data controllers, even when email dispatch is outsourced. Emailing service providers typically qualify as processors, though they may become joint controllers if they use pixel-derived data for their own purposes. Consent is required for individual-level tracking to measure open rates, personalise content, segment users, or detect fraud. Exemptions apply only when tracking serves strict security functions (e.g. password reset verification) or when aggregate open rates are collected using non-individualised pixels. The CNIL emphasises that consent must be freely given, specific, informed, and unambiguous. It should be collected at the point of email address collection or, if that is not feasible, via a consent request email containing no tracking elements.

    📍 Perhaps most notably, the CNIL seems to stress that even when email content may be legally sent without consent (e.g. transactional messages), the tracking pixel still requires separate opt-in. This reinforces the principle that the surveillance layer of communication must be independently justified, not merely piggyback on lawful messaging.

    📍 The draft is open for public comment and signals a strong regulatory stance on email tracking practices. Will other DPAs or authorities responsible for enforcing national transpositions of the ePrivacy Directive follow CNIL?

    #rodo #privacy #marketing
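The distinction the post draws, between a pixel that identifies the individual recipient (consent required) and one that only yields an aggregate open count, is something a compliance team can check in its own outgoing templates before a campaign ships. The following is an added example, not CNIL's or any vendor's code: it scans an email template for remote, hidden images and reports whether each looks individual-level. The sample HTML, the hostnames and the "individual-level" heuristic (a query string or a long opaque path token) are constructed assumptions of the example, and a human should confirm each finding.

```python
# Added example (not CNIL's or any project's code): audit an outgoing email
# template for tracking pixels so the team knows which templates store an
# identifier on the recipient's device and need a separate opt-in.
# The sample template, hostnames and the individual-level heuristic are
# constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import re

# Constructed sample template: a visible logo, an individualised open-tracking
# pixel (recipient id in the query string), and an aggregate campaign pixel.
SAMPLE_EMAIL_HTML = """
<html><body>
  <img src="https://cdn.example.invalid/logo.png" width="200" height="60" alt="Logo">
  <p>Your order has shipped.</p>
  <img src="https://track.example.invalid/open.gif?rid=8f3a2c1e9b&c=42" width="1" height="1" style="display:none">
  <img src="https://stats.example.invalid/campaign42.gif" width="1" height="1" alt="">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1', '1px' or ' 1 ' into an int; None when absent or non-numeric."""
    try:
        return int(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


def _is_hidden(attrs):
    """A pixel is 'hidden' if at most 1px in either dimension or styled invisible."""
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def _is_individual_level(url):
    """Heuristic (an assumption of this example): a URL carrying any query
    parameter, or an opaque token of 20+ characters in its path, identifies the
    recipient rather than just the campaign."""
    parsed = urlparse(url)
    if parse_qs(parsed.query):
        return True
    return re.search(r"[A-Za-z0-9_-]{20,}", parsed.path) is not None


def find_tracking_pixels(html):
    """Return one finding per remote, hidden image: which host it reports to and
    whether it looks individual-level (needs consent) or aggregate."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:/data:) images cannot report an open to a server
        if not _is_hidden(attrs):
            continue
        findings.append({
            "src": src,
            "host": urlparse(src).netloc,
            "individual_level": _is_individual_level(src),
        })
    return findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        kind = "individual-level (consent required)" if f["individual_level"] else "aggregate"
        print(f"{f['host']}: {kind}  <- {f['src']}")
```

Run against the constructed template it reports the two 1x1 images and skips the logo; the transactional text around them is exactly the case the post highlights, where the message itself may be lawful but the individualised pixel still needs its own opt-in.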

  • Jodi Daniels

    Practical Privacy Advisor / Fractional Privacy Officer / AI Governance / WSJ Best Selling Author / Keynote Speaker

    19,735 followers

    Can I send that cold marketing email without consent?

    Just this month, I was asked the same question by three very different people: a general counsel, a privacy leader, and a head of marketing.

    And since it's a super common question, and one that holds up email marketing campaigns around the globe - we created the Email Marketing Compliance Guide.

    Because when companies work across borders with privacy regulations like CAN-SPAM, GDPR, ePrivacy, CASL, Australia’s Spam Act, and Brazil’s LGPD, every country has a different take on what’s allowed.

    Some say you need opt-in consent. Others say you don’t.

    And then companies might question what even counts as a marketing email.

    Yet if companies don’t understand global compliance rules as they enter new markets (or send marketing emails to the ones they already do business in), companies are risking more than just poor performance.

    They could be violating the law.

    And damaging consumer trust.

    That's not a risk businesses can afford to take.

    So we created the Email Marketing Compliance Guide to help companies guide decisions and answer questions on whether or not they can send that cold email.

    Inside our guide, companies will get clarity on:
    ✔ Privacy laws and email marketing requirements across the US, Canada, EU, UK, Australia, and Brazil
    ✔ How to spot the differences between commercial and transactional messages
    ✔ Tips on consent requirements, opt-out rules, and how to avoid misleading email content
    ✔ Steps for creating a compliant email marketing program
    ✔ The importance of a preference center
    ✔ And more!

    It’s written for marketers and leaders who need to move fast and stay compliant.

    No guesswork. No fluff. Just clear, actionable guidance.

    Whether your company is scaling into global markets or refining current email marketing programs, our guide will help you meet compliance obligations, respect your audience, and build trust.

    And our Email Marketing Guide comes to you ungated. No name or email required.

    Download it here today (no email required): https://lnkd.in/edJAW6WV

    ♻️ Share the guide with your marketing and privacy friends!

  • Martha Njeri

    Cybersecurity and Data Protection|| AI Security and Governance|| Privacy Program Management || Information Security Governance || ICT Risk and Governance|| OT Security||CC - ISC2||CASA

    9,242 followers

    Data Protection and Privacy Best Practices in Marketing

    Data protection in marketing ensures that data is handled responsibly and in line with data protection laws. Below is a highlight of some best practices in marketing regarding data privacy:

    1. Lawful basis of processing personal data.
    - Consent. Marketers must obtain clear and explicit consent before using personal data. To achieve this, apply: opt-in mechanisms instead of pre-checked boxes; granular consent, allowing individuals to choose the types of marketing communications they want to receive.

    2. Transparency and information disclosure.
    Have a privacy notice in place that clearly explains how personal data is collected, processed and used for marketing. When collecting data through forms or pop-ups, clearly explain the marketing purpose and how data will be used.

    3. Data minimization and purpose limitation.
    Collect personal data necessary for the specific marketing activity. And on purpose limitation, personal data collected for one purpose cannot be reused for marketing without proper consent.

    4. Data Subject Rights in marketing.
    Right to withdraw consent: provide a clear and easy-to-use unsubscribe or opt-out mechanism in every marketing communication. Right to object; right to access; right to erasure; etc. Ensure processes are in place to respect these and other rights promptly.

    5. Cookies.
    Display cookie banners informing users of the type of cookies in use and allow them to choose which categories they consent to.

    6. Third Party Advertising platforms.
    When working with third-party advertising platforms such as Google, ensure their data practices align with privacy laws and you are transparent with data subjects about how data is shared with these platforms.

    7. Data Retention.
    Personal data for marketing purposes should not be retained for longer than necessary. Establish processes to delete data once it's no longer needed. Remember, do not repurpose the data.

    8. Profiling and Automated Decision making.
    If you use automated decision making, e.g. targeted ads based on online behavior, ensure data subjects are aware and provide informed consent. Additionally, limit the use of personal data in automated decision making to what is necessary and justified.

    Post Script: I hope this helps; feel free to add any other that I may have left out or expound further on any of the listed ones.

    #dataprotection #privacy #privacyinmarketing #datagovernance #cybersecurity
