…Or why Castlebridge take an Enterprise Ontology approach to ROPAs.
One of the documentation requirements that organisations have been getting their heads around since GDPR came in is the “Register of Processing Activities” or “ROPA” required in Article 30.

Back in 2017 when some of our clients were first looking into making sure they had this new “register of processing activities”, one of the first things we did was look at the documentation they already had to

Yesterday afternoon, Facebook’s most recent whistleblower Frances Haughen spoke to the Oireachtas Joint Committee on Tourism, Culture, Arts, Sport and Media on Online Disinformation and media literacy (Disinformation and misinformation on online platforms).




I listened in with interest not just because I’ve been publicly critical of Facebook’s ethics washing and exploitative practices since 2016 (that whitepaper almost never got published because just as I was about to finish Facebook did another awful thing!), but also because

On October 8, the White House Office of Science and Technology Policy published an OpEd in Wired magazine calling for a “Bill of Rights for an AI-Powered World” and opening a public consultation. This is significant signalling from the White House, and it could be seen as sign of hope that that the continually stalled attempts for a much needed reform of US Federal privacy laws may see some movement once again. A strong signal

The Irish DPC published a decision highlighting need for ongoing investment in GDPR Training. This blog post examines the implications for organisations and highlights the need to adopt a data literacy approach to the continuous development of data protection skills and competencies in organisations through effective data education for all staff.

Data driven decision making seems intuitively a great idea. Basing your organisational strategy on sound information and having concrete figures supporting your decision are likely to be a much stronger foundation for good decisions and good outcomes than unsupported opinion or gut feeling. However, there are limits to this idea, and my question to you is who’s really driving? Do you want a data driven decision making or data informed decision making?

There’s a fundamental conception

I'm hearing a bit of confusion regarding "cookies" on websites (again), so it’s time to walk through The Cookie Question in some detail.
It’s not all about GDPR!
First of all, this isn’t all about GDPR, and the laws about cookies and consent predate GDPR. The law regulating use of "cookies" in Ireland is S. I. 336 of 2011, which implements the EU ePrivacy directive (Directive 2002/58/EC  amended in 2009) (That's right, it's not actually a GDPR

“Data Literacy” is a very current buzzword. It’s been identified as a strategic necessity for data driven organizations, and an essential competency for employees.  But, as usual with many popular words, it’s not always very clear what people mean when they talk about “literacy”. The definition is unclear.  Are we all talking about the same thing?  If Gartner describes it as the ability to “speak data” as if it’s a second language, what do they

We talk a lot in Castlebridge about how trust is essential. Understanding the value of data and communicating the benefits of the outcomes of your process or programme are very important to get people to buy in to your vision. Whether your vision is your data strategy, building Data Governance in your organization, or getting people to consent to you processing their personal data.  Today, it’s nice to be able to look at a success

Data Literacy is becoming a thing, and there is an increasing focus in a number of areas on the question of certification and accreditation of skills. As a consultancy and training company Castlebridge has been at the forefront of Data Protection and data management training for over a decade, and we are proud of our record. In addition to helping skills and expertise through public, tailored and bespoke training to meet our clients’ needs in

In the just over two years since GDPR has come into full effect, we’ve seen a significant rise in a particular kind of jobsworth blocking, where people and organizations with a clear lack of understanding of Data Protection law claim that the they can’t do their jobs because of GDPR. In a very large number of these claims, I end up ranting that “No, GDPR actually requires you to do the thing you are saying

I’m one of the 600,000 or over 1,000,000 people who is currently boiling the kettle to brush my teeth.  Wait . . . how many people?  That’s the question.  Is it approximately 12% or 20% of the of the population of Ireland that has been without clean water for the past couple days?  That’s a big difference in numbers.  Why the confusion?  This is an example of something I call the "Princess Bride Effect".



https://twitter.com/IrishWater/status/1186701954111672320

Yesterday the Irish Times had an interesting article on the Department for Children and Youth Affairs’ new National Childcare Scheme, which is likely to cause some trouble for the department. It turns out that the department has gone live with a system to apply for the National Childcare Scheme that only works with the Public Services Card (or more accurately, the “MyGovID” database that the PSC is a physical token for.)  If you have a

RTÉ Investigates’ exposé of, yet again, serious failings in our childcare system has this week prompted an ill-informed and frankly distracting discussion around the use of CCTV in Ireland’s creches. The suggestion of putting CCTV in creches to “solve” the serious failures in Tusla’s oversight of early childhood care is a bait and switch that distracts us from the real issues of regulation and enforcement. It’s the equivalent of pointing over our shoulders and yelling

I’ve been thinking a lot about balance lately.

The General Data Protection Regulation (GDPR) is human rights-based legislation and we constantly talk about balancing fundamental human rights or balancing the rights and freedoms of individuals with the interests of the data controller.  Data Protection Impact Assessments require balancing tests in the context of risks to rights and freedoms.  Relying on Legitimate Interests requires a “balancing test”.  But what do we mean when we talk about “balance”? 

I was invited last Tuesday to a radio interview along with Mark Smyth of the Psychological Society of Ireland and Ivan Yates on Newstalk to talk about “The Momo Challenge” and how to protect your children from cyberbullying. Happily, I think it was a positive and constructive discussion. I figured I’d elaborate on my points a little here.

What is the “Momo Challenge“? It’s basically a recent iteration of games children play to scare themselves. Mark Smyth mentioned

Data Breaches happen all the time. It’s difficult to get a clear statistic on exactly how exactly how common they are (a recent survey suggests that over %50 of organizations have had a breach in the past year). Last year nearly 2,300 data breaches were reported to the Office of the Data Protection Commissioner. This is only reported breaches, of course. A good number of smaller breaches would not have required notifying the DPC, and

In our analysis of the information available on UK charity scandal the other day, one of the main points we focused on was the use of legitimate interests as a legal grounds for processing personal data. This condition for processing is currently being visited in trilogue discussion of Chapter II of the EU Data Protection Regulation.

As we noted yesterday, EU Council of Ministers draft of the Data Protection Regulation proposes expanding the potential scope for

The Register of Electors needs overhaul, but it’s not just a tech problem An article in the Irish Examiner yesterday reported that “The Government ‘Ignored Calls’ on Improving the Voter Register”. Seán McCárthaigh reports that the city and county management association have been warning the Government that “the practices used to maintain the register were outdated and in need of urgent improvements” for the past three years. McCárthaigh notes the following reforms have been proposed:

I'm currently ploughing through the 630 pages three-way comparison papers for the draft EU data protection Regulation as it stands currently, and I've spotted a problem in the definitions that raises some interesting questions.

Currently, the European Parliament's wording for "Special Categories of Data" (i.e. sensitive personal data) is:
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the