Privacy and Data Protection in Your Pocket: Personal Data Breaches

The book’s foreword sets out its stall immediately. It is ‘mostly for everyone who isn’t a privacy or a data protection professional, and who hasn’t had any legal training’. On the face of it, therefore, its main target readership will be almost exclusively those least likely to read a book review in the publication of record of solicitors in England and Wales.

In reality, of course, quite a large proportion of those who work in law firms, and who have responsibility for dealing with large amounts of personal data will not have a legal qualification; and would certainly not fall into the categories of either privacy or data protection professionals.

Their knowledge of data protection, however, will often be dependent on training provided by those who do have such qualifications or roles. And therein lies the problem. It is often the case that once somebody has trained their neural pathways to fire in the kind of sequences needed to make that person an effective lawyer, it can be difficult for them to put themselves in the shoes of those who have not yet gone over to the dark side, or who simply don’t get the same buzz from being able to quote the precise piece of legislation applicable in any specific situation.  

The first four chapters explain (in non-legalistic terms) what constitutes a data breach; what, how, when and to whom breaches should be reported; how to identify the root cause of a breach; and how to avoid breaches occurring in the first place. Any GDPR novice will be taken on a short data protection journey without any real risk of intellectual motion sickness en route. The remaining chapters are aimed mostly at those who may have had their data breached, although there is a useful ‘know it when you see it’ definitions section for identifying different types of personal data.

If you are responsible for putting together the data protection training within your firm, but have undergone the kind of neural rerouting referred to previously, there are many ideas in this book which you could use (and/or expand upon) to help explain in basic (although never patronising) terms the kinds of data protection concepts which, to you, may come as second nature. At just £11.99, it may even be worthwhile purchasing a copy of this book for each member of staff who needs to be trained in data protection. Setting a short quiz on its key contents may yield a better understanding of the subject rather than simply relying on online training (or your own internal PowerPoint presentations).

While those who practise in the complex area of data protection law will be unlikely to learn anything new from this book, those charged with translating such law into language that all staff can understand should find it a very useful aid.

Sean Gordon is a non-practising solicitor and former COLP & DPO