Articles 13 and 14 of the GDPR state that information must be provided where personal data has been obtained directly from a data subject, or where personal data has not been collected directly from the data subject, respectively.
We often see that clients are fully compliant with Article 13 and know it is a high-priority item to have in place. But when it comes to GDPR Article 14, we frequently see confusion, especially around understanding the privacy notice and when you are required to provide one. This is because it is easy to assume that, by obtaining personal data from third parties, data subjects have already been informed, which is not always the case. A privacy notice is a public document that explains how an organisation processes personal information and applies the data protection principles. To remain compliant with the GDPR, it is crucial for organisations to be transparent with data subjects about how their personal data has been obtained, especially if it was obtained via a third party.
In this blog, we discuss when businesses should provide an Article 14 privacy notice, what a privacy notice should contain, conducting supplier due diligence when acquiring personal data from third parties, and the importance of documenting the source of personal data.
Understanding when you need to provide an Article 14 privacy notice is the first step in complying with Article 5’s principle on fairness and transparency. The regulation states that data controllers must provide data subjects with an Article 14 privacy notice where personal data has not been obtained from the data subject.
Recital 60 explains this further, stating that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, and that data controllers should provide the data subject with any further information necessary to ensure fair and transparent processing.
In most businesses, it is the sales and marketing team who obtain personal data from a third party. This could be from marketing campaigns on social media, purchased mailing lists, or in some cases web scraping tools, such as browser plug-ins. All of these sources are third parties and require you to comply with Article 14 by providing a privacy notice to the data subject.
The privacy notice should be provided at the first point of contact or within 30 days of obtaining the personal data. If you are contacting the data subject by phone, you should tell them who you are, where you obtained their personal data and for what purpose you will be using it, and in further communication provide them with the privacy notice in writing.
It is important to note that, prior to contacting the data subject, you should first cross-check the data against the Telephone, Mailing and Corporate Preference Services to ensure their details are not registered there; otherwise you will be in breach of their data subject rights.
The ICO has provided a helpful guide on what to include in your Article 14 privacy notice. It is essentially a copy of your Article 13 privacy notice but with additional information on the source of the personal data.
It is important to understand that when purchasing personal data from third parties, adequate supplier due diligence needs to be carried out. As a data controller, it is your responsibility to process personal data in a lawful manner. This means, for instance, only using third parties who can verify that they have collected the personal data lawfully and are GDPR compliant.
To keep track of the different sources of personal data, it is helpful to document them. The Records of Processing Activities (ROPA) document required by Article 30 is one way to keep track of personal data that has been collected. You can use the ROPA as a tool to understand the data flow between the parties you share information with, and to identify which processes require you to provide an Article 14 privacy notice.
The Polish data protection authority (UODO) fined the Swedish data aggregation company Bisnode €220,000 for a violation of GDPR Article 14. Bisnode was found to have collected personal data from public records and databases on approximately 700,000 data subjects without providing a privacy notice. Bisnode decided it was exempt from Article 14 because notifying over 6 million data subjects, for whom it did not have an email address, would be disproportionate, saying that it would cost the company €7.7 million. The UODO, however, ruled against this, since approximately 12,000 of those data subjects had already objected to the processing of their personal data.
Ali is a seasoned GDPR Consultant who's written insightful articles on the subjects of GDPR compliance and data protection.