Download as PDF
Blog Article
The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I've found. GDPR Article 22 is one of several that begin "The data subject shall have the right", in this case:
Blog Article
[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]
Blog Article
Last week I spoke at the UCISA CISG-PCMG conference on some of the tools we have been using within Jisc to apply the requirements of the GDPR. UCISA has now published a recording of the session, as well as a copy of my slides.
Blog Article
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.
Blog Article
Education Technology have just published an article I wrote (though I didn't choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the "incident response protects privacy" link to get the full legal analysis.
Blog Article
Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months.
Blog Article
The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to the organisation doing the processing.
Blog Article
I've been asked how universities can share students' details with their students union. Since there doesn't seem to be any law giving universities "special powers" to do that, the choice seems to be between the six normal legal bases under the General Data Protection Regulation (GDPR).
Blog Event
I'll be doing a presentation on how Information Lifecycles can help you with the General Data Protection Regulation, security and effective use of information
Manchester
Wednesday, November 8, 2017 - 09:00 to Thursday, November 9, 2017 - 17:00
Blog Article
It's pretty clear from the context and implications that when European legislators wrote "public authority" into the General Data Protection Regulation they didn't mean the same as the drafters of the UK's Freedom of Information Acts. "Public authority" isn't defined in the Regulation and I've not been able to find it in any other European law, so I'm grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.
