GDPRdevelopment

The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to the organisation doing the processing.

8 December 2017 at 10:10am

GDPR/Data Protection Bill: public authorities and legitimate interests

Data Protection Bill

[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]

12 June 2017 at 10:19am

GDPR: Public Authorities and Legitimate Interests

I was interested to spot that the Article 29 Working Party visited the question of "public authorities" back in 2014, on page 23 of their Opinion on Legitimate Interests.

9 May 2017 at 10:44am

DCMS call for views on GDPR derogations

research

The Department for Culture, Media and Sport has called for views on how the UK should use the "derogations" (i.e. opportunities and requirements for national legislation) contained within the General Data Protection Regulation. The main area where derogations, or the lack of them, could affect the Jisc community is in the application of the GDPR to research data. We have therefore recommended that the UK Government should:

19 April 2017 at 9:36am

Article 29 Working Party support security and incident response

Having had my own concerns that the European Commission's draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it's very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities.

19 April 2017 at 9:40am

GDPR: A new kind of consent

Consent

GDPRprocess

While some have viewed the General Data Protection Regulation's approach to consent as merely adjusting the existing regime, the Information Commissioner's draft guidance suggests a more fundamental change: "a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away".

19 April 2017 at 9:39am

What's the data protection difference between public and private sectors?

[UPDATE] a slightly revised version of this post formed our response to the ICO consultation.

19 April 2017 at 9:42am

ePrivacy Regulation: a risk for website security?

Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful.

19 April 2017 at 9:42am

Portability right: a data protection challenge

Information Security