GDPRtopics

18 December 2017 at 1:20pm

GDPR: Processing notification and protecting security

Andrew Cormack
Data Protection Regulation
incident response
GDPRtopics
Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.
Read more
15 December 2017 at 9:16am

Article 29 WP draft on Consent

Andrew Cormack
Data Protection Regulation
GDPRtopics
GDPRprocess
The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
Read more
3 November 2017 at 10:21am

Article 29 WP draft on Breach Notification

Andrew Cormack
Data Protection Regulation
incident response
Breach Notification
GDPRtopics
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.
Read more
26 October 2017 at 4:23pm

GDPR and "cyber security"

Andrew Cormack
Data Protection Regulation
incident response
GDPRtopics
Education Technology have just published an article I wrote (though I didn't choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the "incident response protects privacy" link to get the full legal analysis.
Read more
23 October 2017 at 4:28pm

GDPR - Privacy Notices

Andrew Cormack
Data Protection Regulation
GDPRprocess
GDPRtopics
Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months.
Read more
9 October 2017 at 9:11am

GDPR: Student Unions

Andrew Cormack
Data Protection Regulation
GDPRtopics
I've been asked how universities can share students' details with their students union. Since there doesn't seem to be any law giving universities "special powers" to do that, the choice seems to be between the six normal legal bases under the General Data Protection Regulation (GDPR).
Read more
20 September 2017 at 11:29am

European Law on Public Authorities

Andrew Cormack
Data Protection Regulation
GDPRtopics
It's pretty clear from the context and implications that when European legislators wrote "public authority" into the General Data Protection Regulation they didn't mean the same as the drafters of the UK's Freedom of Information Acts. "Public authority" isn't defined in the Regulation and I've not been able to find it in any other European law, so I'm grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.
Read more
11 September 2017 at 9:35am

GDPR: Backups, Archives and the Right to Erasure

Andrew Cormack
Data Protection Regulation
GDPRtopics
I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.
Read more
29 August 2017 at 3:12pm

GDPR: Recording Phone Calls

Andrew Cormack
GDPR
GDPRtopics
Most of us are familiar with the recorded messages at the start of phone calls that warn "this call may be recorded for compliance and training purposes". Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection implications of call recording are perhaps more interesting.
Read more
1 August 2017 at 8:58am

GDPR: Wifi access

Andrew Cormack
Data Protection Regulation
GDPRtopics
eduroam
Many, perhaps most, wifi access services want to perform some sort of authentication of people who use them (for those providing connectivity via Janet, it's a requirement of the Eligibility Policy).
Read more
Subscribe to GDPRtopics