Data Protection Regulation

This is Jisc's response to the ICO's request for feedback on Profiling under the General Data Protection Regulation. 1. When, how and why does your organisation carry out profiling? Do you agree that there has to be a predictive element, or some degree of inference for the processing to be considered profiling?
3 September 2018 at 12:03pm
[Updated Sep.18 to repair links broken by the demise of the Article 29 WP website] [Updated Oct.17 to include an example where multiple justifications are appropriate]
5 May 2017 at 8:48am
Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner's guidance is relevant.
19 April 2017 at 9:38am
A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here's why I don't think it does. Recital 49 of the Regulation says:
The Guidance makes a surprisingly broad distinction between public and private sector organisations, even when they process the same data for the same purposes. This would remove important protections when personal data are processed by the public sector, and does not appear to be required by the General Data Protection Regulation that the Guidance aims to implement.
19 April 2017 at 9:40am
While some have viewed the General Data Protection Regulation's approach to consent as merely adjusting the existing regime, the Information Commissioner's draft guidance suggests a more fundamental change: "a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away".
19 April 2017 at 9:39am
[UPDATE] a slightly revised version of this post formed our response to the ICO consultation.
19 April 2017 at 9:41am
Recently I've been doing some work with Niall Sclater on how education organisations might inform students about the use of learning analytics, and when they might seek students' consent. The resulting blog post is at
These are Jisc's comments on the Article 29 Working Party's Guidelines on the Right to Data Portability (WP242).
19 April 2017 at 9:43am
After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed: Andrew Cormack, "Incident Response: Protecting Individual Rights Under the General Data Protection Regulation", (2016) 13:3 SCRIPTed 258
Subscribe to Data Protection Regulation