Regulatory Developments

Last updated: 
2 weeks 3 days ago
Blog Manager

One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks.

Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers.

NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Filter by tags:

Group administrators:

Blog Article

The General Data Protection Regulation's Article 4(1) establishes six principles for any processing of personal data. It's interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to websites.

Blog Event

[UPDATE] A recording of the webinar is now available

The General Data Protection Regulation (GDPR) will require all organisations to examine their processing of personal data. Understanding why and how data are being processed, and what the appropriate legal basis is for the processing, will be essential if organisations are to meet the GDPR’s requirements for information provision and data subject rights.

Online
Friday, March 16, 2018 - 12:30
Blog Article

I was recently invited by EDUCAUSE to present a webinar on GDPR to their community of mostly North American universities and colleges. The number of participants indicates that European data protection law is a topic of interest. But the most common question was why, as non-EU organisations, they should care about GDPR. So I wrote a blog post, which EDUCAUSE have now published...

Blog Article

Collections of free text – whether in database fields, documents or email archives – present a challenge both for operations and under data protection law. They may contain personal data but it's hard to find: whether you're trying to use it, to ensure compliance with the data protection principles, or to allow data subjects to exercise their legal rights. Some level of risk is unavoidable in these collections, but there are ways to reduce it.

Blog Article

When incident response teams (CSIRTs) detect an attack on their systems, they normally report details back to the network or organisation from which the attack comes. This can have two benefits for the reporter: in the short term, making the attack stop; in the longer term helping that organisation to improve the security of its systems so they are less likely to be used in future attacks.

Blog Article

The Article 29 Working Party's guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. It seems unlikely that an organisation that hasn't prepared is going to be able to manage that.

Blog Article

Article 22 of the GDPR contains a new, and oddly-worded, "right not to be subject to a decision based solely on automated processing". This only applies to decisions that "produce[] legal effects … or similarly significantly affect[]" the individual. Last year, the Article 29 Working Party's draft guidance on interpreting this Article noted that an automated refusal to hire a bicycle – because of insufficient credit – might reach this threshold.

Prev | Next