Data Protection Regulation

5 January 2018 at 1:24pm
One of my guidelines for when consent may be an appropriate basis for processing personal data is whether the individual is able to lie or walk away. If they can, then that practical possibility may indicate a legal possibility too.
18 December 2017 at 1:34pm
The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance.
18 December 2017 at 1:20pm
Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.
15 December 2017 at 11:35am
For those who couldn't make it to the Jisc GDPR conference last week (and those who did, but want a refresher) the slides are now available.
15 December 2017 at 9:16am
The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
12 December 2017 at 8:37am
The Forum of Incident Response and Security Teams (FIRST) invited me to write a piece on how GDPR affects security and incident response. Summary: it makes them pretty much essential :)
8 December 2017 at 11:12am
The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I've found. GDPR Article 22 is one of several that begin "The data subject shall have the right", in this case:
4 December 2017 at 10:25am
Last week I spoke at the UCISA CISG-PCMG conference on some of the tools we have been using within Jisc to apply the requirements of the GDPR. UCISA has now published a recording of the session, as well as a copy of my slides.
3 November 2017 at 10:21am
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.