5 January 2018 at 1:24pm
One of my guidelines for when consent may be an appropriate basis for processing personal data is whether the individual is able to lie or walk away. If they can, then that practical possibility may indicate a legal possibility too.
18 December 2017 at 1:20pm
Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.
15 December 2017 at 9:16am
The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
3 November 2017 at 10:21am
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.
26 October 2017 at 4:23pm
Education Technology have just published an article I wrote (though I didn't choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the "incident response protects privacy" link to get the full legal analysis.
23 October 2017 at 4:28pm
Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months.
9 October 2017 at 9:11am
I've been asked how universities can share students' details with their students union. Since there doesn't seem to be any law giving universities "special powers" to do that, the choice seems to be between the six normal legal bases under the General Data Protection Regulation (GDPR).
20 September 2017 at 11:29am
It's pretty clear from the context and implications that when European legislators wrote "public authority" into the General Data Protection Regulation they didn't mean the same as the drafters of the UK's Freedom of Information Acts. "Public authority" isn't defined in the Regulation and I've not been able to find it in any other European law, so I'm grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.
11 September 2017 at 9:35am
I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.
29 August 2017 at 3:12pm
Most of us are familiar with the recorded messages at the start of phone calls that warn "this call may be recorded for compliance and training purposes". Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection implications of call recording are perhaps more interesting.
Subscribe to GDPRtopics