The Article 29 Working Party ("WP29") has recently adopted new General Data Protection Regulation ("GDPR") Guidance, this time focusing on Data Protection Impact Assessments ("DPIAs"). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR. Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement. Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and email@example.com by 23 May 2017. What is a Data Protection Impact Assessment? DPIAs are not a formal requirement … Continue Reading ››
Impact of Brexit on data protection: EU Home Affairs Sub-Committee hears evidence The EU Home Affairs Sub-Committee continues to hear evidence from various experts on the implications of Brexit on the "EU data protection package". Particularly notable are the comments of Elizabeth Denham, the UK's Information Commissioner, regarding her hopes for the UK post-Brexit. Unsurprisingly for Denham and perhaps reassuringly for business, "the right way forward… is to fully adopt the general data protection regulation". However should the UK do so, questions persist as to the ICO's role, particularly in relation to its standing with the European Data Protection Board (EDPB). Denham was keen to emphasise that the Government should do anything it can to ensure the ICO has "some status" on the EDPB. Should it not, the UK will be at the mercy of the Board's decisions, but be without influence over its policy. Lord O'Neil of Clackmannan, a Labour peer, was … Continue Reading ››
This week, the ICO published the latest version of its paper on big data, AI and machine learning. Though not an official GDPR guidance document or code of practice, the paper sets out the ICO's views on the issues and has been updated to show how big data, AI, machine learning relate to the GDPR (however not the new draft PEC Regulation). Of note to Datonomy readers are the six key recommendations the Paper gives to help organisations achieve data protection compliance in a "big data world". The ICO states that organisations should…
- Carefully consider whether the big data analytics to be undertaken actually requires the processing of personal data. Often, this will not be the case; in such circumstances organisations should use appropriate techniques to anonymise the personal data in their dataset(s) before analysis.
- Be transparent about their processing of personal data by using a combination of innovative approaches in order … Continue Reading ››
Yesterday the ICO published its much anticipated guidance on consent under the GDPR for public consultation. This is a key practical area of compliance for all businesses. The new test for consent under the GDPR is higher than under the current rules and the penalties for failing to obtain valid consent potentially much harsher; organisations will need to review their data collection notices and opt ins and potentially make changes to websites and apps to ensure they are compliant by May 2018. The guidance sits alongside the ICO's Overview of the GDPR and explains its recommended approach to compliance and what counts as valid consent. On the tricky issue of verifiable parental consent to children's use of social media, the ICO has promised further guidance at a later date. The consultation will run from now until 31 March 2017, and any comments on the guidelines should be sent … Continue Reading ››
Last week, as part of Olswang's GDPR readiness and Talking Retail webinar series', lawyers from the firm's data protection and retail sector teams hosted a webinar looking at the implications of the GDPR on the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
- Targeted and non-targeted advertising
- Privacy policies
- Processing customer payment details
- Post purchase analysis
- Data breaches
- GDPR implementation
- Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
- Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
The Information Commissioner's Office (ICO), the UK's data protection regulator, is cracking down on the online gambling sector's use of personal data to promote online gambling. It has contacted around 400 companies to threaten them with fines of up to £500,000 if they are found to be collecting and using personal data for marketing in a manner which does not comply with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). In its press release, the ICO said it is writing to over 400 companies, all believed to be egaming marketing affiliates, demanding they set out how they use people’s personal details and send marketing texts, including where they got people’s personal information from and how many texts they sent. What is the ICO worried about? The ICO has expressed concern that the prolific use of affiliate marketing is resulting in a lack of accountability, … Continue Reading ››