The complexity of the EU General Data Protection Regulation is often alleviated by the guidance of regulatory authorities who contribute their practical interpretation of the black letter of the law and provide welcome certainty. However, the latest draft guidelines issued by the Article 29 Working Party on automated decision-making have thrown up a particular curve ball which bears further investigation. It relates to whether Article 22(1) of the GDPR should be read as a right available to data subjects or as a straightforward prohibition for controllers.
Laws that place restrictions on the ‘profiling’ of individuals do not just apply to data processing completed entirely automatically, EU data protection authorities have said.
With eight months until the introduction of the General Data Protection Regulations (GDPR), the countdown is well and truly on but businesses are not ready, writes Mike Cherry.
Two in five company directors in the UK do not know whether new EU data protection laws will apply to their business, a new survey has found.
Businesses will be considered ‘aware’ of data breaches under GDPR when their data processors notice the breach
Businesses that outsource the processing of personal data to other companies will be said to be aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to proposed new guidance.
There’s no question the GDPR has anyone who’s paying attention “on their feet.” Talk to any privacy consultant or vendor and they’ll tell you: Business is good these days. But there’s one group in particular that’s got both a lot at stake and a lot of unknowns to contend with ahead of May 2018, and that’s the ad tech industry. That was clear at yesterday’s session, “What Third-Party Compliance Will Look Like for Ad Tech” at the IAPP’s PSR conference in San Diego, California. The disruption the new privacy regimes in Europe will cause is largely triggered by the ad tech space’s heavy reliance on third-party data sharing.
The EU’s General Data Protection Regulation imposes stricter obligations on data controllers and processors to ensure the security of personal data. One of the new mechanisms introduced to reach this objective is data breach notification, a concept familiar to U.S.-based privacy professionals, but still relatively new to the EU.
This third annual study of data governance in organizations, surveying modern privacy operations about the present and future of the privacy profession, reflects significant changes in privacy programs globally in response to the GDPR. An astonishing 95 percent of survey respondents, more than 75 percent of whom are located outside of the European Union, say the GDPR applies to their organization.
The Article 29 Working Party has published this week its “last revised” guidelines on data protection impact assessments and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR.
The concept of joint controllers in EU law, in contrast to the distinction between controllers and processors, has not been seen thus far as particularly controversial, nor has it been widely discussed. However, the GDPR now explicitly provides that joint controllers are two or more controllers that jointly determine the purposes and means of processing.