The review of artificial intelligence argues a new AI council should be created but it wouldn’t be in charge of regulating systems.
Businesses will be considered ‘aware’ of data breaches under GDPR when their data processors notice the breach
Businesses that outsource the processing of personal data to other companies will be said to be aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to proposed new guidance.
There’s no question the GDPR has anyone who’s paying attention “on their feet.” Talk to any privacy consultant or vendor and they’ll tell you: Business is good these days. But there’s one group in particular that’s got both a lot at stake and a lot of unknowns to contend with ahead of May 2018, and that’s the ad tech industry. That was clear at yesterday’s session, “What Third-Party Compliance Will Look Like for Ad Tech” at the IAPP’s PSR conference in San Diego, California. The disruption the new privacy regimes in Europe will cause is largely triggered by the ad tech space’s heavy reliance on third-party data sharing.
The EU’s General Data Protection Regulation imposes stricter obligations on data controllers and processors to ensure the security of personal data. One of the new mechanisms introduced to reach this objective is data breach notification, a concept familiar to U.S.-based privacy professionals, but still relatively new to the EU.
The Article 29 Working Party has published this week its “last revised” guidelines on data protection impact assessments and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR.
The Office of the Australian Information and Privacy Commissioner has published draft resources for the Notifiable Data Breaches scheme, asking for public comment.
Data Protection Impact Assessment (DPIA) is a useful tool that can help organizations understand the risks related to the data they process. A DPIA helps find the right balance and proportions, identify risks, assess necessity and proportionality, and generally supports risk management.
The concept of joint controllers in EU law, in contrast to the distinction between controllers and processors, has so far not been seen as particularly controversial, nor has it been widely discussed. However, the GDPR now explicitly provides that joint controllers are two or more controllers that jointly determine the purposes and means of processing.
The first joint annual review of the Privacy Shield is underway and the European Commission is preparing its report to be issued later this month. Separately, the EU DPAs are also conducting an assessment on how the arrangement is working.
Controller-processor contracts and liabilities don’t seem destined for any guidance from the Article 29 Working Party, at least according to the WP29’s published work programs/roadmaps to date. However, some national regulators have picked up the baton. On September 13, the U.K. Information Commissioner’s Office issued draft guidance, Contracts and liabilities between controllers and processors.