Tag Archives for "guidance"

Polish DPA’s guidance on data protection in the workplace partially “controversial”

The Polish data protection authority (‘UODO’) issued, on 4 October 2018, guidance for employers on data protection in the workplace under the General Data Protection Regulation (‘GDPR’), following a public consultation on the same. In particular, the Guidance focuses on the processing of employee data during recruitment, selection and the employment period, and distinguishes between different types of employment contracts, such as those concerning temporary and permanent workers.

Full article: Poland: UODO’s guidance on data protection in the workplace partially “controversial”

UK DPA releases data protection self-assessment checklist for sole traders

The ICO has launched a self-assessment checklist that will help sole traders and self-employed individuals to assess their compliance with new data protection laws. The checklist is aimed at improving understanding of data protection and making sure sole traders are keeping people’s personal data secure. It shows sole traders how compliant they are by generating a rating based on their responses and provides handy links to relevant ICO guidance and further information. It also includes practical suggestions of how to stay in line with the law.

Source: New data protection self-assessment checklist for sole traders | ICO

French Data Protection Authority’s Latest Newsletter Includes Assessment of First Four Months of GDPR & Several Guidelines

The French Data Protection Authority (the CNIL) published its assessment of the first four months of GDPR and several guidelines, including one on how to make a GDPR compliant blockchain.

Full article: French Data Protection Authority’s Latest Newsletter Includes Assessment of First Four Months of GDPR & Several Guidelines

EDPB: ICO too strict on data protection impact assessments

Businesses planning to process biometric, genetic or location data do not automatically have to carry out a data protection impact assessment (DPIA) first to comply with the General Data Protection Regulation (GDPR), an EU privacy watchdog has said. The opinion, issued by the European Data Protection Board (EDPB), differs from guidance the UK’s Information Commissioner’s Office (ICO) has issued on DPIAs.

The ICO is not bound to update its guidance in light of the EDPB’s opinion, but must justify its reasons for not doing so if “it does not intend to follow this opinion, in whole or in part”, the EDPB said.

Source: EDPB: ICO too strict on data protection impact assessments

How to draft a GDPR-compliant retention policy

You need to be able to clearly define the period for which personal data will be stored or, if not possible, criteria to determine that period. Most organizations implementing the GDPR consider retention policies or retention rules necessary to achieve this. At first it seems a daunting task, but by considering the goals and GDPR requirements you can reach some reasonable level of granularity that is still operational and possible to implement.

Full article: How to draft a GDPR-compliant retention policy

How to comply with the right to erasure

Now that the General Data Protection Regulation has come into force, organizations need to be able to process requests to erase the personal data of individuals. To establish this capability, changes to a variety of policies and procedures across the organization need to be implemented.

For one, the systems, applications and databases need to be calibrated to allow the easy identification and deletion of data related to the requesting individual. Then, policies and procedures need to be in place for the data protection officer and other stakeholders to follow the full lifecycle of the data erasure request. Finally, the DPO should maintain oversight of the effectiveness of every step of the way to the deletion and communicate with the data subject in a timely manner.

Full article: How to comply with the right to erasure (if you haven’t already!)

UK’s DPA Clarifies Position in Respect of International Transfers Under the GDPR

The UK’s supervisory authority for data protection, the Information Commissioner’s Office (“ICO”), has published guidance in relation to international transfers under the GDPR. Of particular interest is the ICO’s stated position that a transfer of personal data to a non-EEA data importer does not constitute a restricted transfer in cases where the General Data Protection Regulation (“GDPR”) applies directly to the processing which will be undertaken by that data importer.

Source: UK: ICO Clarifies Position in Respect of International Transfers Under the GDPR

Three frequently asked questions about data breach reporting

One of the key reasons that organisations are anxious about the General Data Protection Regulation (GDPR) is its strict data breach notification requirement, specified in Articles 33-34, which gives organisations only 72 hours to report a breach to supervisory authorities. That is easier said than done.

The three most frequently asked questions about data breach reporting are:

  1. What processes need to be in place in order to respond to a personal data breach?
  2. How do you report a breach to the supervisory authority?
  3. How should I inform individuals about the breach?

Read article: Three frequently asked questions about data breach reporting

Classified: The Art of Restricting Personal Data

Despite our hesitation, we routinely provide the very same personal information to both critical and noncritical requests. We shouldn’t. Personal information is a top commodity in today’s digital world, and sharing it should be based on trust, not convenience.

Read full article: Classified: The Art of Restricting Personal Data – The Firewall – Medium
