Free tools and resources for Data Protection Officers!

Tag Archives for " guidance "

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR.

In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or loca­tion data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organi­sations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Full article: DP Impact Assessments: EDPB Differs Slightly from ICO Position

New EDPB Guidelines on the territorial scope of the GDPR

On 26 November 2018, the WP29’s successor, the European Data Protection Board (EDPB) published, Guidelines on the territorial scope of the GDPR (Art. 3). The proposed Guidelines are open for public consultation until 18 January 2019. The Guidelines provide some clarification around the boundaries of what constitutes an establishment in the EU, the status of tourists and factors that determine whether data subjects in the EU are being targeted.

The EDPB also provides some guidance on the conditions of appointment of an EU representative for non-EU controllers and processors. However, the Guidelines do not address other key interpretive questions arising from Art. 3 and Chapter V (transfer restrictions) and leave many key legal questions open.

Full article: EU: New EDPB Guidelines on the territorial scope of the GDPR

You probably have more personal data, in more systems, than you think.

There’s lots of guides on the internet to consent and so-forth, but relatively few that dive into hands-on implementation details. Often, legal teams possess a strong understanding of regulatory requirements and the goals of company operations, but they don’t share the same knowledge of systems and data movements implemented across marketing and sales.

Full article: You probably have more personal data, in more systems, than you think.

Irish watchdog clarifies record keeping and DPIAs interaction under GDPR

Ireland’s data protection authority has clarified how record keeping obligations under the General Data Protection Authority (GDPR) interact with the duties of businesses to carry out data protection impact assessments (DPIAs).

Full article: GDPR: Irish watchdog clarifies record keeping and DPIAs interaction

CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”).

Source: CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

CNIL issues guidaince on Blockchain and the GDPR

When a blockchain contains personal data, the GDPR is applicable. The architecture and characteristics specific to blockchains will, however, have consequences on how personal data is stored and processed. To address this matters, French data protection authority CNIL recently published guidelines “Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data“.

Source: Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data | CNIL

CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers ( i.e. , media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas.

Full article: CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

The road to GDPR certifications won’t be a short one

The EU General Data Protection Regulation has been in effect for five months, and yet there has not been much progress on the certification front. Companies are waiting to see what form certification will look like under Articles 42 and 43 of the GDPR, and tech vendors are coming out with solutions to help organizations display their GDPR compliance efforts in the interim.

While GDPR certifications have not yet appeared, plenty of regulatory bodies have come out with guidance on the subject. With all the guidance that’s emerged from global regulatory bodies, there remains controversy surrounding GDPR certifications. Under Article 42 of the GDPR, certification mechanisms will be issued to data controllers and processors.

Full article: The road to GDPR certifications won’t be a short one, it seems

Sensitive personal data in HR functions: climbing the ladder of legal bases

The GDPR’s entry into force has forced HR teams across the US and EU to re-evaluate the ways in which they justify the use of personal data relating to their employees, applicants and contractors.

Whilst compliance priorities will vary between businesses, all US headquartered organizations with a presence or personnel in the UK should be particularly mindful of their enhanced obligations to satisfy multiple conditions under both the GDPR and the UK’s new Data Protection Act 2018 (“DPA 2018“) before collecting certain special categories of personal data.

Full article: Sensitive personal data in HR functions: climbing the ladder of legal bases

Privacy International published Data Protection Guide

“Keys to Data Protection” has been developed by Privacy International to help organisations and activists fight for better data protection standards across the globe. The guide provides a framework to analyse most common principles and provisions of (draft) data protection legislations.  

Source: Privacy International published Data Protection Guide

>