
Tag Archives for "guidance"

Council of Europe issues recommendation on health-related data

On March 28, 2019, the Council of Europe issued a new Recommendation on the protection of health-related data.

The Recommendation calls on all Council of Europe member states to take steps to ensure that the principles for processing health-related data (in both the public and private sector) set out in the Appendix of the Recommendation are reflected in their law and practice.

Source: Council of Europe issues recommendation on health-related data

How to achieve digital governance?

Digital governance is corporate oversight of technologies that use personal or sensitive information, make autonomous decisions or exercise human-like responsibilities. The concept addresses disruptive technologies including artificial intelligence (AI), connected devices (IoT, cars, ubiquitous sensors, etc.), and machine learning.

To establish digital governance programmes, companies must:

  1. first structure themselves accordingly,
  2. have a full picture of what they are doing,
  3. create an organisational culture that values fair digital practices.

Full article: Data Protection & Cybersecurity 2019 | Global Practice Guides | Chambers and Partners

Europe introduces IoT Cybersecurity standard

ETSI, the European Telecommunications Standards Institute, released a new cybersecurity standard for consumer Internet of Things devices in February 2019 (TS 103 645). These rules are intended to apply to consumer devices that are connected to network infrastructures.

The standard describes thirteen recommendations to realise the goal of ensuring safer IoT devices and to bridge the safety gap. The standard is not mandatory and remains a good practice document.

Source: Europe – Keeping your connected devices secure: Europe introduces IoT Cybersecurity standard

The 4 Ps of leveraging data privacy for enhanced investment

Recent research shows over half (55 percent) of M&A professionals have had deals fall through due to concerns over GDPR and target firms’ data practices, and 66 percent of those M&A professionals believe GDPR will increase acquirers’ scrutiny of data protection policies and processes of target firms.

Just as financial information and cyber risk realities have long required organizations to employ accountants and cybersecurity professionals to conduct frequent audits and implement proactive monitoring, data privacy now requires a unique level of organizational data diligence, in addition to the appointment of personnel such as data protection officers (DPOs) to serve as advocates for the plethora of consumer and employee data companies collect, store and manage.

Given today’s ever-evolving data privacy realities, companies should abide by the four “Ps” rule to show suitors that their company is a safe bet:

  • Policy,
  • People,
  • Process,
  • Product.

Full article: The 4 Ps of leveraging data privacy for enhanced investment | TechRadar

How to report a data breach under GDPR

Data breach notification requirements are now mandatory and time-sensitive under GDPR.

While the details of what an organization needs to report in the event of a breach are defined within the legislation, when to report a data breach and which authority you should report the incident to are not as clear.

Read full article: How to report a data breach under GDPR

EDPB clarifies the interaction between the GDPR and ePrivacy Directive

The European Data Protection Board (EDPB) met for its eighth plenary session on 12 and 13 March 2019. At the session, the EDPB adopted:

During the session, the EDPS also adopted:

Belgian DPA Publishes Updated List of Processing Activities Requiring DPIA

The Belgian Data Protection Authority recently published (in French and in Dutch) the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”).

Article 35(4) of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

The Belgian DPA asserts that this list is neither exhaustive nor final and could be modified in the future.

Source: Belgian DPA Publishes Updated List of Processing Activities Requiring DPIA

EDPS Guidelines on assessing the proportionality of measures that limit privacy

The European Data Protection Supervisor (EDPS) intends to issue Guidelines for assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data.

EDPS aims at assisting EU institutions and bodies in the task of ensuring that any limitation of the fundamental right to the protection of personal data is compliant with the requirements of EU primary law.

Before issuing the Guidelines in their final version, the EDPS is launching a stakeholders’ consultation on the draft version of the Guidelines. The deadline for receiving your input is 4 April 2019. The replies to the consultation should be sent to the Policy and Consultation Unit of the EDPS: POLICY-CONSULT@edps.europa.eu

Access draft guidelines

How opt-in consent really works

Consent is only one of several lawful bases for data processing available under the EU General Data Protection Regulation. Nonetheless, sometimes consent is the most appropriate — or only — basis for personal data processing.

The GDPR requires consent to be opt-in. It defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”

Full article: How opt-in consent really works
