The UK’s data protection watchdog has raised concerns that proposed new UK laws threaten its ability to operate independently of the government.
Businesses that provide services designed to show that electronic data is authentic and can be trusted have been issued with new UK guidance that outlines their obligations on security and breach reporting.
On November 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an article on its blog containing advice on applications for Binding Corporate Rules (“BCRs”) to comply with requirements under the EU General Data Protection Regulation (“GDPR”).
National data protection authorities seem to get the most attention when they impose fines and penalties for violations of data protection laws and regulations. Consider, for example, the Italian DPA, which imposed the highest privacy fine ever issued by a European authority in the amount of 5,880,000 euros on a U.K. company for its violation of Italian laws on consent.
The guidance, issued on 21 November, brings together information about guidance previously issued by the ICO and links to guidance by the EU Article 29 Working Party.
People working with personal information have been warned they have to obey strict privacy laws after a charity worker was prosecuted for making his own copies of sensitive data.
It will become harder for data brokers to sell personal data to businesses in a way that complies with the law when the General Data Protection Regulation (GDPR) begins to apply.
Most privacy notices displayed on websites and mobile apps do not explain to consumers the country in which collected personal data is stored, according to a study carried out by data protection authorities based around the world.
Businesses will be considered ‘aware’ of data breaches under GDPR when their data processors notice the breach
Businesses that outsource the processing of personal data to other companies will be said to be aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to proposed new guidance.
Controller-processor contracts and liabilities don’t seem destined for any guidance from the Article 29 Working Party, at least according to the WP29’s published work programs/roadmaps to date. However, some national regulators have picked up the baton. On September 13, the U.K. Information Commissioner’s Office issued draft guidance, “Contracts and liabilities between controllers and processors.”