Categories: Tools

GDPR: what’s your justification?

One of the key steps in preparing for the General Data Protection Regulation is to know why you are processing each set of personal data, and which of the six legal justifications applies: consent, contract, legal obligation, vital interest, public interest or legitimate interest. The Regulation significantly tightens the rules on when consent can be […]

Categories: Tools

EDPB on (not) Necessary for Contract

The European Data Protection Board’s (EDPB) latest Guidelines further develop the idea that we should not always expect relationships involving personal data to have a single legal basis. Although the subject of the Guidelines is the legal basis “Necessary for Contract”, much of the text is dedicated to pointing out the other legal bases that […]

Categories: Tools

Revised DPIA cribsheet

Shortly after we did our first Data Protection Impact Assessments, on the Janet Security Operations Centre and the Jisc Learning Analytics Service, the ICO published its DPIA guidance. This contained a few minor additions, which have been added to this new version of our information gathering cribsheet: In section (a) the nature of processing should […]

Categories: Articles

GDPR: 12 Steps Illustrated

I’ve been trying to produce a visual image to capture the twelve steps to GDPR compliance. For details of the individual steps see: Awareness; Data Protection by Design; Information Lifecycle Audit; Breach Notification Process [Article 29 Working Party guidance]; Legal Basis [Information Commissioner guidance]; Privacy Notices [Article 29 Working Party guidance]; Individual Rights Processes (inc. subject […]

Categories: Articles

ICO guidance on Consent and GDPR

The Information Commissioner’s new guidance on Consent under the General Data Protection Regulation contains some points of particular use to universities and colleges. On the question of which legal bases are available to universities and colleges – in particular whether they are included within the GDPR’s disapproval of consent and legitimate interests being used by […]

Categories: Tools

DPIAs: First Attempts

Article 35 of the General Data Protection Regulation introduces a requirement to conduct a formal Data Protection Impact Assessment (DPIA) for any processing that may involve a high risk to individuals. The Article 29 Working Party’s DPIA guidance contains a helpful list of nine factors that may give rise to a high risk. Any activity […]

Categories: Articles

Data Breaches: Be Prepared

The Article 29 Working Party’s guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. […]

Categories: Articles

Article 29 WP draft on Transparency

The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance. In particular, it seems to have been strongly […]

Categories: Articles

Article 29 WP draft on Consent

The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR. The first message is […]

Categories: Articles

GDPR/Data Protection Bill: public authorities and legitimate interests

[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)] The new Data Protection Bill seems to bring clarity to the question of which legal bases will be available to educational institutions under the General Data Protection Regulation: Clause 6(1) of the Bill states that […]