Categories
Articles

GDPR – Privacy Notices

Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months. Since we need to start rolling out GDPR-friendly privacy notices for Jisc services sooner than that, we’re using what information we have – the GDPR itself, the Information […]

Categories
Articles

GDPR: Data Protection Impact Assessments

The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to […]

Categories
Articles

European Law on Public Authorities

It’s pretty clear from the context and implications that when European legislators wrote “public authority” into the General Data Protection Regulation they didn’t mean the same as the drafters of the UK’s Freedom of Information Acts. “Public authority” isn’t defined in the Regulation and I’ve not been able to find it in any other European […]

Categories
Articles

GDPR: Service Categories

Jisc provides a lot of different services: too many for us to look at each one from scratch before the General Data Protection Regulation comes into force next May. Instead, we’ve identified four different patterns that seem to cover the majority of services. We hope that having a common set of expectations for each pattern […]

Categories
Articles

Article 29 WP on Workplace Monitoring

The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on “employee monitoring”, it is likely to be relevant to other situations where an organisation has significant power over those […]

Categories
Articles

GDPR: Public Authorities and Legitimate Interests

I was interested to spot that the Article 29 Working Party visited the question of “public authorities” back in 2014, on page 23 of their Opinion on Legitimate Interests. There they note that there are two possible interpretations of the (then draft) General Data Protection Regulation’s (GDPR) rule that public authorities may not use legitimate […]

Categories
Publications

GDPR: How to Prepare

To mark one year to go till the General Data Protection Regulation comes into force, we’ve published an article on “How Universities and Colleges Should be Preparing for New Data Regulations” on the Jisc website.

Categories
Articles

GDPR: notices and processes

Some of the General Data Protection Regulation’s requirements on data controllers apply no matter which legal basis for processing is being used. For example, there are common requirements on information given to data subjects; breach notification and rights of access and rectification will normally apply to all personal data. However, other requirements are specific to […]

Categories
Articles

GDPR: Portability Right Guidance

The Article 29 Working Party’s final guidance on implementing the right to portability is a significant improvement on the previous draft. The Working Party appear to have recognised the significant risk involved in making large collections of personal data available through on-line interfaces, and that other approaches will be more suitable for most data controllers. […]

Categories
Articles

GDPR: moving to Information Lifecycle Registers?

[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, […]