Categories
Articles

GDPR: A new kind of consent

While some have viewed the General Data Protection Regulation’s approach to consent as merely adjusting the existing regime, the Information Commissioner’s draft guidance suggests a more fundamental change: “a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”. […]

Categories
Closed Consultations

What’s the data protection difference between public and private sectors?

[UPDATE] A slightly revised version of this post formed our response to the ICO consultation. The Information Commissioner’s draft guidance on consent makes a surprisingly broad distinction between public and private sector organisations, even when they process the same data for the same purposes. This risks removing important protections when personal data are processed by […]

Categories
Articles

GDPR: Official CSIRTs?

A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here’s why I don’t think it does. Recital 49 of the Regulation says: The processing of personal data to the extent strictly necessary and proportionate for […]