Categories
Articles

Article 29 WP draft on Transparency

The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance. In particular, it seems to have been strongly […]

Categories
Articles

GDPR: Processing notification and protecting security

Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as […]

Categories
Presentations

Jisc GDPR conference

For those who couldn’t make it to the Jisc GDPR conference last week (and those who did, but want a refresher) the slides are now available. Presenters were told to ensure they gave lots of practical advice, so whether you want ideas on GDPR in Further Education or Research; need to work on an asset […]

Categories
Articles

Article 29 WP draft on Consent

The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR. The first message is […]

Categories
Publications

Security, Incident Response, Privacy and Data Protection

The Forum of Incident Response and Security Teams (FIRST) invited me to write a piece on how GDPR affects security and incident response. Summary: it makes them pretty much essential 🙂

Categories
Closed Consultations

Article 29 WP draft on Automated Processing

The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I’ve found. GDPR Article 22 is one of several that begin “The data subject shall have the right”, in this case: The data subject shall have the right not to be subject […]

Categories
Articles

GDPR/Data Protection Bill: public authorities and legitimate interests

[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)] The new Data Protection Bill seems to bring clarity to the question of which legal bases will be available to educational institutions under the General Data Protection Regulation: Clause 6(1) of the Bill states that […]

Categories
Presentations

Implementing the GDPR

Last week I spoke at the UCISA CISG-PCMG conference on some of the tools we have been using within Jisc to apply the requirements of the GDPR. UCISA has now published a recording of the session, as well as a copy of my slides. The previous day, I did a more detailed presentation on one […]