The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to […]
Tag: Data Protection Regulation
Posts related to the General Data Protection Regulation. There are a lot of these, so if you want to find out how GDPR affects a particular topic, it’s better to use the topic tag; if you want to know about implementing GDPR, then try “GDPR Howto”
European Law on Public Authorities
It’s pretty clear from the context and implications that when European legislators wrote “public authority” into the General Data Protection Regulation they didn’t mean the same as the drafters of the UK’s Freedom of Information Acts. “Public authority” isn’t defined in the Regulation and I’ve not been able to find it in any other European […]
I was recently asked how the GDPR’s Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn’t happen. […]
GDPR: Recording Phone Calls
Most of us are familiar with the recorded messages at the start of phone calls that warn “this call may be recorded for compliance and training purposes”. Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection […]
GDPR: Wifi access
Many, perhaps most, wifi access services want to perform some sort of authentication of people who use them (for those providing connectivity via Janet, it’s a requirement of the Network Connection Policy). Since authentication involves some processing of personal data, it’s worth reviewing how different ways of doing that might be affected (or not) by […]
GDPR: Service Categories
Jisc provides a lot of different services: too many for us to look at each one from scratch before the General Data Protection Regulation comes into force next May. Instead, we’ve identified four different patterns that seem to cover the majority of services. We hope that having a common set of expectations for each pattern […]
GDPR: Web forms and consent
Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation’s requirements for positive, recorded consent. First step, as with anything under the GDPR, it to think about which information […]
Article 29 WP on Workplace Monitoring
The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on “employee monitoring”, it is likely to be relevant to other situations where an organisation has significant power over those […]
GDPR: Attendance Monitoring
A question recently arose about monitoring students’ attendance at lectures and tutorials, and how this fitted into data protection law. Since the main purpose of such monitoring seems to be to identify and assist students who don’t attend, and whose presence is therefore not recorded or processed, there seem to be a number of both […]
I was interested to spot that the Article 29 Working Party visited the question of “public authorities” back in 2014, on page 23 of their Opinion on Legitimate Interests. There they note that there are two possible interpretations of the (then draft) General Data Protection Regulation’s (GDPR) rule that public authorities may not use legitimate […]