News
Latest on risk management, professional indemnity and compliance issues.
-
March 26, 2024
ICO Data Protection Fining Guidance
See here.
-
September 22, 2023
The Data Protection (Adequacy) (United States of America) Regulations 2023
These Regulations specify the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR.
See here.
-
May 09, 2023
F.F. v Österreichische Datenschutzbehörde, Case C 487/21
Decision of the Court of Justice of the European Union (‘CJEU’), holding that data subject access rights to copies of personal data include a right to copies of extracts from documents or even entire documents or extracts from databases containing those data.
See here.
-
March 16, 2023
ICO – updated Guidance on AI and data protection
See here.
-
January 17, 2023
ICO Guidance on direct marketing using electronic mail
See here.
-
July 19, 2022
Data Protection and Digital Information Bill – Explanatory notes
See here.
-
February 01, 2022
International data transfer agreement, addendum and provisions laid before Parliament | ICO
The Information Commissioner’s Office has laid the International data transfer agreement (IDTA), the International data transfer addendum to the European Commission’s standard contractual clauses (Addendum) and a document setting out transitional provisions as to the use of the current standard data protection clauses for international transfers before Parliament. They came into force on 21 March 2022.
See here.
-
October 21, 2021
Rolfe & Others [2021] EWHC 2809 (QB)
Summary judgment for the defendant solicitors on a claim under GDPR and the Data Protection Act 2018 arising from an email sent to the wrong address. There was no credible case of distress or damage over a de minimis threshold.
See here.
-
October 01, 2021
European Data Protection Supervisor’s Opinion 12/2021 on the AML/CFT package of legislative proposals
European Data Protection Supervisor’s Opinion 12/2021 on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals. See here.
-
September 03, 2021
Elliott v. Pubmatic, Inc. (4:21-cv-01497), California Northern District Court
Claim for damages under UK GDPR in the US courts was dismissed as the UK courts were the appropriate forum. See here.
-
August 27, 2021
New Office 365 “report phishing” button
National Cyber Security Centre announcement of innovation in reporting phishing scams through Microsoft Office 365 accounts.
See here.
-
August 25, 2021
Cost of a Data Breach Report 2021
See here.
-
August 20, 2021
The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered Under GDPR – article in The Sedona Conference Journal, Vol. 22 (2021), 277-344
See here.
-
August 16, 2021
Information Commissioner’s Office (ICO) consultation on draft international data transfer agreement (IDTA) and guidance to replace Standard Contractual Clauses (SCCs)
See here.
-
August 09, 2021
Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
Claims for breach of confidence, misuse of private information, and common law negligence arising from a data breach were struck out, leaving a claim for breach of the Data Protection Act 1998, in relation to the seventh data protection principle.
See here.
-
June 29, 2021
European Commission adopts adequacy decisions for the UK (press release with links)
See here.
-
June 25, 2021
European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
See here.
-
June 07, 2021
The European Commission approved new Standard Contractual Clauses for international data transfers on 4 June 2021
See here.
-
June 02, 2021
Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB)
A representative appointed under Art. 27 of GDPR was held to have no liability to the claimant for alleged breaches of GDPR in connection with a database providing information for anti-money laundering compliance.
See here.
-
May 25, 2021
Data protection: MEPs urge the Commission to amend UK adequacy decisions
European Parliament resolution calls on the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred here.
See here.
-
April 28, 2021
Sophos report: The State of Ransomware 2021
The report addresses the prevalence and costs associated with ransomware. Of the companies which paid up, whether for speed of recovery or inadequacy of backups, on average, only 65% of the encrypted data was restored after the ransom was paid. 4 per cent of victims who paid up received nothing in return, and only 8% claim to have recovered everything after submitting to the blackmail.
Perhaps the biggest risk identified in the report, however, is not the loss of confidential data but having it exposed on the internet.
See here.
-
April 14, 2021
European Parliamentary Research Service report on EU-UK private-sector data flows after Brexit
The report analyses the proposed European Commission adequacy decisions under the GDPR and the Law Enforcement Directive, in particular criticisms which have been levelled at UK surveillance, the immigration exemption and the Digital Economy Act 2017, levels of enforcement by the UK Information Commissioner’s Office, onward transfer of data; and the UK’s level of commitment to EU data protection standards.
See here.
-
February 26, 2021
IBM Cost of a Data Breach report 2020
See here.
-
February 22, 2021
Data protection: draft UK adequacy decision
See here.
-
February 11, 2021
European Data Protection Board (EDPB) Guidelines 01/2021 on Examples Regarding Data Breach Notification (version for public consultation)
This contains numerous case studies which will be of interest in relation to UK GDPR as well as (EU) GDPR.
See here.
-
January 21, 2021
ICO analysis of the transfer of personal data from UK based firms to the US Securities and Exchange Commission for organisations
See here.
-
January 13, 2021
The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered under GDPR
See here.
-
January 04, 2021
Information Commissioner’s Office – Updated guidance on international transfers post-Brexit
See here.
-
November 17, 2020
Draft Standard Contractual Clauses for the transfer of personal data to third countries
The European Commission has published a draft implementing decision on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, along with its draft set of new SCCs (see Annex).
See here.
-
November 16, 2020
European Data Protection Board – public consultation on measures to supplement transfer tools for international data transfers following the Schrems II decision
The Information Commissioner’s Office has announced that it is reviewing the draft recommendations and also reviewing the European Commission’s new GDPR Standard Contractual Clauses.
See here.
-
November 02, 2020
Marriott International Inc – ICO Monetary Penalty Notice
The ICO decision notice fining Marriott £18.4m for data breaches contains some important points on the technical aspects which gave rise to the breaches and the risks of acquisition of other businesses, in this case Starwood, which may have undiscovered security vulnerabilities.
Multifactor authentication (MFA) issues featured significantly, though these were not taken into account in fixing the penalty due to assurances on which Marriott had relied. Factors considered included insufficient monitoring of privileged accounts, insufficient monitoring of databases, control of critical systems (through whitelisting), and lack of encryption of payment card data and passport numbers.
Marriott’s submission that Article 33 of GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected: instead, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred.
See here.
-
October 22, 2020
Revised ICO guidance on Right of Access and Subject Access Requests
This provides additional guidance on stopping the clock for clarification, what is a manifestly excessive request, and what can be included when charging a fee for excessive, unfounded or repeat requests.
See here.
-
October 16, 2020
British Airways: ICO £20m penalty notice for information security breaches
This contains some useful insights for managing security in professional firms, albeit heavily redacted, into the security breaches which gave rise to the loss of personal data. They include failure to use multi-factor authentication, failure to address known Citrix security issues, failure to apply user access management (the principle of least privilege) and failure to implement application whitelisting or blacklisting. Other measures which could have been implemented included penetration testing and logging access to certain files, monitoring of failed log in attempts and monitoring of guest accounts.
See here.
-
October 02, 2020
ICO launches consultation on draft Statutory guidance | ICO
See here.
-
September 14, 2020
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
The European Data Protection Board has published Guidelines 07/2020 on the concepts of controller and processor in the GDPR for consultation. It invites comments by 19 October 2020. Of particular interest, the guidelines contain a useful summary in relation to joint controllers.
See here.
-
September 11, 2020
The Information Commissioner’s Office blog posting has announced the launch of the Accountability Framework as a ‘beta’ product
See here.
-
August 27, 2020
European Data Protection Board (EDPB): Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
See here.
-
July 24, 2020
The Sedona Conference Commentary on Law Firm Data Security
This new publication includes model clauses for engagement letters and a sample law firm information security questionnaire, see here.
-
July 21, 2020
Information Commissioner’s Annual Report 2019-20
See here.
-
July 16, 2020
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
Judgment of the Court of Justice of the European Union in Case C-311/18.
The Court of Justice has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. However, of considerable practical significance, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
See here.
-
June 29, 2020
Explaining decisions made with AI: The Information Commissioner’s Office has finalised its guidance
See here.
-
June 29, 2020
European Commission’s evaluation report of the General Data Protection Regulation (GDPR), published 24 June 2020
See here.
-
May 27, 2020
European Data Protection Board annual report 2019
European Data Protection Board annual report 2019. This advises that in 2020, the EDPB will aim to provide guidance on data controllers and processors, data subject rights and the concept of legitimate interest. See here.
-
May 12, 2020
European Data Protection Board – Guidelines 05/2020 on consent under Regulation 2016/679
See here.
-
May 11, 2020
New York Attorney General James secures new protections, security safeguards for all Zoom users
The New York Attorney General has reached an agreement with Zoom Video Communications on provision of improved privacy and security protection for the platform’s users.
See here.
-
April 16, 2020
The ICO’s regulatory approach during the coronavirus public health emergency
See here.
-
April 01, 2020
WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
Supreme Court allowed an appeal by WM Morrison Supermarkets, holding that they were not vicariously liable for a data breach committed by a rogue employee. See here.
-
March 12, 2020
Dawson-Damer v Taylor Wessing LLP [2020] EWCA Civ 352
Successful appeals on two points under the Data Protection Act 1998, holding on the facts that solicitors’ files were not a ‘relevant filing system’ and that legal professional privilege did not apply.
See here.
-
March 06, 2020
Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, Case C-61/19
Advocate General’s opinion on the meaning of “consent” under GDPR and the previous Data Protection Directive (95/46/EC).
See here.
-
March 05, 2020
ICO monetary penalty notice – Cathay Pacific fined £500,000 for data breach
The notice identifies many system failures which form a useful reminder for law firms, including inadequate patch management, out of date software, user access privileges and failure to use multi-factor authentication.
See here.
-
February 10, 2020
STEP Guidance Note: the effect of the GDPR on trusts and estates
See here.
-
January 10, 2020
Data protection: £500,000 fine on DSG Retail Ltd
This was the maximum fine for breaches pre-GDPR. Issues identified in the ICO monetary penalty notice include failures in relation to patching, permissions, and logging and monitoring incident response.
See here.
-
August 20, 2019
Timescales for responding to a subject access request | ICO
Revised ICO Guidance on calculating time limits.
See here.
-
December 20, 2019
Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems. Opinion of the Advocate General
See here.
-
December 20, 2019
According to Advocate General Saugmandsgaard Øe, Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries is valid
Advocate General’s Opinion in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems – Court of Justice of the European Union, press release relating to the standard contractual clauses for the transfer of personal data to processors established in third countries.
See here.
-
July 30, 2019
Information Commissioner’s Office blog: AI auditing framework
The blog discusses how artificial intelligence (AI) can require trade-offs between data protection principles, and what organisations can do to assess and balance them.
See here.
-
July 26, 2019
European Commission Report on GDPR
See here.
-
November 28, 2019
European Data Protection Board Guidelines 3/2018 on the territorial scope of the GDPR
See here.
-
July 05, 2019
Guidance on the use of cookies and similar technologies | ICO
ICO Guidance on the use of cookies and similar technologies (Updated)
See here.
-
October 29, 2019
e-Privacy Regulation – Revised draft published by the European Council
This includes clarification on consent, in line with GDPR and the Planet 49 judgment.
See here.
-
June 17, 2019
ICO Data Protection Audit Report on the Legal Ombudsman (June 2019)
The report contains some potentially useful pointers for law firms and others.
See here.
-
June 12, 2019
Green v Group Ltd & Others [2019] EWHC 954 (Ch)
Claim arising from the processing of data by Cambridge Analytica. Joint Administrators were not data controllers and were therefore not personally responsible for compliance with the provisions of the Data Protection Act 1998 in respect of the data processed by the company, including but not limited to Subject Access Requests.
See here.
-
June 07, 2019
ICO Report – GDPR: One year on
See here.
-
May 24, 2019
Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch)
High Court decision (following Court of Appeal decision) determining (1) whether paper files formed part of a relevant filing system, (2) application of legal professional privilege and waiver of privilege, (3) whether solicitors had carried out reasonable and proportionate searches for the claimants’ personal data under section 7 of the Data Protection Act 1998 and (4) whether the solicitors had breached their obligations under section 7 by redacting or withholding non-exempt data. (Lawtel subscriber link.)
See here.
-
October 11, 2019
Manifestly unfounded and excessive requests | ICO
ICO guidance on manifestly unfounded and excessive requests
-
October 10, 2019
Data protection and no-deal Brexit – updated guidance from The Law Society
See here.
-
April 25, 2019
M, R (on the application of) v The Chief Constable of Sussex Police & Anor [2019] EWHC 975 (Admin) (15 April 2019)
Judgment on lawfulness of sharing of sensitive personal data relating to a 16 year old child, including bail conditions, under an information-sharing agreement between the police and a local business crime reduction partnership. The decision also determined that the parties to the agreement were joint controllers of the data, rather than controller and processor respectively, and held that the defendant had implemented ‘appropriate technical and organisational measures’ by using a secure intranet, which was encrypted and password protected. See here.
-
April 18, 2019
Campbell v Secretary of State (Information rights – Data protection) [2018] UKUT 372 (AAC)
Appeal relating to data subject access rights did not survive death of the data subject.
See here.
-
April 12, 2019
Rudd v Bridle & Anor [2019] EWHC 893 (QB) (10 April 2019)
Consideration of various issues in relation to a Subject Access Request under the Data Protection Act 1998, including an unsuccessful claim of legal professional privilege and what constitutes ‘personal data’.
See here.
-
September 03, 2019
Civil Procedure Rules
Civil Procedure Rule changes to CPR 35 relating to privacy and data protection claims with effect from 1 October 2019, requiring more detailed pre-action protocol letters, and all claims for data protection and misuse of private information will be required to be brought in the High Court in London.
See here.
-
April 08, 2019
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
These Regulations make provision in relation to Brexit.
http://www.legislation.gov.uk/uksi/2019/419/contents/made
-
September 03, 2019
Brexit: Updated Law Society guidance on data protection
See here.
-
April 08, 2019
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019
These Regulations make amendments in relation to the application of the EU-US Privacy Shield to the UK post-Brexit.
http://www.legislation.gov.uk/uksi/2019/485/pdfs/uksi_20190485_en.pdf
-
August 30, 2019
EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection | European Data Protection Board
Advice from the European Data Protection Board and European Data Protection Supervisor on compliance with GDPR when responding to requests by US law enforcement authorities under the US CLOUD Act.
See here.
-
August 30, 2019
Mircom International Content Management & Consulting Ltd & Ors v Virgin Media Ltd & Anor [2019] EWHC 1827 (Ch)
A Norwich Pharmacal order requiring disclosure of IP addresses would result in the Applicants becoming “recipients” of personal data but not “controllers”, and therefore not subject to the more onerous obligations on “controllers”.
See here.
-
April 03, 2019
EDPB Review of implementation of GDPR
See here.
-
March 27, 2019
Advocate General’s opinion on cookie consent
See here.
-
March 19, 2019
Opinion on the interplay between the ePrivacy Directive and the GDPR
The European Data Protection Board have published Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities. See here.
-
February 26, 2019
Finjan, Inc. v. Zscaler, Inc.
Californian District Court decision ordering disclosure of emails despite objection based on GDPR.
See here.
-
February 19, 2019
Data Protection Commission
Brexit – Data Protection Commission (Ireland) Guidance on Transfers of Personal Data from Ireland to the UK in the Event of a ‘No-Deal’ Brexit
See here.
-
February 08, 2019
Brexit and GDPR – HM Government guidance: Using personal data after Brexit
See here.
-
February 05, 2019
European Commission infographic: GDPR in numbers
See here.
-
January 18, 2019
No-deal Brexit guidance: Data protection – The Law Society
See here.
-
January 18, 2019
Data protection and Brexit | ICO
See here.
-
January 11, 2019
Law Society advice: GDPR in practice: ICO enforcement powers
See here.
-
January 11, 2019
Guide to Data Protection | ICO
The ICO’s Guide to Data Protection covers the Data Protection Act 2018 and the GDPR as it applies in the UK. The guide combines the existing ICO guides to the GDPR and Law Enforcement Processing, with the addition of new pages on intelligence services processing and key data protection themes.
See here.
-
January 03, 2019
Privacy Shield and the UK FAQs | Privacy Shield
Brexit: The US Department of Commerce has published guidance on its Frequently Asked Questions page on the application of the Privacy Shield to data transfers from the UK post-Brexit. It addresses both the deal and no-deal positions, and outlines steps which, in the case of no deal, must be taken by 29 March 2019.
See here.
-
January 03, 2019
EU-US Privacy Shield | European Commission
The European Commission has published its second review of the EU-US Privacy Shield. The Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States, though some steps have only recently been implemented and developments need to be monitored.
See here.
-
January 03, 2019
Brexit: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DRAFT)
Draft regulations to maintain the legislative framework post-Brexit have been published.
See here.
-
December 17, 2018
The GDPR | ICO
Brexit: The ICO has issued updated guidance as the prospect of a withdrawal with no deal appears increasingly likely.
See here.
-
December 20, 2018
GDPR in practice: Cross-border data flows and Brexit – guidance from The Law Society
See here.
-
December 13, 2018
Department of Homeland Security (DHS) report on US Customs and Border Protection (CBP) Searches of Electronic Devices at Ports of Entry
See here.
-
December 12, 2018
What’s new | ICO
The Information Commissioner’s Office has published expanded guidance on contracts, published guidance on controllers and processors and published detailed guidance on controllers and processors and contracts and liabilities.
See here.
-
November 27, 2018
EDPB Guidelines on Territorial Scope of GDPR
See here.
-
November 20, 2018
IBA Cyber-security guidelines
See here.
-
November 16, 2018
ICO publishes detailed guidance on encryption
See here.
-
November 14, 2018
Law Society guidance – No deal: Brexit and data protection
See here.
-
November 02, 2018
The ICO guidance has been updated in relation to (1) Passwords in online services and (2) Encryption
For Passwords in online services, see here.
For Encryption, see here.
-
October 31, 2018
Emma Bate speech
Speech by Emma Bate, General Counsel, ICO, covering recent action and ICO’s latest thinking on international data transfers.
See here.
-
October 23, 2018
Wm Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339
Morrisons’ unsuccessful appeal against a finding of vicarious liability for a data breach by a rogue employee, despite the adequacy of its data security measures.
See here.
-
October 10, 2018
Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB)
Disclosure of a Suspicious Activity Report ordered under CPR 31.14 in an action for defamation and breach of contract. Suspicious Activity Reports are subject to qualified, not absolute, privilege. Discussion as to entitlement to receive copies following a Subject Access Request under the Data Protection Act 1998 (pre-GDPR).
See here.
-
October 10, 2018
Monetary Penalty Notice – Heathrow Airport
The Information Commissioner has fined Heathrow Airport £120,000 following loss of an unencrypted USB stick containing personal data, some of it sensitive personal data. Only 2% of staff had received data protection training and there were inadequate controls over downloading data onto USB sticks. The matters in question pre-date the implementation of higher penalties under GDPR.
See here.
-
October 10, 2018
Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018)
Consent: Successful appeal against monetary penalty notice imposed by the Information Commissioner relating to direct marketing by electronic communications contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Note: The facts predate the changes to the definition of ‘consent’ introduced by GDPR.
See here.
-
September 27, 2018
The ICO has updated the guidance on exemptions, including legal professional privilege
See here.
-
September 21, 2018
Points to take from ICO fining Equifax £500,000
The ICO decision notice fining Equifax £500,000 for data breaches contains some important points not only on the technical aspects which gave rise to the breaches but also on the compliance requirements when using standard contractual clauses.
https://ico.org.uk/media/action-weve-taken/mpns/2259808/equifax-ltd-mpn-20180919.pdf
-
September 14, 2018
Data protection if there’s no Brexit deal – GOV.UK
Brexit – Government guidance on data protection, see here.
-
September 11, 2018
International transfers | ICO
The ICO guide to GDPR has been updated today (11 September 2018) to reflect the decision of the EEA Joint Committee that the GDPR applies to the EFTA states (Iceland, Norway and Liechtenstein) with effect from 20 July 2018.
See here.
-
August 03, 2018
International transfers | ICO
The ICO has published updated guidance on international transfers.
See here.
-
July 25, 2018
U.S. Customs And Border Protection – CBP Directive No. 3340-049A guidance on Border Search Of Electronic Devices
See here.
-
July 24, 2018
Information Commissioner’s Annual Report and Financial Statements 2017-18
See here.
-
July 18, 2018
Data protection: The Court of Justice of the European Union in Case C-25/17
Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta, has applied a broad interpretation (a) to what constitutes a filing system and (b) concerning joint controllers under Directive 95/46/EC.
See here.
-
July 05, 2018
Data Adequacy after Brexit: Commons Select Committee Report
See here.
-
June 25, 2018
Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWCA Civ 2217
Liability for data breach to claimants not identified directly, definition of ‘personal data’, damages for distress.
See here.
-
June 07, 2018
The European Data Protection Board has issued guidance on international transfers – Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Article 29 Working Party, see here.
-
May 25, 2018
What is personal data? | ICO
GDPR is in full effect from today, and the ICO has published updated guidance on What is personal data?
See here.
-
May 23, 2018
Data Protection Act 2018
The Data Protection Act 2018 has received Royal Assent.
See here.
-
May 23, 2018
What’s new | ICO
The ICO have expanded their guidance on data protection by design and default, and published detailed guidance on automated decision-making and profiling.
The ICO have also published a new page on codes of conduct, and a new page on certification.
See here.
-
May 17, 2018
The right to be informed | ICO
The ICO has published detailed guidance on the right to be informed.
See here.
-
May 15, 2018
The ICO has updated the guidance on Right of access
See here.
and Right to object, see here.
-
May 15, 2018
The ICO has published detailed guidance on Data Protection Impact Assessments (DPIAs).
See here.
-
May 10, 2018
The ICO has published detailed guidance on consent
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/
-
May 02, 2018
Bar Council guidance: Signing Controller-Processor Agreements with Solicitors’ Firms
The Bar Council has advised that barristers should not generally be agreeing contracts with solicitors under which they are identified as data processors. See here.
-
May 01, 2018
Corrigendum to GDPR
The EU has published some minor corrections to GDPR in a Corrigendum – see pages 90-98 for the English provisions.
See here.
-
April 30, 2018
Security | ICO
The ICO has issued updated guidance on Security.
See here.
-
April 30, 2018
Accountability and governance | ICO
The ICO has issued updated guidance on Accountability and governance.
See here.
-
April 25, 2018
The Article 29 Working Party’s Guidance on Transparency under GDPR has been published
See here.
-
April 25, 2018
The Article 29 Working Party’s final Guidance on Consent under GDPR has been published
See here.
-
April 23, 2018
Preparing for the GDPR: A guide for law firms – The Law Society
The Law Society has published Preparing for the GDPR: A guide for law firms.
See here.
-
April 20, 2018
Article 29 Working Party publishes derogations from the obligation to maintain records of processing activities
See the Working Party 29 Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR here.
-
April 17, 2018
ARTICLE29 Newsroom – Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01) – European Commission
The Article 29 Working Party has published a Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors.
See here.
-
April 17, 2018
The Article 29 Working Party has published its guidance on consent
See here.
-
April 16, 2018
The Data Protection (Charges and Information) Regulations 2018 provide for fees payable to the Information Commissioner’s Office
See here.
There is also an explanatory memorandum http://www.legislation.gov.uk/uksi/2018/480/pdfs/uksiem_20180480_en.pdf. There are three tiers of charges in this new instrument: Tier 1 (Micro Organisations), £40; Tier 2 (Small and Medium Organisations), £60; and Tier 3 (Large Organisations), £2900. There is a £5 discount applied to each tier for data controllers paying by direct debit. The Tier 3 level is a substantial increase from the current £500.
Existing data controllers (at the time when these Regulations come into force) are not required to pay a charge or provide information during the period of 12 months since their most recent fee, under the existing scheme, was received by the ICO.
-
April 11, 2018
Lawful basis interactive guidance tool | ICO
GDPR: The ICO has added a Lawful Basis Interactive Guidance Tool to the website.
See here.
-
April 09, 2018
Security | ICO
The ICO has issued updated guidance on information security under GDPR.
See here.
-
March 28, 2018
What’s new | ICO
The ICO has expanded the GDPR guidance on Data protection impact assessments.
See here.
-
March 22, 2018
The ICO has published guidance on ‘Legitimate Interests’
See here.
-
March 22, 2018
The ICO has published a consultation on Data Protection Impact Assessments (DPIAs) guidance
See here.
-
March 15, 2018
Data protection officers | ICO
The ICO has expanded its guidance on Data Protection Officers.
See here.
-
March 19, 2018
Right to be informed | ICO
The ICO has issued further guidance on the right to be informed.
See here.
-
March 12, 2018
The ICO has published an introduction to the Data Protection Bill
See here.
-
February 26, 2018
FATCA (Foreign Account Tax Compliance Act)
The Article 29 Working Party letter on the impact of FATCA on accidental American citizens and compliance with data protection legislation.
See here.
-
February 22, 2018
Guide to the data protection fee | ICO
The Government has announced a new charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO).
See here.
-
February 08, 2018
2018 reform of EU data protection rules | European Commission
EU General Data Protection Regulation (GDPR) website launched.
See here.
-
February 07, 2018
CCBE Guidance on the main new compliance measures for lawyers regarding the General Data Protection Regulation (GDPR)
See here.
-
February 07, 2018
Children | ICO
The ICO has updated their guidance on children.
See here.
-
January 30, 2018
2018 reform of EU data protection rules | European Commission
The European Commission has published guidance on GDPR.
See here.
-
January 16, 2018
European Commission note on the impact of Brexit on data transfers
See here.
-
January 03, 2018
The Article 29 Working Party has published draft guidance on transparency under GDPR.
See here.
-
December 19, 2017
The Article 29 Working Party has published guidelines on consent under Regulation 2016/679.
Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.
See here.
-
November 28, 2017
The Information Commissioner has added a What’s New page to her website
See here.
-
October 24, 2017
Report From The Commission To The European Parliament And The Council
The Report From The Commission To The European Parliament And The Council on the first annual review of the functioning of the EU–U.S. Privacy Shield confirms that the Privacy Shield provides adequate protection.
See here.
-
October 20, 2017
GDPR: The Article 29 Working Party has published guidance on data breach notification
See here.
-
October 18, 2017
Data Protection Bill, House of Lords second reading – ICO Briefing Released
See here.
-
October 09, 2017
Joint Press Statement from US Secretary of Commerce Ross and Commissioner Jourová on the EU-U.S. Privacy Shield Review
See here.
-
September 18, 2017
The Information Commissioner’s Office has published draft GDPR guidance on Contracts and liabilities between controllers and processors
See here.
-
September 15, 2017
The Data Protection Bill: the first reading took place on 13 September 2017.
See here.
-
August 07, 2017
Government has announced its plans for a new Data Protection Bill
The Government has announced its plans for a new Data Protection Bill to bolster the protection provided by the General Data Protection Regulation (GDPR). The Bill proposes tougher rules on consent, rights to access, rights to move and rights to delete data.
-
July 14, 2017
The Article 29 Working Party has issued an Opinion on data processing at work
The Article 29 Working Party has issued an Opinion on data processing at work aiming to provide guidance on balancing employee privacy expectations in the workplace with employers’ legitimate interests in processing employee data.
-
July 05, 2017
Updated ICO Subject Access Code of Practice
See here. This has been amended to take account of the decisions in two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford [2017] EWCA Civ 121.
-
June 28, 2017
Warning to SMEs as firm hit by cyber attack fined £60,000
See here.
-
March 30, 2017
ICO guidance on AI (Artificial Intelligence) and data protection
See here.
-
March 17, 2017
Fine for lawyer who stored client files on home computer
See ICO Monetary Penalty Notice here.
-
March 06, 2017
ICO consultation on consent under the GDPR
See here.
-
February 17, 2017
Solicitors ordered to comply with a subject access request which was made for the collateral purpose of assisting in litigation
Dawson-Damer & Ors v Taylor Wessing LLP & Ors [2015] EWHC 2366 (Ch) – the court ordered solicitors to comply with a subject access request under the Data Protection Act 1998 which was made for the collateral purpose of assisting in litigation. The court considered legal professional privilege issues.
-
October 11, 2016
The Information Commissioner’s new Privacy Notices Code of Practice
The Information Commissioner has published its new Privacy Notices Code of Practice containing guidance and examples. See here.