background preloader

GDPR Guidance and Models

Facebook Twitter

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected. Most GDPR emails unnecessary and some illegal, say experts. The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week.

Most GDPR emails unnecessary and some illegal, say experts

Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal. “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. . … we have a small favour to ask.

FCA and ICO publish joint update on GDPR. A Tale of Two Breaches. Peter is having an extremely bad day.

A Tale of Two Breaches

As Data Protection Officer (DPO) at a large company, he’s just taken a frantic phone call from the CIO who has informed him of a massive data breach. Details are still very sketchy, but potentially thousands of customer records, including personal data (PD) and payment card data has been compromised – and no-one knows what to do next. Simplybusiness.co. Much GDPR prep is a waste of time, warns PwC. Many organisations are focusing their preparation for compliance with the EU’s General Data Protection Regulation (GDPR) on the wrong things due to a failure to understand the real risks, according to a top legal adviser.

Much GDPR prep is a waste of time, warns PwC

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy. “If you do not focus on the technology stack over the next seven months, and you are responsible for a GDPR programme, you know where the pain is coming from,” Stewart Room, global lead cyber security and data legal protection services at PwC, told attendees of the IP Expo Europe 2017 in London. “Because of those false assumptions, we will end up in inevitable failure,” he said.

Quantum of illegality Coping mechanisms. What is the current status of GDPR incorporation in the EU's 28 Member States? [Ongoing updates] Having looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation of the GDPR in each of the EU’s 28 Member States.

What is the current status of GDPR incorporation in the EU's 28 Member States? [Ongoing updates]

I am interested in particular in whether provision has been made in any incorporating legislation or draft for an express claim for compensation or damages to give effect to Article 82 GDPR. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would very grateful indeed.

It seems that incorporations in various jurisdictions are taking differing positions on Article 82 GDPR. Bulgaria A Bill is not expected before September 2017. Microsoft Benchmark Tool. BayLDA - The Data Protection Authority of Bavaria for the Private Sector. GDPR for marketers: Five examples of 'Legitimate Interests' You probably found this blog post because you know what the General Data Protection Regulation (GDPR) is, and are concerned about its impact on your day-to-day work as a marketer.

GDPR for marketers: Five examples of 'Legitimate Interests'

When the GDPR comes into effect on 25 May 2018, marketers in the EU (or serving people in the EU) will need to be better aware of the privacy rights for individuals and the lawful grounds for processing their personal data. One of the six lawful grounds for personal data processing is the 'legitimate interests of the controller or third party', and this is the area we'll be examining in this article, with plenty of help from the excellent Legitimate Interests Guidance produced by the Data Protection Network (sign up to download it here). We'll look at general examples of legitimate interests and more specific examples, too. GDPR and B2B Email Marketing: The Need to Know. Tim Holt Managing Director Recently, a long standing client asked why we had been selling illegal B2B email marketing data.

GDPR and B2B Email Marketing: The Need to Know

Naturally, we hadn’t, but we were very curious to know why they thought we had. GDPR Records of Processing Template (Article 30) CNIL-PIA-2-Tools. Top 5 Priorities to Prepare for EU GDPR. When the European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, its impact will extend beyond the borders of the European Union (EU).

Top 5 Priorities to Prepare for EU GDPR

It will apply to all companies processing and holding the personal data of EU residents, regardless of the company’s location. “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe,” said Bart Willemsen, research director at Gartner. “With the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”

Despite a lot of recent attention around these regulations, Gartner predicts that, on the date of effectuation, more than half of companies affected by the GDPR will not comply fully with its requirements. Get Smarter. When and how shall a privacy impact assessment be run? When and how shall a privacy impact assessment be run?

When and how shall a privacy impact assessment be run?

A privacy impact assessment represents an obligation under the EU Data Protection Regulation in case of high risk data processing activities, but how and when shall it be done? Updated on 18 October 2017 after the publication of the final version of the WP29 Guidelines on the data protection impact assessment As part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation, here is an article on how the privacy impact assessment, when it is mandatory and how it shall be run. How can companies prove privacy compliance? The EU Data Protection Regulation requires to put in place “appropriate technical and organisational measures to ensure a level of security appropriate to the risk“ Such requirement puts companies in a very hard position.

“process for building and demonstrating compliance“. When is a privacy impact assessment necessary? How to Know if The GDPR Will Affect Your Charity — LIKECHARITY. This a guest post from Clare Deegan of Sytorus To mark exactly one year to go before the GDPR becomes enforced, the Irish Data Protection Data Protection Commissioner, Helen Dixon, took the airways of Morning Ireland in May to warn companies who still believe that the GDPR won’t impact their organisation.

How to Know if The GDPR Will Affect Your Charity — LIKECHARITY

It has been our experience that charities have felt most impacted by the GDPR yet many charities still believe the GDPR won’t impact them. Ms Dixon stated that ‘90% of small and medium sized business’ will be impacted by the GDPR and ‘fewer than half of these businesses being aware’; many small companies who believed the GDPR did not impact them sat up and took note. Ms Dixon’s position was clear ‘doing nothing means you are automatically out of compliance’ and ‘it won’t be possible to get ready in a few months’. GDPR controls frameworks - how do you know if they are any good? - Data protection and privacy global insights. By Stewart Room Follow @StewartRoom It might be surprising to know that despite a very long history of laws, regulations and operational practices - nearly 50 years in Europe - there is no consensus on what a good controls framework for Personal Data Protection actually looks like.

GDPR controls frameworks - how do you know if they are any good? - Data protection and privacy global insights

This blog attempts to shine some light on what good looks like, or more accurately where a good one comes from. Let’s sort out this profiling and consent debate once and for all. - Privacy, Security and Information Law Fieldfisher. In a post last week, I said that “There’s a perpetuated misconception that all profiling needs consent. It doesn’t, end of.”

Since this seems to have been an area of much confusion under the GDPR, I thought it worth taking the time to elaborate on this point. What is “profiling”? EU: Snooping on job applicants could soon be illegal. The GDPR “General Data Protection Regulation” Daily. The great unsolved data protection challenges of our time (at least for now) - Privacy, Security and Information Law Fieldfisher. Far from the heady statements made at the time that the draft GDPR was first proposed, that we would soon usher in a new era of data protection uniformity, certainty and reduced red tape (a kind of data protection utopia, if you will), it is increasingly apparent as we canter towards May 2018 that several significant areas of data protection uncertainty remain and that these present head-on challenges to business - challenges for which there is little, if any, legislative or regulatory clarity at present.

I’m sure everyone has their own personal list of these issues, but to identify the “top 5” that keep hitting my desk: 1. Just how is controller and processor liability supposed to work in practice? As everyone knows by now, the GDPR will introduce direct, statutory liability for data processors. Controllers will no longer be solely on the hook. What if both parties are partially at fault? EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work. The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context (available here). GDPR: The essentials for fundraising organisations. 4 May 2017 On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into effect in the UK. This will replace the current Data Protection Act and introduce new and different requirements for all sectors and organisations.

To help fundraisers understand the key parts of GDPR in relation to direct marketing and how you can lawfully contact your supporters, we have produced this guidance in partnership with Bircham Dyson Bell to take you through the main questions. Your download should start automatically. GDPR likely to mean '50 or 60 changes to Code of Fundraising Practice'  How GDPR Will Drive Marketing To Social - Digital Leadership Associates. By Ian Moyse | @imoyse Marketers, you have a problem – and it’s not a small one. In addition to the much discussed changes in buyer behaviour and research showing the demise of traditional marketing approaches, GDPR (General Data Protection Regulation) is now looming over us. This will be enforced from May 25th 2018 and changes what you can and cannot do with data that identifies an individual. A recent DMA Survey found that 70% of marketers were most concerned about how GDPR would affect marketing consent. More concerning is that only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline.

You must review your marketing activities quickly to ensure data and processes are compliant or close enough to avoid any risk of complaints and fines. Here are some key areas marketing must address: Subject access requests: revised guidance from the ICO - Panopticon Panopticon. As Panopticon devotees will know, the early months of 2017 brought a flurry of judgments about subject access requests – most importantly, in the Dawson-Damer and Ittihadieh/Deer cases. The principles from those judgments have now been incorporated into a revised ICO Code of Practice on subject access requests, published last week. The revised Code is important not only because it reflects up-to-date caselaw, but also because it tells us how the ICO expects to see subject access requests dealt with in practice. HR data and GDPR: what you need to know about consent (and why not to rely on it) When B2B data is personal data and what that means with the GDPR. Does retargeting use personal data and how will GDPR impact it?

ICO less likely to fine charities for data breaches if they show staff training. The Information Commissioner's Office has said that in the event of a data breach it would be less likely to issue a monetary penalty to charities which had taken “reasonable steps” to prevent it, including staff training. When asked whether the Information Commissioner would be more likely to fine organisations who could not show evidence that at least 80 per cent of its staff were trained in data protection, a spokeswoman for the ICO said it would take “full account of the facts” in any investigation.

A marketer's guide to the looming EU Global Data Protection Regulation. GDPR processor clauses and why they can't wait - Privacy, Security and Information Law Fieldfisher. GDPR for the boardroom. Will GDPR Change the World? event. IntroductionThank you. Let me take a moment to thank TechUK for putting together this event and for offering me the platform to speak with you this morning.Our Commissioner, Elizabeth Denham, has been clear that the ICO’s vision – of increasing data trust and confidence among the UK public – can only be achieved by working in partnership with the private, public and third sectors.An important part of that is developing key relationships with representative or umbrella organisations as multipliers and amplifiers for our engagement with different constituencies.

Dentons Boekel - GDPR Update: Rights of the data subjects (information notices) Data watchdogs called on to clarify organisations duties on consent under GDPR. Opt in versus opt out. Two letters from the regulator. Worry 1 Fundraising regulation may seem boring and complicated but it’s also massively important. General Data Protection Regulation (GDPR) and the Enterprise Technology Landscape « Thoughts from the Systems front line.... Recently at the London Metropolitan University, hosted by the students Union, I presented an example in which the introduction of new legislation would impact my version of the Enterprise Architectural Stack.

Subsequently after reading all 80+ pages of the General Data Protection Regulation (GDPR) I thought I would blog additional information and playback what I highlighted during the presentation, as I consider this an important game changing piece of legislation for those of us in Europe who design, deliver and manage Enterprise Systems. Arthur J. Gallagher - Are You Ready For The GDPR? Share this: 'Charities should not feel pressured into opt-in model under GDPR', says DMA. Wanted: evidence base to underpin a children’s rights-based implementation of the GDPR. ICO: Open banking 'a key way' for banks to meet data portability duties under the GDPR. Facebook users will be given new legal right to delete all posts they made as teenagers, Tories announce. A holistic three-step approach to manage GDPR compliance - BearingPoint Sweden. Beware of the phish – how to stay ahead of the scammers.

Responses to ICO GDPR consent consultation highlight adtech quandary. Many companies lack GDPR plan, PwC data shows. European Privacy Regulation Guidelines from the Italian Data Protection Authority. The GDPR and your data protection obligations - Speaking of Security - The RSA Blog. Watchdog queries scope of rules on 'profiling' under the GDPR.

Human resources jobs, news & events - People Management. More GDPR questions answered: new guidelines on DPIAs. GDPR Myth: What happens in the EU must stay in the EU. Sanity check: One year until GDPR. Data protection and Brexit - an update. It’s time to wake up and figure out how GDPR affects you! WP29’s final word on DPOs, data portability, and the one-stop shop. WP29 proposes DPIA guidelines, shedding light on “high risk” processing. 2,224 data security breaches reported in 2016, says Data Protection Commissioner. GDPR: How to win the data privacy war. GDPR awareness, readiness and compliance in the US, UK and Belgium. UK Businesses Passing The Buck When It Comes To GDPR. GDPR Compels Next-Generation Compliance Efforts. European Commission: EU-US Privacy Shield complies with the requirements of the General Data Protection Regulation.

New privacy risks for tech suppliers? Free guide to GDPR and data protection for charities published today. UK’s GDPR law will not be judged “adequate” if it contains provisions that made the DPA inadequate - Hawktalk. 10 tips to a perfect data protection policy. GDPR and your data: check you comply . . . then check again. New data rules mean it can't be 'business as usual' - Helen Dixon. German EU General Data Protection Regulation. What does the General Data Protection Regulation (GDPR) mean to me and my Salesforce.com CRM? - Desynit.

EU trying to salvage US deal on data privacy. UK to repeal sections of the Data Protection Act as part of GDPR reform process, says minister. Untitled. GDPR: Privacy law gives advertisers a tough cookie – Todd Ruback – Medium. Make consent less boring. No Longer the Same Check Boxes – Achieving Compliance and Data Security with EU GDPR -David Clarke & Stealthbits. Data Breach Notifications: What's Optimal Timing? Data security and breach notification in Japan. 3 options for GDPR after Article 50. Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR - Privacy, Security and Information Law Fieldfisher. The unfathomable cost of getting in the FCA’s bad books on data handling issues. New regulations are not just a tech problem - now everyone must act in protecting consumers' data. Managing unlimited demands for unlimited liability in GDPR contracts - Privacy, Security and Information Law Fieldfisher.

Characteristics of Governing Data. Preparing for the EU GDPR - 360 Business Law. Data Portability: how will your organisation unlock this right? - Data protection and privacy global insights. How the new privacy data portability right impacts your industry. Territorial scope of the GDPR (Flowchart) Cloud industry body sets up new data protection code. DPO and organizational models in the company – Europrivacy. 32016R0679. Which Data Is in Scope for GDPR? How GDPR impacts a data controller based outside the EU. New obligations for data processors under the GDPR. 10 tips to stop your charity breaking the law. Why charities need to prepare for GDPR. The impact of the General Data Protection Regulation (GDPR) - Lawyer Issue.

Firms warned building trust vital under new EU data protection rules.