Data Protection Regulation

3 November 2017 at 10:21am

Article 29 WP draft on Breach Notification

Andrew Cormack
Data Protection Regulation
incident response
Breach Notification
GDPRtopics
The Article 29 Working Party's draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I've been warning since 2012, giving priority to notification.
Read more
26 October 2017 at 4:23pm

GDPR and "cyber security"

Andrew Cormack
Data Protection Regulation
incident response
GDPRtopics
Education Technology have just published an article I wrote (though I didn't choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the "incident response protects privacy" link to get the full legal analysis.
Read more
23 October 2017 at 4:28pm

GDPR - Privacy Notices

Andrew Cormack
Data Protection Regulation
GDPRprocess
GDPRtopics
Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months.
Read more
14 October 2017 at 8:12am

GDPR: Data Protection Impact Assessments

Andrew Cormack
Data Protection Regulation
GDPRdevelopment
The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to the organisation doing the processing.
Read more
9 October 2017 at 9:11am

GDPR: Student Unions

Andrew Cormack
Data Protection Regulation
GDPRtopics
I've been asked how universities can share students' details with their students union. Since there doesn't seem to be any law giving universities "special powers" to do that, the choice seems to be between the six normal legal bases under the General Data Protection Regulation (GDPR).
Read more

Jisc Security Conference 2017

Andrew Cormack
21 September 2017 at 1:06pm
Data Protection Regulation
I'll be doing a presentation on how Information Lifecycles can help you with the General Data Protection Regulation, security and effective use of information
Read more
20 September 2017 at 11:29am

European Law on Public Authorities

Andrew Cormack
Data Protection Regulation
GDPRtopics
It's pretty clear from the context and implications that when European legislators wrote "public authority" into the General Data Protection Regulation they didn't mean the same as the drafters of the UK's Freedom of Information Acts. "Public authority" isn't defined in the Regulation and I've not been able to find it in any other European law, so I'm grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.
Read more
8 December 2017 at 10:10am

GDPR/Data Protection Bill: public authorities and legitimate interests

Andrew Cormack
Data Protection Regulation
Data Protection Bill
GDPRdevelopment
[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]
Read more
11 September 2017 at 9:35am

GDPR: Backups, Archives and the Right to Erasure

Andrew Cormack
Data Protection Regulation
GDPRtopics
I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.
Read more
1 August 2017 at 8:58am

GDPR: Wifi access

Andrew Cormack
Data Protection Regulation
GDPRtopics
eduroam
Many, perhaps most, wifi access services want to perform some sort of authentication of people who use them (for those providing connectivity via Janet, it's a requirement of the Eligibility Policy).
Read more
Subscribe to Data Protection Regulation