Pragmatism

Are the ICO waking up? This seems a bit rough, … as it fines Flybe and Honda. There are two stories here: two large firms wanted to confirm that they had consents and so wrote to their list to ask if the consents remain in place …. They have been fined; the ICO considered this to be an un-consented bulk email. I wonder if it’s possible to perform this check legally. …

Restrictions

Just looking at my notes from the BCS Legal Day and while some are still hanging on for Brexit saving them from the GDPR, which it won’t, it becomes necessary to understand the wiggle room left by the GDPR.

Firstly, there are the competency limitations of the Union itself; it cannot legislate for national & public security nor for the criminal justice system. These exclusions are stated in Article 23 Restrictions and also include (or exclude, if that’s how you see it) the management of professions and the pursuit of civil justice. The Restrictions clause does, however, require the member state to act proportionately and respect the Charter of Fundamental Rights. In addition, there is room for national, member state, variances on the protection of employee data and the definition of public sector, impacting the need for a DPO. …

Fines, Enforcement and good faith

We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection. …

An overview of issues with the GDPR

At the BCS legal day, a presentation entitled “Key Issues” was made, which started with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.

Jan Albrecht MEP”

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances. …

BCS Legal Day

I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement.  The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement.  I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics. …

A note on the coming GDPR

In a blog at my employer’s site I looked at how to become compliant with the EU’s General Data Protection Regulation. Regulations are the Law in all the member states, and members of the European Economic Area. The article looks at the issues of consent, the new data subject rights, privacy by design, the meaning of adequate protection and new public accountability via the duty to report breaches and to appoint a professional data protection officer. …

Coming Privacy Law

Yesterday, I attended a session convened by the BCS North London branch, called “Data Privacy – How Private is IT?” The presentation was given by two PWC staff members in two parts: the first was a forward-looking review of the proposed EU Data Protection Regulation by Kyrisia Sturgeon, and the second part a scenario-based exploration of good data protection practice led by Pragasen Morgan. To me the coming key changes in the law are that all companies will need to have a qualified data protection officer, and it implements a right to be forgotten, or more accurately a right to be unindexed. …