Privacy Compliance & Data Security

Information on Data Breach Prevention and the Appropriate Response

The GDPR that stole communion… Some schools in Ireland have been banning photographs at communion, citing GDPR. The Irish Data Protection Commission clarified in guidance titled “Taking Photos at School Events: Where Common Sense Comes Into Play” that GDPR does not mandate this. Taking a photo in public is generally fine; it is what you then do with that photo that can become a data protection issue. If a school seeks consent from…
The “data lemon,” a company you acquire without sufficient data protection due diligence that turns out to be rife with issues, is really more like “data lemon ice cream.” Once it melts, that is, once you uncover a serious breach after the deal closes, it will never return to its original state. Read the Harvard Business Review’s take on the importance of thorough data security due diligence in mergers and acquisitions.…
The Dutch Data Protection Authority makes six recommendations on drafting a data protection policy, based on its audits of the privacy policies of blood banks, IVF clinics and political parties. A good data protection policy shows individuals and the supervisory authority that the organisation complies with GDPR. Three mandatory components were examined: a description of the (categories of) personal data; a description of the purposes of data processing; and the rights of data subjects. Recommendations: Assess whether…
“Rather than view data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of the business to ensure comprehensive coverage and consistency.” “Regulation can only go so far – if businesses focus on best practices for cybersecurity, data protection and combine this with compliance they will be giving themselves the best chance of business success, whilst protecting their customers and their data.” Businesses “should strive to have an…
“I have long advocated for privacy protections that include the principles of knowledge, notice and the right to say ‘no’ to companies that want our information. But it is increasingly clear that a true 21st-century comprehensive privacy bill must do more than simply enshrine notice and consent standards,” said Sen. Edward Markey (D-Mass.), the author of the Privacy Bill of Rights Act. Markey said the bill was crafted in response to the continuing number of…
The French Data Protection Authority (CNIL) received 11,077 complaints in 2018, up 32.5 percent from 2017. Other highlights from the CNIL 2018 report: CNIL carried out 310 investigations in 2018, of which 204 were onsite, 51 online and 51 on the basis of documentation. 49 orders were adopted in 2018, of which five were in the insurance sector and four concerned companies specialized in advertising targeting via a technology (Software Development Kit) installed in…
“What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge — a lot of times without our permission — and is being used in ways that can negatively affect our credit scores, our health insurance premiums, or car insurance premiums, and even what kind of cars and hotels you’ll…
“Where the sponsor processes personal data of data subjects in the EU, including in the context of managing the clinical trial, GDPR is fully applicable, including the obligation to designate a representative in the EU.” The European Commission has updated FAQs on the interplay between the forthcoming Clinical Trials Regulation (CTR) and GDPR. Key Takeaways: Each trial subject should receive information related to the clinical trial as required by the CTR as well as GDPR.…
The “agree button is one of the biggest lies on the internet. This is not consent. This is not notice,” said U.K. Information Commissioner’s Office Executive Director for Technology Policy and Innovation Simon McDougall. People are now living in an “age of unhappiness” and are not feeling empowered, says McDougall. With large tech companies, the balance of power has shifted, and “people are feeling unhappy about that.” “But at the same time… people are still…
The European Data Protection Board (EDPB) has issued draft guidelines on the GDPR legal basis of “necessary for the performance of a contract”. Key takeaways: you must specify the purpose of the processing and avoid vague or general purposes; “necessary for the performance of a contract” is not a legal basis for “special categories of data”; necessity covers only situations where the processing is objectively necessary for the performance of a purpose that is integral…