The last couple of years have seen a steady increase in enforcement action and prominent court cases involving subject access requests (“SARs”) under the Data Protection Act 1998 (“DPA”).
Organisations are also starting to prepare for the new EU General Data Protection Regulation (“GDPR”), which will change some key aspects of how SARs need to be handled as from May 2018.
This article therefore provides a summary of the recent cases and the upcoming GDPR changes, with some guidance to assist data controllers in deciding how to deal with some of the tricky issues arising.
Business use of social media leads to increased challenges for organisations in protecting their proprietary content, business information, brand and reputation.
On 28 June 2016, the ICO launched its annual report, containing details of its activities and financial statements between April 2015 and March 2016.
Over the last year, the Information Commissioner’s Office (ICO) has stepped up enforcement action for breaches of data protection and privacy rules relating to direct marketing. Action has arisen from unlawful marketing by telephone (live or automated), SMS and email, and from the unlawful sale of marketing lists. This article highlights some key themes arising from these cases.
Following four years of deliberation, the EU General Data Protection Regulation (“GDPR”) was published in the EU’s Official Journal on 4 May 2016, coming into force 20 days later. Organisations will need to comply with the new law by 25 May 2018. This article is an alphabetical guide to some key provisions of the GDPR.
On 2 February 2016 the EU Commission announced that it had reached political agreement with the US Department of Commerce on new EU-US data transfer arrangements. The new framework is called the EU–US Privacy Shield and is a substitute for the previous Safe Harbour scheme which was declared invalid on 6 October 2015.
New EU–US data transfer arrangements have today (2 February 2016) been approved by the EU Commission. The new framework is known as the “EU-US Privacy Shield” and is a substitute for the previous “Safe Harbour” scheme which was declared invalid on 6 October 2015.
The compromise text of the EU General Data Protection Regulation (GDPR) was published on 15 December 2015. At the time of writing, it is expected to have final approval soon, and then come into force in two years. Article 33(1) contains the new obligation for conducting impact assessments.