On 12 September 2018, the UK Deputy Information Commissioner, James Dipple-Johnstone, made a speech to the CBI Cyber Security: Business Insight Conference   in which he discussed recent data breach reporting trends in the UK.

The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to its breach reporting line. After a discussion with the ICO’s officers, roughly one third of these organisations decide that their breach does not meet the reporting threshold.  The Irish Data Protection Commission has also been reported as having received a massive increase in breach notifications since the introduction of the GDPR.

Continue Reading ICO receiving 500 breach notification calls a week

New Regulations require organisations to obtain an individual’s explicit consent in advance of processing personal data for health research purposes.  The Regulations, known as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (SI 314/2018), set out a number of mandatory suitable and specific safeguards to be put in place when processing personal data for health research purposes. The Regulations came into effect on 8 August 2018.

Continue Reading Explicit consent required to use personal data for health research purposes

​New court rules were introduced on 1 August 2018 which will give members of the media permission to access court documents. These measures, which apply in both the civil and criminal courts, will formalise the media’s access to information. The rules give effect to Section 159 (7) of the Data Protection Act 2018 to facilitate fair and accurate reporting of court proceedings.

Read more

The European Parliament has voted for the suspension of the Privacy Shield unless the U.S. complies by 1 September 2018. The non-binding resolution was passed 303 to 223 votes, with 29 abstentions. Parliament takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by EU data protection law and the EU Charter as interpreted by the European Court of Justice (CJEU). It considers that, if the US is not fully compliant by 1 September, then the Commission has failed to act in accordance with Article 45(5) GDPR  and the Commission should suspend the Privacy Shield until the US authorities comply with its terms. Continue Reading Parliament calls on US to comply with Privacy Shield by September

The Data Protection Commission (DPC) has published Guidelines to support the Government with drafting future regulations restricting the rights of individuals afforded by the GDPR. Whilst the GDPR strengthens the rights of individuals, Article 23 allows Member States or the EU to restrict the scope of individuals’ rights and controllers’ obligations in certain circumstances.  Section 60 of the Irish Data Protection Act 2018 (the Act), which came into effect alongside the GDPR, provides for a number of such restrictions, as well as allowing Government Ministers to make regulations further restricting individuals’ rights. It is a mandatory requirement that the Government Minister consults with the DPC before making such regulations.

Continue Reading New guidelines issued by DPC on limiting data subjects’ rights

The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.

The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details.   The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis.  However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.

Continue Reading Data Protection Commission publishes online DPO and Data Breach Notification Forms

Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.  This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.

Go to Publication

The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data.  In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.

The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard for human resources (HR) data, as such processing is carried out regularly, and cannot be considered “occasional“. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.

Continue Reading WP29 issues position paper on GDPR record-keeping obligation