New reciprocal adequacy decision allows free flow of personal data between Japan and the EEA

On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.

Under the General Data Protection Regulation (“GDPR”), which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the mechanisms that allow personal data to be transferred outside the European Economic Area (“EEA”). The Commission adopts an adequacy decision if, after assessing the level of protection in the recipient jurisdiction, it concludes that the jurisdiction ensures an adequate level of protection for the personal data of EU data subjects.

This is the first time the Commission and a third country have agreed on reciprocal recognition of data protection adequacy. All other countries or territories assessed by the Commission as providing an adequate level of protection (e.g. New Zealand, Canada and Switzerland) rest on unilateral Commission decisions. Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with Japanese law.

Filed under Brexit, Data Protection, Data subject rights, Extra-territoriality, GDPR

Court makes permanent injunction against unknown parties preventing disclosure of confidential information unlawfully removed from computer

In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) Unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants, who are unknown person(s), gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly, the court was prepared to grant an injunction.

Filed under Cyber Security

NIS Directive and Regulations now in force

The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy.

Filed under Cyber Security, Data Protection, National privacy law

Data breaches: new Article 29 Working Party guidance

In anticipation of the GDPR, various guidance has been published by the Article 29 Working Party, the body of national EU data regulators.

Of most relevance in the cyber context is the guidance on personal data breach notifications; the Article 29 Working Party issued its initial guidance in October 2017 and published a final version of the guidelines (which remained mostly unchanged) in February 2018.

This guidance relates to the new requirement under the GDPR for all controllers to notify the appropriate data protection authority of a personal data breach, for example following a cyber attack. Notification will include providing the regulator with a significant amount of information about the breach, and it marks a change from the previous regime (under the Data Protection Act 1998), where notification to the ICO was not mandatory, although the ICO encouraged notification for serious breaches.

The key areas addressed by the guidance include further clarity on what constitutes awareness of a breach, when notification is and is not required for different example types of breach, when the clock starts running on the 72-hour deadline, and how to manage conflicts between the requirements of the GDPR and those of law enforcement authorities outside the EU. For further information, a copy of the guidance can be found here.

Filed under Controllers, Data breach, Data Protection, GDPR, Guidance, National privacy law

Internet of Things – ICO’s six reasons why businesses should be thinking about data protection and the DCMS’s Secure by Design Report

In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.

Filed under Data Protection, DPIAs, GDPR, Guidance, IT and Technology, National privacy law, Uncategorized

Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how it will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law, and the ICO’s stated areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance

Filed under Cyber Security, Data breach, Data Protection, Extra-territoriality, GDPR, Guidance

Supply chain arrangements: The ABC to GDPR compliance

With increased outsourcing to the cloud and other third party external service providers, and an increasingly complex supply chain for businesses, modern strategies for leveraging data can bring significant business efficiencies, competitive edge and growth opportunities, but also a range of risks that need to be understood and mitigated.

This has been matched by the increased relevance of data protection and associated regulation. In the words of the Information Commissioner, the EU General Data Protection Regulation (the “GDPR”) represents an “evolution” rather than a “revolution” in data protection regulation. Whilst existing data protection obligations have certainly been “tightened up” a notch, fundamentally the underlying data protection principles remain largely unchanged.

The new EU data protection framework does, however, introduce some key changes that are giving rise to closer scrutiny of the supply chain protections in place between controllers and processors and, in turn, we are seeing a shift in the approach adopted by both parties in negotiating and implementing data processing arrangements.

Filed under Contractual clauses, Controllers, Data Protection, GDPR

Extending the long arm of the law – Extra-territoriality and the GDPR

We are living in an increasingly inter-connected digital society where the services of many organisations are global in nature, and yet internet activities are still governed by national laws and regulations. The online world does not respect physical or geographical boundaries, which often raises the question of which law applies to online activities. In the data protection and privacy space, the new General Data Protection Regulation (“GDPR”) seeks to tackle this transnational data and privacy issue through its extra-territorial application.

Click here for the full briefing.

Filed under Data Protection, Extra-territoriality, GDPR

Data use: Protecting a critical resource

Described by some as the “new oil” of the digital economy, data are now undoubtedly seen as critical to organisational success. Data are a powerful and lucrative fuel for productivity. If not adequately protected, data are vulnerable to leaks that can cause widespread damage, and their true value is only realised once they have been processed and refined. Unlike the finite supply of oil, however, data are an almost infinite resource.

Data affect all businesses and industries, and dealing with data is an issue for the whole business as it affects every team within an organisation. In this article we examine:

  • Market trends in the ballooning use of data worldwide.
  • Some of the legal implications of dealing with data, particularly in light of the General Data Protection Regulation (679/2016/EU) (GDPR) which will apply from 25 May 2018, including in particular, GDPR compliance, cyber security and employee monitoring.

Click here for the full briefing.

A version of this article was first published as the lead feature in the January/February 2018 issue of PLC Magazine.

Filed under Data Protection, GDPR, IT and Technology

The rise of the intelligent business: Spotlight on employers

This briefing is the second in our multi-disciplinary GDPR series which aims to help you successfully navigate the GDPR as 25 May 2018 approaches. Here we place the spotlight on key compliance considerations in the employment sphere.

Data is ubiquitous in the employment context: it is processed from the point at which a job application or CV is received, if not before (for example, profiling of potential candidates through LinkedIn), right through to beyond the termination of employment (for example, when references are given). The employer will handle “core” categories of employee data on an employee’s personnel file (for example, their address, national insurance number, performance appraisals, and grievance and disciplinary records), but also data generated and processed in the context of pension schemes and share plans, and in liaising with third party providers such as insurers, payroll providers and occupational health professionals. It is worth noting that whilst we refer to “employees” in this briefing, the contents apply equally to employees, workers and self-employed contractors.

In particular, we consider some of the key requirements of the GDPR in the employment context, together with practical tips on how to implement the required changes.

Please read our full briefing for more on the following issues:

  • Identifying a legal basis for processing employee data;
  • Employee rights under the GDPR;
  • How to transition to the new regime;
  • Sensitive personal data;
  • Monitoring and profiling; and
  • Training and awareness.

Click here for the full briefing.

Filed under Data Protection, Data subject rights, GDPR