GDPR: third-party data processors’ responsibilities

Under the GDPR (General Data Protection Regulation), your organisation’s compliance requirements depend on whether you are a data controller or data processor.  A data controller is the person or organisation that determines how and why personal data is processed.  A data processor is the person or organisation that processes personal data on behalf of a data controller.  Many … [Read more...]

Polish school fined for processing children’s biometric data

A primary school in Gdańsk, Poland, has been fined PLN 20,000 (about €4,600) for collecting biometric data from its students without a legal basis. The GDPR (General Data Protection Regulation) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the … [Read more...]

Highlights from the Data Protection Commission’s 2020 GDPR report

On 20 February 2020, Ireland’s DPC (Data Protection Commission) published its second Annual Report under the GDPR (General Data Protection Regulation), and the first covering a full calendar year of the Regulation.  Detailing the DPC’s work in 2019, the report revealed that last year:  7,215 complaints were received – a 75% increase on 2018 (4,113 complaints) and a staggering 173% increase … [Read more...]

The GDPR: Legitimate interest – what is it and when does it apply?

The GDPR (General Data Protection Regulation) sets out six lawful bases under which organisations can process personal data. Contractual requirements, legal obligations, vital interests and tasks carried out in the public interest are all relatively self-explanatory, leaving consent and legitimate interest, which need to be unpacked in more detail. We’ve covered consent before, so our focus here will … [Read more...]

How much does GDPR compliance cost in 2020?

We’ve come a long way since the panic and scepticism that accompanied the introduction of the GDPR (General Data Protection Regulation). Several high-profile fines and the continued warnings from regulators have led to a sharp uptick in the number of organisations addressing their compliance requirements. But that doesn’t mean their job is done as far as the GDPR goes; organisations must continue … [Read more...]

The GDPR: How to perform due diligence of Cloud service providers

One overlooked aspect of the GDPR (General Data Protection Regulation) is that it’s now much harder for organisations to pass the blame when a third party suffers a data breach. Data controllers – the organisations that dictate what information is processed – must give instructions for how data processors – the service providers – handle personal information. Unless the third party has explicitly … [Read more...]

A breakdown of the GDPR’s six data processing principles

The Regulation stipulates that infringements of “the basic principles for processing, including conditions for consent” are subject to the highest possible administrative fines – up to €20,000,000 or 4% of global annual turnover, whichever is greater. If any detail can get the attention of the people who need to understand this, it is likely that potential fines of that scale will do the job.  The … [Read more...]

Half of small businesses still aren’t GDPR compliant

It’s been more than 18 months since the GDPR (General Data Protection Regulation) took effect, and yet millions of small businesses across Europe have major compliance gaps, a study has found.  The GDPR Small Business Survey, which polled 716 organisations in Ireland, the UK, Spain and France, found that only 56% of organisations were confident that they obtained a lawful basis for processing … [Read more...]

The GDPR: How the right to be forgotten affects backups

The GDPR (General Data Protection Regulation) is a big, complex law, and, as such, it’s only natural that some elements appear to contradict each other. One of those apparent contradictions involves arguably the most notorious aspect of the GDPR: the right to erasure (also known as the ‘right to be forgotten’). This right – one of eight enshrined in the GDPR – allows individuals to request that … [Read more...]

3 reasons you should give your DPO specialist training

Organisations that appoint a DPO (data protection officer) will have a significantly different approach to information security than those that don’t.  The person who fills the position is responsible for monitoring the organisation’s data protection practices and helping staff understand their regulatory requirements, amongst other things.  Under the GDPR (General Data Protection Regulation), … [Read more...]