The Data Protection (Charges and Information) Regulations 2018 came into force in May 2018. In general, these Regulations mean that controllers must pay the ICO an annual data protection fee unless they are exempt, and the exemptions are relatively limited. The requirement to pay an annual fee replaces the previous requirement to register with the ICO. The fee ranges from £40 to £2,900, depending on the tier of the organisation, and helps to fund the ICO.
Direct marketing has been a focus of the UK data protection regulator, the Information Commissioner’s Office (ICO), for the last several years. Direct marketing for these purposes includes promotional messages sent directly to an individual recipient electronically (by email or text), by post, or by phone. Such messages are treated as unsolicited communications, as opposed to marketing messages that the individual specifically requested.
In Illinois, the courts are grappling with an issue akin to the Article III standing question that courts have been analysing in post-breach cases for years: whether a plaintiff must allege actual harm resulting from a statutory violation, or whether the violation by itself is sufficient to support standing to sue.
The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019.
These Draft Guidelines are pertinent to companies outside the EU seeking to determine whether the General Data Protection Regulation (“GDPR”) applies to them. They are just as important for companies that must comply with the GDPR in their business dealings with non-EU organisations.
It was bound to happen. In France and elsewhere, organisations have been receiving phishing emails and correspondence
Since 25 May 2018, controllers experiencing a personal data breach must, as a general rule, notify it to the appropriate supervisory authority. Not every breach requires notification: breaches that pose no risk to the rights and freedoms of natural persons will generally fall under the radar. Where such a risk does exist, however, the controller must notify the supervisory authority, and must also notify the natural persons concerned if the risk is likely to be high.
The Food and Drug Administration (FDA) has recently issued several cybersecurity and medical device initiatives as part of the agency’s increased focus on digital health. These initiatives include draft cybersecurity guidance for medical devices, increased coordination with the Department of Homeland Security, and the promotion of artificial intelligence. Elliot Golding and Jennifer Tharp provided an overview of recent developments in a post on our sister blog, Triage Health Law.
Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.
In May this year, the General Data Protection Regulation (GDPR) brought with it a new Data Subject Access Requests (DSAR) regime. We expect that the ICO will update its Code of Practice shortly. Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series discussing practical concerns for UK employers receiving DSARs post-GDPR.
To any good lawyer, the answer is that ‘both’ are important. However, most in-house counsel know that the real question is which receives the limited available budget. Compliance budgets usually follow the greatest risks for the company. Therefore, in Europe, where the EU’s General Data Protection Regulation is the scariest new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity. However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties to class action and shareholder derivative lawsuits), I believe it is generally the opposite.