Personal Data Breach Notification Obligations Arise from Various Sources, not Only the GDPR

Since 25 May 2018, controllers experiencing a personal data breach must, as a general rule, notify it to the appropriate supervisory authority. Not all breaches require notification: those unlikely to result in a risk to the rights and freedoms of natural persons generally fall outside the duty. Where such a risk does exist, however, the data controller must notify the breach to the relevant supervisory authority, and, if the risk is likely to be high, also communicate it to the natural persons concerned.

Digital Health Update: Recent FDA Cyber Initiatives

The Food and Drug Administration (FDA) has recently issued several cybersecurity and medical device initiatives as part of the agency’s increased focus on digital health. These initiatives include draft cybersecurity guidance for medical devices, increased coordination with the Department of Homeland Security, and the promotion of artificial intelligence. Elliot Golding and Jennifer Tharp provided an overview of recent developments in a post on our sister blog, Triage Health Law.


The CNIL Has Published Its List of Processing Activities Requiring a DPIA

Pursuant to Article 35(4) of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities falling within each of these categories.

GDPR’s Impact on Employee Data Subject Access Requests in the UK

In May this year, the General Data Protection Regulation (GDPR) brought with it a new Data Subject Access Request (DSAR) regime. We expect that the ICO will update its Code of Practice shortly. Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR.

Data Privacy or Cybersecurity: Which is More Important?

To any good lawyer, the answer is that ‘both’ are important. However, most in-house counsel know the real question is which receives the limited available budget. Compliance budgets usually follow the greatest risks for the company. Therefore, in Europe, where the EU’s General Data Protection Regulation is the scariest new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity. However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties, to class action and shareholder derivative lawsuits), I believe it is generally the opposite.

GDPR’s Impact on Advertising Practices

The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the “CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as they relate to obtaining consent from competition participants.

For further information on the forthcoming update to the CAP Code and its expected impact on advertising, please read the post prepared by my colleagues Carlton Daniel, Ailin O’Flaherty and me, which has been published on the Squire Patton Boggs Global IP & Technology Law Blog.

California Passes First Cybersecurity Law Regulating IoT Devices

California has become the first state in the US to adopt a cybersecurity law governing Internet of Things (IoT) devices, meaning devices capable of connecting to the internet. In this rapidly growing industry, the law is a first step toward developing regulations to improve the security of IoT. While it requires manufacturers to equip devices with “reasonable” security features, it is short on details as to the type of security features that are expected. The law takes effect January 1, 2020.

Read more about the first US law guiding the security of IoT devices here.

EDPB Tries to Sort Out the DPIA Disaccord

Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.


Data Protection Compliance: Do You Have an Appropriate Policy Document in Place?

Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works alongside the GDPR and introduces additional requirements that businesses will need to watch out for; there are, however, a number of derogations that are intended to better accommodate business needs.

Why the ICO Fined Equifax £500,000

On 19 September 2018, the Information Commissioner’s Office (“ICO”) fined credit reference agency Equifax Limited £500,000 for breaching the Data Protection Act 1998 (“DPA”). Finding that Equifax Limited failed to protect the personal data of up to 15 million UK individuals, the ICO imposed the maximum penalty available for a breach under the DPA.

The ICO found that, of the eight data protection principles established in the DPA, Equifax breached five. The finding considered how Equifax handled personal data, the purpose of processing the personal data and the transfer of the UK data to the US.
