ICO Wants to Hear Your Views on the Design of its New Accountability Toolkit

In an October 28, 2019 blog post, Director for Regulatory Assurance, Ian Hulme, announced that the UK Information Commissioner’s Office (“ICO”) is developing a new ‘accountability toolkit’ which it plans to launch next year. The aim of the toolkit will be to support organisations in demonstrating their compliance with the ‘accountability principle’ under the GDPR[1]. It will enable organisations to understand the ICO’s expectations and to take responsibility for designing their own accountability programs. The ICO wants the toolkit to be ‘user-led’ and, as a result, it believes that gathering the views of organisations is essential.

The ICO seeks the views of a wide range of organisations in different sectors on matters such as their current practices relating to accountability and how the ICO could support them in the development of their own accountability programs.

Any thoughts on the development of the accountability toolkit can be provided on the ICO’s dedicated consultation page or by email to accountability@ico.org.uk. The consultation closes at 17:00 on 9 December 2019.

Mr. Hulme made it clear that compliance with the accountability obligation is about “putting data protection at the heart” of all personal data processing. It includes being “crystal clear” about data protection responsibilities throughout the organisation, data protection being a “boardroom issue” and not just the responsibility of the Data Protection Officer, managing risk pro-actively and being transparent to people about the processing of their personal data. He recognised that many organisations are working hard to get this right and stated that the ICO is keen to support those efforts, in light of the substantial work and culture change that can be required.

The consultation page lists a number of measures which the ICO says could enable organisations to demonstrate their compliance with the accountability principle, including implementing data protection policies, taking a data protection by design and default approach, reporting data breaches where required and carrying out data protection impact assessments.

Please contact our Data Privacy & Cybersecurity team members for assistance with GDPR compliance, including putting in place measures to fulfil your organisation’s accountability obligation.

[1] This is a specific obligation under Article 5(2) of the GDPR (EU General Data Protection Regulation 2016/679).

Ransomware Attacks – Why it Should Matter to Your Business

Gone are the days when ransomware attacks afflicted only the unlucky few. Today, all companies and organizations are susceptible to attack, no matter their size or industry. In a client alert, our Data Breach Response team discusses the rising trends in ransomware attacks, the implications of becoming a victim, and what you can do to protect your business or organization.

I’m a Financial Institution – What Do I Need to Do Under the CCPA?

This post is part of our series highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at the CCPA, please see prior posts from members of our Data Privacy & Cybersecurity Practice regarding applicability, gap assessments, and the recent amendments. Stay tuned for further posts in this series.

Since the CCPA was enacted in June 2018, financial institutions have been considering whether and how the new law will apply to them. The CCPA provisions include certain exemptions for personal information (“PI”) that is regulated pursuant to the Gramm-Leach-Bliley Act (“GLBA”) [1], the California Financial Information Privacy Act (“CalFIPA”) [2] or the Fair Credit Reporting Act (“FCRA”). These exemptions are not absolute, however, and almost all financial institutions collect and use various types of PI that are not regulated by GLBA, CalFIPA or the FCRA. Financial institutions should therefore carefully consider their exposure to the CCPA. This post provides an overview of the recent amendments to the CCPA that bear on financial services and examines the overall impact.

EU Webinar Series – DPIAs – What You Need to Know

On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.”

Data Protection Impact Assessments are required under the GDPR and are intended to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a DPIA.

Partner Annette Demmel and associate Mareike Lucht of our Data Privacy & Cybersecurity Practice will explain DPIA guidelines, including:

  • Actors in a DPIA process
  • When to perform a DPIA and planning
  • What method to use
  • How to conduct a DPIA
  • How to implement the results

This webinar will go live 4:00 p.m. CET, 3:00 p.m. GMT, 10:00 a.m. EST and 7:00 a.m. PST.

Register here. A recording of the webinar will be sent to registrants.

EU Webinar Series – EU Cookie Rules and Tracking Walls

On Tuesday, October 29, we will host the first webinar of our EU Webinar Series, “The Latest on EU Cookie Rules and Tracking Walls.”

Topics will include:

  • The impact of the GDPR on the cookie consent requirement
  • The recent guidelines issued by the EU data protection authorities on cookie rules
  • The recent case law and its impact on business practices around cookies

The discussion will be led by Rosa Barcelo, the European chair of our Data Privacy & Cybersecurity Practice, who joined us last October from the European Commission, after having led the Commission’s legislative efforts on the draft e-Privacy Regulation. Rosa will be joined by Asel Ibraimova, an associate in our London office, who has advised extensively on cookie requirements.

The webinar will go live at 5:00 p.m. CET, 4:00 p.m. GMT, 12:00 p.m. EDT, 9:00 a.m. PDT.

Register here.

When is it ‘Necessary’ to Process Personal Data to Perform a Contract?

The European Data Protection Board has adopted final Guidelines on the processing of personal data under the “necessary to perform a contract” lawful basis in Article 6(1)(b) of the GDPR, in the context of the provision of online services.

Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the extent that the processing is:

  • Necessary for the performance of a contract to which the data subject is a party; or
  • In order to take steps at the request of the data subject prior to entering into a contract.

The Guidelines outline the elements of lawful processing under Article 6(1)(b) and focus in particular on the concept of ‘necessity’. They begin by examining the interaction between this lawful basis and other obligations under the GDPR.

Claims Against the CNIL’s Decision to Grant an Adaptation Period for Compliance on Cookie Consent Rules Dismissed

The French Council of State has held lawful the decision of the Commission Nationale de l’Informatique et des Libertés (CNIL) to engage in a consultation to define new practical arrangements for expressing consent to targeted advertising, and to grant stakeholders an adaptation period.

Pending the finalization of the new ePrivacy Regulation, there have recently been several material changes in the local regulations applying to cookies and tracking devices. The ePrivacy Directive requires consent for certain types of cookies and tracking devices, and several national data protection authorities (including in France, Germany, the Netherlands and the UK) have started to change their guidance on cookies to take into account the changes brought by the General Data Protection Regulation (GDPR) on what constitutes valid consent.

In addition, the Court of Justice of the European Union (CJEU) announced, on 1 October 2019, its decision in the Planet49 case on the very issue of consent for cookies. An analysis of this decision may be found on our blog, Security & Privacy // Bytes.

Proposed CCPA Regulations: Initial Overview and Highlights

On October 10, 2019, the California Attorney General (California AG) issued the long-awaited California Consumer Privacy Act (CCPA) Regulations (Proposed Regulations), along with an Initial Statement of Reasons (ISOR) explaining the Proposed Regulations. These Proposed Regulations not only fill in statutory gaps, but also create several substantive new requirements. Companies may submit comments through December 6, 2019, and several public hearings will be held in the first week of December. Our Data Privacy & Cybersecurity Practice can assist you in drafting comments to the California AG during this public comment period.

I’m an Employer – What Do I Need to Do under CCPA?

Welcome to our post highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at CCPA, please read our prior posts regarding applicability, gap assessments, and the recent amendments, and remember to register for our upcoming webinar covering the final requirements of the law on October 17, 2019. Stay tuned for our next post, “I’m a B2B Company – What Do I Need to Do under CCPA?”

If CCPA applies to your organization and you employ California residents, you may be rejoicing after the recently passed amendments. On September 13, 2019, the California Senate and Assembly passed bills including a limited moratorium for specific types of worker data (as defined below) and the bills are expected to be signed by the Governor soon.

The carve-out is generous, but it is not unlimited. In short, using worker data for any purpose other than employment-related purposes will likely result in the data falling outside of the scope of the exemption, and employers are still required to provide notice.

Unless the moratorium is extended or a permanent carve-out is adopted in the next legislative session, CCPA will apply in full to all worker data effective January 1, 2021.

Déjà Vu: New California Ballot Initiative Seeks to Strengthen Data Privacy Further

Even though the California Consumer Privacy Act (“CCPA”), enacted in June 2018, radically transformed data privacy regulation in the US, it appears that some privacy advocates in California are seeking to strengthen consumers’ data privacy rights even further. Californians for Consumer Privacy, the group behind the ballot initiative that led to the CCPA, announced this week that it would seek to gain approval for a new ballot initiative that would be voted on by Californians in the November 2020 general election. The new proposal, filed on September 26, 2019, would, among other things, create new rights around the use of “sensitive” personal information, enhance protections for minors, and impose transparency obligations connected with automated decision-making. It would also create a new authority, the California Privacy Protection Agency, which would take over the role currently assigned to the Office of the Attorney General of California to enforce the law and provide guidance to industry and consumers.