UK Data Protection Bill

The Data Protection Bill (HL Bill 66) was introduced into the House of Lords on 13 September 2017.
The published Bill.
The press release from the Department for Digital, Culture, Media & Sport.

The Bill implements the EU General Data Protection Regulation (GDPR) and will replace the Data Protection Act 1998.

4th myth busted by the ICO

Here’s the 4th myth busted by the ICO.

Myth #4

GDPR is an unnecessary burden on organisations.

Fact

The new regime is an evolution in data protection, not a revolution.

Read the ICO blog post: “GDPR is an evolution in data protection, not a burdensome revolution”

Consent for GDPR compliance?

2nd and 3rd myths busted by the ICO

Myth #2

You must have consent if you want to process personal data.

Fact:

The GDPR is raising the bar to a higher standard for consent.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.

Fact:

I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

The ICO’s blog post: “Consent is not the silver bullet for GDPR compliance”

Busting Myths & Fake (GDPR & data protection & privacy) news – from ICO

Keeping up with ICO’s activities over the coming weeks, months & years!

UK DP Bill – GDPR into UK

GDPR fines

I’ve posted some GDPR stuff on Jyutsu.com

My high-level map of GDPR fines (pdf)

Although my PhD research is not on GDPR fines, the outcome from my research should help organisations to be better prepared to respond to data breach incidents.

Not notifying affected data subjects when ordered to by the data protection authority (the ICO) falls under the higher 1st level of fines, i.e. 4% of turnover or EUR 20M. Failure to notify the data breach to the data protection authority (the ICO) and to data subjects exposes organisations to the 2nd level of fines, i.e. 2% of turnover or EUR 10M. In essence, be prepared to be fined if you fail to comply with the breach notification requirements in Art 33 and Art 34.

Note that when an organisation suffers a security breach, i.e. fails to comply with the data processing principle in Art 5(1)(f) (failure to use appropriate technical or organisational measures), this falls under the higher 1st level of fines.

So there’s no way to avoid the fines unless you can totally avoid security breaches, or avoid falling foul of the data processing principles.

Article 29 Working Party newsroom

The EU’s newsroom site, with various information on and from the Article 29 Working Party.

Currently, the guidelines:

Guidelines on the right to “data portability”, wp242rev.01 pdf

Guidelines on Data Protection Officers (‘DPOs’), wp243rev.01 pdf

Guidelines on The Lead Supervisory Authority, wp244rev.01 pdf

Guidelines on Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA), wp248_en pdf

More to add…

EU – Infographics on Data Protection (GDPR)

Warning: the infographics are not to be treated as ‘legal’ text.

GDPR text & recitals – arranged by Stefan Meier

A well arranged GDPR text & recitals by Stefan Meier.

The EU’s official GDPR text

ICO on GDPR – breach notification

ICO on GDPR – breach notification.
Next to watch – the Article 29 Working Party guidelines