Failure to comply with the GDPR – what are the risks?
Non-compliance with data protection laws can cause significant issues for an organisation but what are the key risks? Regulators can
When sharing personal data with another controller, there are a number of things you need to think about from a
You may have heard of “individuals’ rights” or maybe “data subject rights”, which data controllers must facilitate (and which processors
The ad tech world has, for some time, relied heavily on cookies to drive business, but it is common knowledge
Have you heard of PETs? Not the fluffy kind, but the privacy kind? In the world of privacy, PETs are
On 18 July 2024, the Irish Data Protection Commission (DPC) published a blog about AI, Large Language Models (LLMs), and
On 16 July 2024, the EDPB adopted FAQ for European businesses, giving some useful basic guidance on what the framework
On 31 July 2024, the US Senate Commerce, Science and Transportation Committee passed the Future of AI Innovation Act. Senator
X has given an undertaking to the Irish High Court to pause processing of EU and EEA personal data in
Claimants whose claims for infringement of data protection rights were dismissed by the English High Court on the basis that
On 22 July 2024, Google announced an updated approach to its Privacy Sandbox project. In the blog post, Antony Chavez
On 2 August 2024 the ICO published a progress update on the Children’s Code Strategy (the Strategy) (published in April 2024).
On 25 July 2024 the EU Commission published its second report on the GDPR. The Commission celebrated the GDPR’s successes
The EU AI Act is now officially in force. Whilst many of the provisions will apply from two years’ time,
On 22 July 2024, the ICO issued a reprimand to Chelmer Valley High School for failing to carry out a
On 17 July 2024, the EDPB adopted a statement on the data protection authorities’ (DPAs) role in the AI Act
Receiving a data subject rights request can be unnerving if you don’t know where to start, so we have put
The soft opt-in exemption under the Privacy and Electronic Communications Regulation 2003 can be a really useful tool to boost
Understanding the principles which underpin the UK GDPR can help you to develop a better understanding of the legislation. As
The maximum fine under UK GDPR and the Data Protection Act 2018 is £17.5m or 4% of an organisation’s total
Have you ever wondered what the difference is between service emails and marketing emails and why it is important? If
We spend a lot of time thinking about “active” processing when we are using personal data to achieve our goals,
Choosing a legal basis for processing can sometimes be a confusing business and, over time, a few myths have developed,
The ICO has confirmed the trial period in which the ICO explored using a range of regulatory tools (as well
The Norwegian courts have upheld a fine of approximately £4.6m against Grindr (the largest fine issued by the Norwegian regulator),
On 20 June 2024, the CJEU ruled on two joint cases against Scalable Capital (Scalable), a financial trading app.
On 13 June 2024 the ICO issued its final enterprise data strategy. The strategy states that the ICO wants to
On 13 June 2024 the Council of the European Union reached agreement on a common position in relation to a
On 9 June 2024 the implementing regulation on the reuse of “high value datasets” came into force. These rules require
On 27 June 2024 the EDPB published an AI auditing project. The aim of the project is to “map, develop
The American Privacy Rights Act markup by the House Committee on Energy and Commerce due to take place on 27
Having observed the pre-election “period of sensitivity” rules, the ICO has warned that it will be busier than usual with
On 11 June 2024 a report was issued detailing the experience of a group of expert stakeholders, including businesses, civil
Google is making a big change to how it stores location history data, such as the places a user of
How do you make sure your privacy notice gets the job done, conveying privacy information in a concise, clear, easy-to-understand
The ICO has concluded the fourth call for evidence in relation to AI and individuals’ rights. The ICO has set
On 7 June 2024, the French data protection regulator (CNIL) issued its first set of recommendations on the development of
Earlier this year, the ICO issued a reprimand against Clyde Valley Housing Association (the Association) for failing to keep its
The privacy activists noyb have filed a complaint with the Austrian regulator accusing Google of tricking people into accepting tracking
The NCSC has issued guidance aimed at small to medium sized businesses to help them to deal with situations where
In late May 2024 the UK Digital Markets, Competition and Consumers Act (the Act) was passed by Parliament. Similarly to
The EU AI Act has received the final approvals needed and all that now remains is for the act to
On 7 June 2024, the High Court issued its judgment in the case of Harrison v Cameron & Another In
On 10 June 2024, the ICO announced that together with the Office of the Privacy Commissioner of Canada they have
Although for many of us, life is now very much digital, we must not forget that hard copy documents containing
Recently the ICO fined the YMCA £7,500 for sending an email to over 150 identifiable addressees, using Cc rather than
Meta has recently updated its privacy information in relation to AI, with the changes due to take effect on 26
Are you concerned that there may be areas of non-compliance in your organisation, but are not sure where to start
A programme of work is a really useful tool to assist an organisation in complying with its legal and regulatory
It is essential for organisations to have a training programme in place which provides staff with sufficient knowledge and understanding
It appears that the Data Protection and Digital Information Bill (DPDI Bill) may have been dropped by the Government. After
The UK’s consumer connectable product security regime came into effect on 29 April 2024 and businesses in the supply chain
The Cyber Solidarity Act has now been adopted by the Council of the EU and so the Act should shortly
On 1 May 2024 the ICO and Ofcom released a joint statement in relation to online safety and data protection.
The ICO issued a reprimand to the Trust after it failed to respond to over 40% of DSARs within the
On 15 April 2024 the ICO published guidance to improve transparency in health and social care. The guidance looks at
The ICO has fined the YMCA £7,500 for sending an email to over 150 identifiable addressees, using Cc rather than
On 23 April 2024 the IAB released its response to the EDPB’s verdict on the “consent or pay” model. You
Last month the ICO released its strategic approach to AI. The report covers: The opportunities and risks of AI The
The AI (Regulation) Bill originated in the House of Lords in November 2023 and has recently reached a third reading.
The ICO has released a report on Q4 2023 data breach trends. In terms of overall numbers, there was an
The NCSC has issued joint guidance with three major insurance industry associations. The aim of the guidance is to “improve
Organisations recognise the need to put in place effective AI governance, but this is often easier said than done. The
The French data protection regulator (CNIL) has issued a practice guide to the security of data. It is a detailed
The ICO has issued guidance on how it decides when to issue fines and how the amount of these fines
The ICO has released a statement in relation to its strategy on the Children’s code. The statement looks at what
A personal data breach under GDPR (sometimes referred to as a “data breach”) is a breach of security where personal
Policies have a reputation for being dull, long documents, but that doesn’t have to be the case. Putting in place
Many organisations are unsure as to whether they need a data protection officer and, if they do need one, aren’t
So you are thinking about starting a new data processing project or making changes to existing processing. Before you start
Google’s project to remove third-party cookies from its Chrome browser is experiencing further delays. The project’s aim is to remove
Starting to address data protection can seem like a daunting task. In these situations, a back-to-basics approach is needed to
On 7 April 2024, a draft of the “American Privacy Rights Act” (the Bill) was unveiled. The Bill is reported
On 17 April 2024 the EDPB issued an opinion on the use of “consent or pay” models. These models essentially
On 12 April 2024 the ICO launched the third chapter of its AI consultation, this time in relation to the
The Data Protection and Digital Information Bill (the Bill) has dropped out of the news since the government’s controversial late
On 1 April 2024 the US and UK announced a partnership in relation to AI safety. The two countries will
Pay or consent models are causing a stir both in the UK and the EU. The ICO has launched a
The ICO has launched the second chapter of its AI consultation series this month. This chapter focuses on how the
The ICO has produced some detailed guidance on data protection in content moderation. The guidance doesn’t place additional obligations on
The ICO has issued a reprimand to South Tees Hospital NHS Trust in relation to failures to appropriately deal with
Late last month the ICO issued an enforcement notice ordering Serco Leisure to stop using facial recognition and fingerprint scanning
The guidance, which we commented on in the September 2023 DPO Digest, has now been finalised. The guidance covers key
EDPB provides clarification on “main establishment” The EDPB has issued some guidance on the meaning of “main establishment” for the
You may have seen headlines last year about Meta, the owner of Facebook, being fined €1.2bn in relation to a
Under Article 30 of the GDPR controllers and processors of personal data must document their processing activities; this is known
You’re faced with a data breach. What should you do? There are a number of steps which organisations need to
The GDPR provides individuals with a number of rights in relation to how their personal data is collected and processed
On 22 March 2024 the Cyberspace Administration of China finalised a new regulation which will govern cross-border data transfer. It
This is just a quick reminder that 21 March 2024 marked the end of the period in which the standard
On 21 March 2024 the NCSC issued a cyber incident response guide, aimed at CEOs, giving guidance on key things
On 7 March 2024 the CJEU ruled that the Transparency and Consent String (TC String) (a string composed of a
Last month on 7 March 2024 the Court of Justice of the EU (CJEU) passed down its judgment in the
If you need help navigating your way through technical data protection terms, look no further. We have created a list
On 1 March 2024, the ICO published guidance on sharing information in mental health emergencies at work. The guidance aims
It is worth noting that the ICO’s enforcement action in relation to direct marketing continues unabated, making up seemingly the
On 28 February 2024 the EDPB launched its coordinated enforcement framework action for 2024. This year the action will focus
On 13 February 2024 the European Parliament approved the text of the AI Act (the Act) by majority vote. The
On 13 February the ICO approved the Legal Services Operational Privacy Certification Scheme (LOCS) which is designed to “assist legal
The Information Commissioner’s Office (ICO) is launching a series of consultations on generative AI, a type of artificial intelligence that
The ICO has advised that it has had a positive response to the letters it issued to 53 of the
The ICO has issued a blog post with practical tips for app developers on how to comply with their data
The European Commission has confirmed that 11 of the 16 current adequacy decisions have been reviewed and will remain in
This case review looks at a selection of one-stop-shop decisions which relate to security of processing and data breach notification/communication.
The UK Government has published a proposed code of practice on cyber governance and called for views on the same.
The EDPB has published a report on strengthening the role of the DPO, which is based on a coordinated investigation
In March 2023, the UK Government published a white paper on “AI regulation: a pro-innovation approach” (AI White Paper), which
The Data Protection and Journalism code is a statutory code of practice under the Data Protection Act 2018 (DPA 2018).
The ICO has published an updated opinion on age assurance for the Children’s code to reflect updated practices. The updated
In yet another installment of the Italian DPA’s case against ChatGPT, on 29 January 2024 the Italian DPA notified breaches
Not often a high billing topic in the list of ICO enforcements, but one which has been the subject of
X (formerly Twitter) is facing challenges to its privacy practices from a couple of sources. The EU commission has commenced
The ICO has now released its UK addendum to the EU BCRs with accompanying guidance. The guidance walks through the
A cross-party group of nearly 30 parliamentarians have written to the ICO to voice their concerns about the expansion of
In 2022 the European Commission proposed a regulation to “unleash the full potential of health data”. The Council of the
In early October 2023, the EU Commission asked the EDPB to review a “cookie pledge initiative” prepared by the Commission,
The ICO has responded to the updated Data Protection and Digital Information Bill (the Bill), in particular, the Government’s late-stage
The CNIL has recently issued two significant fines in relation to infringements by Amazon and Yahoo. On 18 January 2024,
On 7 December 2023, the CJEU issued judgment in the case of C-634/21|SCHUFA Holding (Scoring). SCHUFA is a company which
The ICO has published two new pieces of draft guidance for consultation. The guidance relates to: Keeping employment records –
In late November 2023, the Council of the EU adopted the final text of the Data Act. Agreement now having
The NCSC has expanded its guidance on cloud computing with a section on how to “lift and shift” i.e. “replicating
The Cyber Solidarity Act (Solidarity Act) has moved a step further to becoming a reality. In early December the European
The DCMS has published its Online Advertising Task Force plan which sets out how the task force will work with
The National Cyber Security Centre reports that 18 countries are to endorse guidelines on AI security developed by the UK
The Guardian reports that the European Consumer Group BEUC have filed a complaint with the EU’s network of consumer protection
The bill had its second reading in the House of Lords on 19 December 2023. A number of issues were
The ICO have, unsurprisingly, applied for permission to appeal the decision by the First Tier Tribunal (Information Rights) reported in
On 14 December 2023, the CJEU issued judgment in the case of VB v Natsionalna agentsia za prihodite. The case
The ICO has launched a “make a subject access request” service on its website. The service allows individuals to generate
There have been several recent ICO reprimands issued in relation to security failings which had some similar themes. In the
The ICO has amended its guidance on Transfer Risk Assessments to acknowledge that it is reasonable and proportionate to rely
This guidance acknowledges the progression from tracking individuals with cookies to the use of newer technologies, aiming “to provide a
On 8 December 2023 the Council of the EU (the Council) announced that the Council and the European Parliament had
It has been reported in the press that 28 countries including the US, UK, China and the EU have signed
On 27 October 2023, the EDPB adopted an urgent binding decision giving the Irish Data Protection Commission two weeks to
The NCSC has produced guidance on a couple of “hot” cyber topics. The guidance on ransomware gives an overview of
It has been reported by a number of sources that China has proposed new rules in relation to data transfer.
The EU General Court has ruled against an application by a French MEP aimed at halting the implementation of the
The ICO has released guidance to retailers on processing personal data to tackle shoplifting. This guidance has been issued following
The First-tier Tribunal of the UK General Regulatory Chamber has overturned an enforcement notice and a £7.5 million fine which
On 24 October 2023 the European Data Protection Supervisor (EDPS) published its final recommendations for the Proposal for a Regulation
The ICO has issued guidance on managing workers’ health data in accordance with data protection law. The guidance is divided
The ICO has issued draft guidance on fining for consultation. The guidance explains: the legal framework that gives the Information
The ICO has issued a preliminary enforcement notice against Snap Inc and Snap Group (together Snap) in relation to
On 18 September 2023 the District Court of the Northern District of California (San Jose Division) granted a preliminary injunction
The European Commission has released a report which aims to help those who need to address the cybersecurity requirement under
The EDPB has published guidelines on Article 37 of the LED for consultation. The guidance relates to the application of
The ICO will be launching its new approach to UK BCRs this month. The ICO will be issuing a new
Data protection is a fluid terrain. Data protection legislation and the approach by regulators are constantly changing, so it is vital to stay up to date. In this resource library, you’ll find some expert insight and information to help you navigate a path of compliance.
All items are available to download as pdf files. To view a document, please ensure you have installed Adobe Acrobat Reader on your device.
Our experience speaks for itself, with global powerhouse brands, tech giants at the forefront of the data processing industry, rapid growth health tech start-ups, forward-thinking financial institutions, a challenger dating app, fashion giants, one of the largest entertainment and record label conglomerates in the world, shopping meccas, national broadcasters, the UK’s biggest free streaming service, and numerous Legal 500 firms all choosing HelloDPO as their trusted Data Protection Advisory Partner.
We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.