Photo of Philip Thomas

As part of Reed Smith’s webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents.

Our recent client alert focuses on the key themes arising out of the webinar and

The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK.  Post-Brexit privacy and data protection issues that you need to consider include:

  • how to maintain uninterrupted

On February 22, 2018, Reed Smith’s IP, Tech & Data Group hosted a webinar discussing key priorities and strategies for compliance during the final three months remaining before the General Data Protection Regulation (GDPR) comes into force on May 25, 2018. We have prepared a benchmarking report based on the data of more than 250

On 17 October 2017, the Article 29 Working Party (“Art 29 WP”) published draft guidelines on automated individual decision-making and profiling (“Guidelines”).

In the Guidelines, the Art 29 WP states that profiling and automated decision making can be useful for individuals and organisations by delivering increased efficiencies and resource savings, whilst recognising that they may pose significant risks for individuals unless appropriate safeguards are put in place.

The Guidelines clarify the provisions of the General Data Protection Regulation (“GDPR”) that aim to address these risks.

What is the difference between automated decision-making and profiling?

The Guidelines distinguish between automated decision-making and profiling.

Automated decision-making refers to the ability to make decisions by technological means without human involvement. Profiling, on the other hand, entails the collection of data about an individual and analysing their characteristics or behaviour patterns in order to categorise them and/or make predictions or assessments about their (i) ability to perform a task, (ii) interests; or (iii) likely behaviour.

While the Art 29 WP notes that automated decisions and profiling are distinct, they recognise that something that starts off as a simple automated decision-making process could become one based on profiling depending on the use of the data.
Continue Reading Article 29 Working Party publishes guidelines on automated individual decision making and profiling.

On 14 September 2017, the Government published the long-awaited draft of the Data Protection Bill (the Bill). The Bill will incorporate the General Data Protection Regulation (EU) 2016/679 into UK law. While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions which continue to exist

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has until 9 May 2018 to implement the NIS Directive into its national laws.) The closing date for responses is 30 September 2017, and the consultation is aimed at industry participants, regulators and other interested parties.

Tackling growing cyber risks

As society becomes increasingly reliant on information technology, the potential impact of failure in those systems is also rising. Recent events point towards an increase in the scale, frequency and gravity of cyber  attacks. The recent WannaCry ransomware attack illustrates only too well the adverse effects that can result from a security breach.

The European Commission’s aim with the NIS Directive is to increase the security of network and information systems within the EU. The government has announced that it supports that overall aim, and recognises the need to improve the security of UK network and information security systems, with a particular focus on “essential services”. The proposal is that (subject to meeting certain thresholds) service providers operating in the following sectors should qualify as an “essential service”: energy, health, digital and transport (air, road and maritime). Among the NIS Directive’s provisions are a duty for operators of essential services to:

  1. Take appropriate and proportionate technical and organisational measures to manage security risk; and
  2. Take appropriate measures to prevent and minimise the impact of any incidents affecting the security of the network and system used to provide the service.


Continue Reading UK government posts new NIS Directive consultation addressing cybersecurity threats

The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally.

The Report looks at four elements of the EU’s data protection package: (1) the General Data Protection Regulation (“GDPR”), (2) the Police and Criminal Justice Directive (“PCJ”), (3) the EU-U.S. Privacy Shield, and (4) the EU-U.S. Umbrella Agreement. Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and all four measures of this data protection package will cease to apply to the UK. However, the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK.

The Government says it wants to maintain unhindered and uninterrupted data flows with the UK post-Brexit. According to the Report, the Committee supports this objective, but is concerned by the lack of detail on how the Government plans to achieve this outcome. The Committee is concerned that any arrangement that creates greater friction around data transfers between the UK and EU, post-Brexit, risks (1) hindering police and security cooperation, and (2) presenting a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. In the Committee’s view, the Government should set out clearly, as soon as possible, how it plans to deliver this objective.
Continue Reading House of Lords publishes report on Brexit and the EU Data Protection Package

The Information Commissioner’s Office (“ICO”) has released its International Strategy 2017-2021  (“Strategy”). The Strategy supports its Information Rights Strategic Plan, which we reported on earlier this year. The first part of the Strategy refers to the challenges and priorities for the next five years, particularly in light of changes brought about by the General

On 23 May 2017, our European IT, Privacy and Data Security team hosted a breakfast roundtable to discuss the most pertinent GDPR questions that our clients are facing, with only 12 months to go until the GDPR comes fully into effect. With the many new and enhanced obligations that the GDPR is introducing for businesses,