On January 18, 2021, the European Union Agency for Cybersecurity (ENISA) published its Cloud Security for Healthcare Services report, which provides cybersecurity guidelines for healthcare organisations and discusses the data protection considerations and cybersecurity risks that arise when using cloud services. The report builds on ENISA's earlier procurement guidelines for cybersecurity in hospitals and comes at
On February 22, 2018, Reed Smith’s IP, Tech & Data Group hosted a webinar discussing key priorities and strategies for compliance during the final three months remaining before the General Data Protection Regulation (GDPR) comes into force on May 25, 2018. We have prepared a benchmarking report based on the data of more than 250…
On 14 September 2017, the Government published the long-awaited draft of the Data Protection Bill (the Bill). The Bill will incorporate the General Data Protection Regulation (EU) 2016/679 into UK law. While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions which continue to exist…
The latest in the series of blogs from the UK Information Commissioner’s Office (ICO) looks at some of the myths around data breach reporting under the General Data Protection Regulation (GDPR). Given the misleading press stories on this topic, the ICO’s blog should provide some welcome clarification for concerned businesses as they prepare to comply with the GDPR.
Myth 1: All personal data breaches will need to be reported to the ICO.
This is not correct. It will be mandatory to report a personal data breach to the relevant supervisory authority under the GDPR if it is likely to result in a risk to people’s rights and freedoms. However, you don’t need to report the breach if this risk is unlikely.…
The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”).
The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data Protection Directive (95/46/EC) across EU Member States led the European Commission to propose a new legislative framework for data protection. In its now finalised form, this framework has two elements:
- The General Data Protection Regulation (Reg 2016/679), which came into force 24 May 2016, with a two-year implementation period (“GDPR”); and
- The Directive on data transfers for policing and judicial purposes (2016/680/EU), which came into force 5 May 2016, and must be transposed into national law by Member States by 6 May 2018
The GDPR will apply in the UK from 25 May 2018, although part of the Data Protection Act 1998 will need to be repealed to avoid any duplications or inconsistencies with the GDPR. Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union earlier this year that the Government “will bring forward legislation in the next session in order to put that into practice”. The Queen’s Speech of 21 June 2017, also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”. (See our recent blog on this for further details.)…
Ahead of the forthcoming General Data Protection Regulation (GDPR), the Article 29 Working Party earlier this year organised the Fablab workshop.
Meeting in Brussels, more than 90 participants gathered to discuss certain operational and practical issues linked to the GDPR with representatives of industry, civil society, academics and relevant associations.
Fablab’s objective was to generate a discussion that would feed into the Article 29 Working Party’s best practices and guidelines due out at the end of the year. Four components of the GDPR were prioritized:…
On 19 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on handling personal data breaches under the new EU General Data Protection Regulation (“GDPR”). It is the latest in a series of non-binding guidance papers on selected GDPR topics, which the DPA publishes…
On 1 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on sanctions under the new EU General Data Protection Regulation (“GDPR”). It forms part of a series of non-binding guidance papers on selected GDPR topics, which the DPA publishes periodically, and which…
On 6 July 2016, the Bavarian Data Protection Authority issued a brief guidance paper on video surveillance under the new EU General Data Protection Regulation (“GDPR”).
This short paper is the first in a series of non-binding guidance papers on selected GDPR topics, which the Bavarian Data Protection Authority plans to publish periodically, and which can be found here.
Earlier this month, we reported the progress of trilogue discussions on the long-awaited General Data Protection Regulation (GDPR). On 15 December 2015, almost four years after the legislative proposal was originally tabled by the European Commission, the European Parliament and the Council finally reached agreement, bringing the GDPR one step closer to adoption.
The final trilogue negotiations, concluded on 15 December 2015, saw a “strong compromise” reached between the Council, the Parliament and the Commission. The GDPR is expected to be formally adopted by the European Parliament and the Council at the beginning of 2016, after which organisations will have two years to ensure that their data practices are compliant. Some headline provisions of the agreed text are:
- Companies can be fined up to 4% of their annual worldwide turnover (or €20 million, whichever is higher) for the most serious breaches of the regulation
- Companies based outside Europe will be subject to the regulation if they offer goods and services to individuals in Europe, or monitor their behaviour
- Companies whose core activities involve large-scale processing of sensitive personal data must appoint a data protection officer
- Companies engaged in cross-border processing will only have to deal with a single lead supervisory authority (the “one-stop shop”)