General Data Protection Regulation

The Sea-Change of the Concept of Privacy and its Consequences

"Privacy". It's all the rage nowadays. More and more laws are being drafted for purposes of protecting personally identifiable data, not least the massive upcoming EU General Data Protection Regulation.

But while Privacy may be becoming increasingly valued in the era of "big data" - where giant multi-national corporations devour information to fuel in-house machine learning and other forms of normative Artificial Intelligence - that certainly wasn't always the case. Not until quite recently in fact.

"Privacy" as a concept didn't even exist in formative English common law (beyond very limited torts). In fact, apart from the embryonic 4th Amendment to the U.S Constitution, the weren't any decently strong protections for privacy in the Western world until the passage of the European Convention on Human Rights. Article 8 of the ECHR may in theory ordain a right to privacy but it has so many qualifiers:

"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

Before the information age, privacy really wasn't seen as a big deal, especially compared to the unqualified rights portrayed in the ECHR such as freedom from torture, right to a fair trial etc that were deemed a far higher priority to protect. But that's all changing now.

Read more ...

When Do You Actually Need a Data Protection Officer under the GDPR?

You can hear the rumbling on the horizon. That's right, GDPR is coming. But no need to panic; as long as you're aware of what exactly you have to comply with - and make solid, demonstrable steps towards compliance - you should be fine.

So with that in mind, let's focus on one of the absolute key areas of the legislation that has organisations concerned. That's right; appointing a Data Protection Officer. Basically, according to Articles 35-39 you must appoint one in three specified situations:

  • where processing is carried out by a public authority;
  • if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
  • if the core activities consist of processing special categories of personal data on a large scale.

Now, that may seem simple enough. But statutes always seems simple until you actually have to apply them. For example, what do they mean by "core activities" or "large-scale" or "regular and systematic monitoring"? There's no real body of case law to help us after all.

Have no fear, because in December 2016, the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) helped clarify all of this.

Read more ...

What are my Obligations under the GDPR

Personal Data Breaches

What are my Obligations under the GDPR?

EU General Data Protection Regulation_Cyber Major

Preparing for GDPR

Preparing for GDPR - What's the Deal on International Data Transfers?

I'm sure you've heard about it by now, but if not - the upcoming EU General Data Protection Regulation puts in place stringent new standards for ensuring adequate safeguards for most international transfers of personal data.

Basically, apart from in all the situations explained later in this article, you can only transfer personal data to other countries by legally protecting it - mainly through "model contractual clauses" issued by the EU Commission or using "binding corporate rules" with specific information requirements to lock into place adequate data protection standards when that data is processed in other countries.

Now, as alluded to earlier, these extra safeguards don't apply if you're transferring data to EEA countries (all the EU member states + Norway, Iceland and Liechtenstein). They don't apply either to a specific list of other countries which have been deemed to have "adequate" data protection laws and regulatory structures already in place by the EU Commission. These countries are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

Read more ...

The Spectre of a Potential Security Meltdown
The Spectre of a Potential Security Meltdown

The Spectre of a Potential Security Meltdown

Spectre. Meltdown. These phrases sound like the titles of bad B-Movie action films. But they’re very much real. They’re the name of two massive CPU exploits that were uncovered over the past week (the first week of January 2018). Both are the biggest threats to processing hardware we’ve seen in a long time.

At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent. They'll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.


Read more ...

Get in Touch

  • Phone
    0207 458 4088
  • Email
    This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Address
    1 Canada Sq, Canary Wharf
    London, E14 5AB