General Data Protection Regulation (GDPR)

European Union Data Protection Authorities discussed enforcement priorities at the International Association of Privacy Professionals (IAPP) Data Protection Intensive.

Key takeaways:

  • CNIL: Online advertising and cookies are a focus right now.
  • Ireland DPC: currently handling 10,000 complaints with 23 investigations into so-called big tech companies, and two investigations at the decision-making stage. An area of

Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.

Continue Reading

  • Connected cars are “terminal equipment” and consent under the ePrivacy regime is required.
  • Connected cars are IoT devices.
  • Geolocation is very sensitive; don’t collect unless necessary.
  • Implement data protection by design and default at every stage.
  • Connected cars pose unique challenged for transparency and consent – you must find ways to overcome them.

These are

Are opinions about someone personal data?


Key takeaways:
  • An opinion can include personal data.
  • If the opinion is not recorded — GDPR does not apply.
  • If made or recorded for someone’s “purely personal or household” activities, with no connection to a professional or commercial activity, GDPR doesn’t apply.
  • GDPR may

Speak to me in algorithms.

The European Data Protection Board (EDPB) has issued a letter on the appropriateness of the GDPR as a legal framework to protect citizens from unfair algorithms.

“Considering the already extensive existing legal framework, the EDPB considers additional legislation in the area of data protection aimed at a specific technology [such

The European Data Protection Board (EDPB) has issued final guidance for using video surveillance under GDPR. Hear are some high-level takeaways:

  • You must have a legal basis.
  • Legitimate interest could work, BUT…
  • You have to balance carefully, and putting up a sign may not be enough.
  • You have to be transparent about what you do.

“The European Commission has revealed it is considering a ban on the use of facial recognition in public areas for up to five years.

Regulators want time to work out how to prevent the technology being abused. The technology allows faces captured on CCTV to be checked in real time against watch lists, often compiled