General Data Protection Regulation (GDPR)

“The crucial, crucial change [GDPR] brought was around accountability. Accountability encapsulates everything the GDPR is about,” says UK Information Commissioner Elizabeth Denham.

Denham said companies must understand the risks that they create for others with their data processing, and mitigate those risks. GDPR also formalizes the move away from box ticking to seeing data protection

The European Parliament weighs in on data brokers and data processing in the context of elections in a published answer to a parliamentary question.

“Data brokers may act as controllers or processors depending on the degree of control they have over the processing. Under the General Data Protection Regulation (GDPR)”.

When data brokers process data

How has GDPR enforcement played out in the past year?

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) recently published a report on its 2018 activities.

The report highlights the growth of GDPR enforcement actions:

  • 27,000 people contacted the AP by telephone about the Privacy Act (2017: 9,500).
  • AP received more than 11,000 complaints.
  • AP

Beware the unsolicited email.

UK ICO fines a pensions company £40,000 for sending nearly two million direct marketing emails without consent.

Points to note:

  • You can’t generally send marketing emails without receiving the consent of the recipient.
  • Even if you use a third-party mailer, it is your responsibility to ensure consent has been duly

Some in Congress are renewing calls for strict federal privacy protections.

“We need a privacy bill of rights, a set of protections that is no less stringent than the people of California enjoy, no less protected than the people of Europe have,” says Sen. Richard Blumenthal (D-Conn.)

Jerry Moran (R-Kan.) also cited both the California

The California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR) apply even to companies with fewer than 250 employees… but they may not know it yet.

A recent study reveals that “Company size definitely influences knowledge and preparedness levels. 51 percent of the companies that had at least 250 employees felt

GDPR Data minimization in action. Danish Data Protection Authority (Datatilsynet) finds cab company Taxa 4×35’s records retention practices in violation of the GDPR data minimization principle.

The cab company removed names from records after two years. For another three years, all ride records remained, together with the person’s phone number.

Key points:

  • The removal of

GDPR right of access applies in the work context too.

Four Uber drivers from London, Nottingham and Glasgow claim Uber has breached their rights by failing to disclose personal data the firm holds on them, in breach of the right of access under Art. 15 GDPR.

The information includes:

  • Duration of time logged on to

EDPB on the ePrivacy Directive and GDPR:

  • In situations where the ePrivacy Directive renders more specific the rules of the GDPR, the provisions of the ePrivacy Directive take precedence over the provisions of the GDPR. However, any processing of personal data which is not specifically governed by the ePrivacy Directive remains subject to the provisions

Utah legislators voted unanimously to pass landmark legislation in support of a new privacy law that will protect private electronic data stored with third parties like Google or Facebook from free-range government access.

The bill stipulates that law enforcement will be required to obtain a warrant before accessing “certain electronic information or data.” There are