When the election was called for 4 July 2024, it came as a relative surprise, both for the country and for data protection watchers who had been preparing for the seemingly assured passage of the Data Protection and Digital Information (DPDI) Bill.

But the legislation has not made it through the parliamentary ‘wash-up’ procedure which takes place in the final days of a parliament, so the bill will not be passed and no changes to the UK’s data protection regime will come into force in the near future. 


Universities are entrusted with the care and education of their students, but recent events have sparked debates about what to do when the duty of care clashes with data protection. Viv Adams, ICO Parliament and Government Affairs team Principal Policy Adviser, said that under UK law, universities have the legal authority to share personal data in situations where there’s an urgent need to prevent harm: “University staff should do whatever is necessary and proportionate to protect someone’s life. Data protection law allows organisations to share personal data in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm.” This provision aims to enable institutions to intervene effectively in cases of potential loss of life or serious harm, whether physical, emotional, or mental.


Thousands of employees’ biometric data must be deleted, according to a new ruling by the Information Commissioner’s Office. Serco, one of the UK’s largest employers, was told to stop using fingerprint scanners and facial recognition software for staff clocking on and off, in a warning that could force many other employers to change their practices.


How to comply with Lei Geral de Proteção de Dados, Brazil’s data protection law

Brazil’s Lei Geral de Proteção de Dados (LGPD) is the country’s first comprehensive personal data protection law. It entered into force in September 2020 and aligns closely with the EU’s sweeping data privacy act, the General Data Protection Regulation (GDPR).

Before LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. The aim of the LGPD was to unify the 40 different Brazilian laws that regulated the processing of personal data.

LGPD sets forth Brazil’s conception of personal data and when its use is authorised. Comprising 65 articles, it deals with the rights of data subjects and has 10 legal bases for the processing of personal data, which is four more than GDPR.


The EU’s General Data Protection Regulation (GDPR) has now been in force for six years. During that time, fines have totalled billions of euros, with over €1 billion in fines coming in the past 12 months. The most recent fines show that both large and small businesses are subject to regulators’ scrutiny.

With fines and enforcement actions, developments in GDPR case law and new challenges of AI, data protection remains one of the most complex areas of compliance. Despite best efforts, many organisations are still falling short when it comes to getting GDPR right.

In this webinar, we examined GDPR’s widespread impact not just in Europe but around the world. As places like Brazil, California, and even China race to enact GDPR-like protections, what does the future hold for data privacy?

The webinar covered:

  • Recent GDPR fines and case studies
  • International developments and new GDPR-style laws around the world
  • Focus areas for EU data protection authorities
  • Where the UK and US stand with data protection and GDPR
  • Artificial intelligence and data protection laws
  • Best practice guidance to solidify your GDPR compliance


Thanks to GDPR, DPIAs matter more than ever. Here’s why – and tips on how to do them

A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. DPIAs always mattered, but the General Data Protection Regulation (GDPR) made them matter much, much more.

As most Data Protection Officers (DPOs) and data processors are aware by now, GDPR added significant compliance burdens. Under GDPR, data breaches need to be reported to the authorities within 72 hours and each new data processing activity needs to be documented. GDPR also introduced a new obligation to do a DPIA before carrying out processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk which you cannot mitigate, you must consult the Information Commissioner’s Office (ICO). The regulator can recommend changes to reduce the risk, give a formal warning not to carry out the processing or even ban the processing altogether. 


It’s been almost six years since Europe’s data protection landscape changed with GDPR. Are you prepared for SARs?

Since the General Data Protection Regulation (GDPR) was passed there has been almost constant change for companies, with new case law, rulings and court cases making compliance with GDPR an ongoing hot topic for organisations of all shapes and sizes.

With GDPR decisions from 27 different member states coming through on an almost daily basis, it can be a challenge to ensure compliance. One of the basic rights of GDPR is a subject access request (SAR). It provides people with the right to access and receive a copy of their personal data, and other supplementary information. SARs can be made verbally or in writing, including via social media.

People are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. 


In January 2022, China promulgated two laws specific to AI applications. While the provisions regarding the management of algorithmic recommendations for internet information services (Algorithm Provisions) have been in effect since March 2023, the provisions for managing deep synthesis of internet information services (Draft Deep Synthesis Provisions) are still in the drafting stage.


The newly elected leftist government of Lula in Brazil is in the process of developing its first law to regulate artificial intelligence. In December 2022, a Senate panel presented a report containing studies on AI regulation, along with a draft for AI regulation. 

The main aims of the legislation are to safeguard the rights of individuals affected by AI systems, categorise the level of risk associated with these systems, and establish governance measures for companies that provide or operate AI systems.
