The new General Data Protection Regulation (GDPR) will be with us very soon, on 25 May 2018. We have been regularly updating you about this and for further detail see our updates here.
On 12 March 2018, the Information Commissioner’s Office (ICO) launched an awareness campaign about the GDPR aimed at micro-businesses (that is, those employing fewer than ten people).
The resources include a:
These are available here.
The Information Commissioner’s Office (ICO) has published draft guidance on data protection impact assessments (DPIAs) (available here). The draft guidance is intended to sit alongside the ICO’s Guide to the GDPR (available here) and will replace its current guidance on privacy impact assessments.
The draft guidance confirms that a DPIA is a way to identify data protection risk to individuals’ interests in relation to processing; it is an ongoing process and should be embedded into an organisation’s processes. Any risk should be minimised and an assessment made of whether any remaining risk is justified.
The draft guidance also notes that DPIAs are important as they can enable organisations to assess and demonstrate compliance with data principles and obligations under the GDPR.
The Information Commissioner’s Office (ICO) has published detailed guidance on legitimate interests as a basis for processing personal data (available here).
The guidance sits alongside the ICO’s Guide to the GDPR and is intended to help organisations decide when to rely on legitimate interests as a basis for processing personal data.
Although the concept of “legitimate interests” as a basis for processing is not new, the GDPR has introduced some changes. These include:
These changes mean that all organisations should be familiar with this guidance in order to ascertain whether they are able to rely on the legitimate interests as a basis for processing personal data.
The guidance recommends that organisations review their existing processing operations in order to ensure that where legitimate interests is relied on it is still the most appropriate basis for processing.
The ICO also confirms that organisations can move to legitimate interests as a basis for processing from a different basis under the Data Protection Act 1998. However, where this is the case any individuals concerned should be informed of this via an updated privacy notice and of their right to object to processing on this basis.