GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018


February 2019:

ICO's blog regarding non-payment of the Data Protection fee.

Information about ICO fines for non-payment of the Data Protection fee.

January 2019:

The French Supervisory Authority (CNIL) has fined Google 50 million euros.

Brexit guidance:

December 2018:

The Information Commissioner published its Guide to Data Protection, combining the existing guidance on the GDPR and law enforcement regimes with new guidance explaining some basic concepts, how the DPA 2018 works, and which regime applies.

They expanded the guidance on contracts, published guidance on controllers and processors, and published detailed guidance on controllers and processors, contracts and liabilities. They also expanded the guidance on scope and key definitions in the guide to law enforcement processing.

There is now a page listing updates to the ICO's guidance.


November 2018:

The Information Commissioner published guidance on encryption.


October 2018 - DPA 2018 exemptions:

The ICO's guidance on the exemptions in the DPA 2018 gives simplified explanations of these exemptions.


20 September 2018 - monetary penalties:

The ICO has imposed a monetary penalty of £500,000 on Equifax Ltd under the DPA 1998.


July 2018 - breach reporting:

The ICO has stated that the number of data breaches reported to it has increased considerably since the GDPR came into force (Data Breach Today).


July 2018 - email encryption:

The Danish Data Protection Agency has announced that from 1 January 2019 private sector companies must use encryption when transmitting sensitive personal data by email (Bloomberg; announcement by the Danish DPA).


International Transfers:

The ICO has published guidance on International Transfers to which GDPR Chapter V applies. This includes the following:

  • The ICO has provided a decision tree for controllers and processors when deciding whether an international transfer of personal data is permitted. A transfer of personal data can be made if it is not a restricted transfer of personal data outside of the EEA. Q1 states that a restricted transfer of personal data is made "if
    • the GDPR applies to your processing of the personal data you are transferring. The scope of the GDPR is set out in Article 2 (what is processing of personal data) and Article 3 (where the GDPR applies). Please see the section of the guide What is personal data. We will be providing guidance on where the GDPR applies later this year. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in specific circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
    • you are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually because they are located in a country outside the EEA; and
    • the receiver is a separate organisation or individual. The receiver cannot be employed by you or by your company. It can be a company in the same group."
  • Data is not transferred to a third country if the data is merely in transit electronically through the third country. (This repeats earlier guidance on DPA 1998.)
  • The countries for which the Commission has made an adequacy decision are listed. The EU and EEA countries are also listed.
  • Transitional arrangements pending approval of standard contract clauses are set out.
  • Guidance is given on the exceptions in Article 49, including obtaining consent of data subjects, the scope of the 'legal claims' exception, and the scope of the 'not repetitive' exception. The 'not repetitive' exception "should not be relied on lightly and never routinely as it is only for truly exceptional circumstances".

17 July 2018:

The European Commission and Japan announced an agreement to recognise each other's data protection systems as adequate.
