With more and more of our day to day life happening in an online environment, many decisions are inevitably made by computers, with no human involvement – a process called automated decision-making.  Organisations use technology, including algorithms and machine-learning, to collect and analyse a range of personal data about an individual – from their buying habits to lifestyle data, from social network data to mobile phone data. Automated individual decision-making is frequently used for the purposes of profiling. Profiling is defined by the GDPR as:“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain...

One of the rights given to individuals under the GDPR, is that of data portability. But when does it apply and what exactly does it entail?The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format but only comes into play in certain situations.The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means that individuals can move, copy or transfer personal data easily from one IT environment to another in a...

Damage to reputationFake credit card transactionsIdentity fraudCompromised bank accountsIndividuals put at risk of physical harm or intimidationPassword theftExposure of the contact details of vulnerable peopleFake applications for tax creditsMortgage fraudExposure of sensitive health and medical details These are just a few examples of what can go wrong if personal data is lost, stolen, misplaced or abused which is exactly why the GDPR has put a lot of emphasis on its Security Principle. This principle puts an obligation on all data processors to put in place appropriate technical and organisational measures to minimise potential risks.Article 5(1)(f) of the GDPR states that personal data...

Under the Data Protection (Charges and Information) Regulation 2018, every organisation or sole trader processing personal information must pay the data protection fee to the ICO. This applies to everyone except those who qualify for one of the exemptions. Failure to register is a criminal offence so should be a priority for businesses. Note that domestic use of CCTV is not included in processing which requires a fee to be paid. From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, even if it films beyond the boundaries of their property will be exempt from paying...

Under the GDPR, both data controllers and data processors have compliance obligations and responsibilities. Processors for the first time have direct liability and may be subject to penalties and civil claims by data subjects for non-compliance with the terms of the GDPR.It is very important that controllers and processors clearly document their respective obligations and the GDPR creates a requirement for a contract to be in place between them, setting out specific terms that processor/controller agreements must contain, as a minimum.  This aims to ensure that processors only carry out processing as agreed with the controller and always in compliance with...