With more and more of our day to day life happening in an online environment, many decisions are inevitably made by computers, with no human involvement – a process called automated decision-making.  Organisations use technology, including algorithms and machine-learning, to collect and analyse a range of personal data about an individual – from their buying habits to lifestyle data, from social network data to mobile phone data.  Automated individual decision-making is frequently used for the purposes of profiling. Profiling is defined by the GDPR as: “ Any form of automated processing of personal data consisting of the use of personal...

One of the rights given to individuals under the GDPR, is that of data portability. But when does it apply and what exactly does it entail? The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format but only comes into play in certain situations. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means that individuals can move, copy or transfer personal data easily from one IT environment to...

Damage to reputation Fake credit card transactions Identity fraud Compromised bank accounts Individuals put at risk of physical harm or intimidation Password theft Exposure of the contact details of vulnerable people Fake applications for tax credits Mortgage fraud Exposure of sensitive health and medical details   These are just a few examples of what can go wrong if personal data is lost, stolen, misplaced or abused which is exactly why the GDPR has put a lot of emphasis on its Security Principle. This principle puts an obligation on all data processors to put in place appropriate technical and organisational measures...

Under the Data Protection (Charges and Information) Regulation 2018, every organisation or sole trader processing personal information must pay the data protection fee to the ICO. This applies to everyone except those who qualify for one of the exemptions. Failure to register is a criminal offence so should be a priority for businesses.  Note that domestic use of CCTV is not included in processing which requires a fee to be paid. From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, even if it films beyond the boundaries of their property will be exempt...

Under the GDPR, both data controllers and data processors have compliance obligations and responsibilities. Processors for the first time have direct liability and may be subject to penalties and civil claims by data subjects for non-compliance with the terms of the GDPR. It is very important that controllers and processors clearly document their respective obligations and the GDPR creates a requirement for a contract to be in place between them, setting out specific terms that processor/controller agreements must contain, as a minimum.  This aims to ensure that processors only carry out processing as agreed with the controller and always in...