This includes comprehensive guidance on all aspects of the data breach notification requirements for both controllers and processors, with useful examples. It covers what a breach notification should contain, the notification requirements where cross-border processing is involved, communications to data subjects, the factors to consider when assessing risk, documentation of breaches, the role of the data protection officer, and notification obligations under other legal instruments such as the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), and the Citizens' Rights Directive and Breach Notification Regulation.
The guidelines note that the following criteria need to be considered when assessing the risk to individuals resulting from a breach:
They also note that the European Union Agency for Network and Information Security (ENISA) has published recommendations for a methodology for assessing the severity of a breach, which controllers and processors may find useful when designing their breach management and response plan: https://www.enisa.europa.eu/publications/dbn-severity
The guidelines finish with an Annex containing a flowchart illustrating the breach notification requirements, together with examples of personal data breaches and who must be notified in each case.
The new Code rules will take effect on 25 May 2018, the same day the GDPR begins to apply. The revised Code sets out the rules fundraisers must follow when handling personal data. The changes include:
The revisions also highlight areas that may be subject to further change when the new Data Protection Bill is enacted and PECR is reviewed.
The Code changes can be found here:
This should serve as a reminder to anyone sending marketing communications to make sure they comply with the DPA, PECR and the other marketing industry regulations and standards. The penalties issued last month included:
£300K against Holmes Financial Solutions for making 8.7 million unlawful automated marketing calls;
£350K against Miss-sold Products UK Ltd for making over 74 million unlawful automated marketing calls;
£40K against Good Market Ltd for sending unlawful marketing text messages;
£250K against Barrington Claims Ltd for making over 15M unlawful automated marketing calls;
£80K against TFLI Ltd for sending over 1.1M unlawful marketing text messages; and
£230K against Newday Ltd for sending over 44M unlawful marketing emails.
For more information on GDPR, contact firstname.lastname@example.org.