This includes comprehensive guidance on all aspects of data breach notification requirements for both controllers and processors, including useful examples. It covers what should be included in breach notifications, breach notification requirements in the case of cross-border transfers, communications to data subjects, factors to consider when assessing risk, documentation of breaches, the role of the data protection officer, and notification obligations under other legal instruments such as the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), and the Citizens’ Rights Directive and Breach Notification Regulation.
They note that the following criteria need to be considered when assessing the risk to individuals as a result of a breach:
- The type of breach
- The nature, sensitivity, and volume of personal data
- Ease of identification of individuals
- Severity of consequences for individuals
- Special characteristics of the individual
- Special characteristics of the data controller
- The number of affected individuals
They note that the European Union Agency for Network and Information Security (ENISA) has produced recommendations for a methodology for assessing the severity of a breach, which controllers and processors may find useful when designing their breach management response plan: https://www.enisa.europa.eu/publications/dbn-severity
It finishes with an Annex containing a flowchart illustrating the breach notification requirements, examples of personal data breaches, and who to notify in each case.
Article 29 Working Party has produced updated guidance on Automated Decision Making and Profiling
Changes in relation to data protection, including two new sections and added definitions, have been made to the Code of Fundraising Practice and published following a consultation last autumn.
The new Code rules will come into effect from 25 May 2018, the same date on which the GDPR becomes applicable. The revised Code sets out the rules for fundraisers regarding personal data. The changes include:
- Ensuring consistent terminology between the Code and the GDPR
- Emphasising that any activity involving personal data (including wealth screening, data matching, tele-appending and re-use of public information) constitutes processing and that data protection rules apply
- Creating new sections on Data Protection and Direct Marketing
- Adding and expanding definitions for key terms including “processing”, “consent” and “legitimate interest”
- Increasing links to existing guidance from the ICO, the Fundraising Regulator and other relevant bodies
The revisions also highlight areas that may be subject to further change when the new Data Protection Bill is enacted and PECR is reviewed.
The Code changes can be found here:
The ICO reports that in the month of January it issued six monetary penalties for making or sending unsolicited marketing calls and messages, amounting to £1,250,000 in total.
This should act as a reminder to those sending marketing information to make sure they adhere to the DPA, PECR and other marketing industry regulations and standards. The penalties issued last month included:
£300K against Holmes Financial Solutions for making 8.7 million unlawful automated marketing calls;
£350K against Miss-sold Productions UK Ltd for making over 74 million unlawful automated marketing calls;
£40K against Good Market Ltd for sending unlawful marketing text messages;
£250K against Barrington Claims Ltd for making over 15 million unlawful automated marketing calls;
£80K against TFLI Ltd for sending over 1.1 million unlawful marketing text messages; and
£230K against Newday Ltd for sending over 44 million unlawful marketing emails.