The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

DSAR guidance: Preventing misunderstandings 

In our latest blog, we explore the revised DSAR response guidance from the ICO and provide a handy overview of the most important points. Following a number of official complaints about companies failing to respond to DSARs effectively, the ICO have produced the guidance to prevent further misunderstandings. Key areas are clarified, including the format of requests, what constitutes an exemption, and details about withholding information. Organisations are often unclear about the specifics of what to provide and this guidance expands on previous advice. 

UK Home Office’s secret lobbying plans for controversial facial recognition technology

Minutes of an undisclosed meeting between the UK’s Home Office and biometric security company, Facewatch, have been obtained in a freedom of information request by civil liberties campaigners, Big Brother Watch. The details, seen by The Observer and reported by The Guardian newspapers, show plans to lobby the Information Commissioner’s Office (ICO) and expedite the roll-out of facial technology across high street shops and supermarkets in a bid to tackle retail crime. Campaigners insist the Home Office answer questions about their meeting and urge that human rights take priority over the highly invasive technologies. In contrast, the EU seeks to ban facial recognition in public spaces with the proposed AI Act.

ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp

Patient data was unlawfully shared in a WhatsApp group by 26 members of staff at NHS Lanarkshire between April 2020 and April 2022. The data included names, phone numbers, addresses and clinical information. The NHS organisation was not initially aware of the unapproved use of the messaging platform, and the incident was reported to the ICO as soon as it was discovered. The ICO investigation found there were insufficient policies, guidance and processes in place, including a lack of risk assessments. Read the ICO statement and recommendations.

Meta to seek consent for behavioural ads

The social media giant, Meta, has announced the decision to seek user consent before showing behavioural ads to people in the EU and Switzerland. This comes after more than five years of litigation and a raft of fines for breaches in GDPR compliance. Changing the legal basis from “legitimate interest” to “consent” is only being applied to “certain data for behavioural advertising”, and it remains unclear whether this will be applied to the use of personal data for all ads. Max Schrems, Austrian lawyer and privacy activist, said, “We will continue litigation if Meta will not apply the law fully.”

CNIL proposes new personal data “sandbox” to support AI innovation

France’s regulatory body, the Commission Nationale Informatique et Libertés (CNIL) has announced a new support system for innovators and organisations working on artificial intelligence (AI) projects intended for public services. Organisations facing any new issues relating to the regulation of personal data are called to apply. The “sandbox” is intended to help the development of AI whilst respecting data protection laws, especially with the proposed enforcement of the EU AI Act. Eligible organisations can apply here.

Privacy concerns over launch of digital ID platform Worldcoin

Data protection regulators in the UK, France and Germany are expressing concerns over the collection of biometric data by Worldcoin, which launched on 24 July 2023. The crypto-based company was co-founded by OpenAI’s Sam Altman and aims to provide users with “proof of personhood” in a type of digital passport that issues crypto tokens. The company uses an iris scanner to create identification codes that are saved on a decentralised blockchain. Under the GDPR and UK GDPR, the use of biometric data for identification is considered “special category data” and requires explicit consent. Many questions are being raised about whether consent can be freely given when crypto tokens are exchanged as a kind of virtual currency for someone’s biometric data.

China’s TC260 publishes list of cybersecurity national standard requirements

On 24 July 2023, China’s National Information Security Standardisation Technical Committee (TC260) released details of the cybersecurity national standard requirements for 2023. The published list seeks to strengthen the country’s cybersecurity standards in line with the developmental needs of the technology industry. The list includes the name, content and intended aim of each requirement and covers areas such as the technical requirements for products that filter and control information like text and images. The published list can be viewed in Chinese here.

Big Tech companies agree to AI safeguards

Amazon, Google, Meta, Microsoft, OpenAI and two other tech companies have stated their commitment to a set of AI product development safeguards, as agreed by the US administration. The safeguards include third-party oversight, security testing, reporting vulnerabilities, flaws and risks, and digital watermarking to combat deepfakes. The White House said the voluntary commitments addressed immediate risks as longer-term Artificial Intelligence regulations were pursued. Campaigners for AI regulation voiced concerns, claiming the voluntary safeguards will not be enough to hold companies accountable.

We are recruiting!

To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking candidates for the following positions:

  • Data Protection Officers (based in the United Kingdom or The Netherlands)
  • Data Protection Officer (German Speaking)
  • Data Protection Support Officer (DPSO)
  • Events & Digital Marketing Coordinator to join our #oneteam 

If you are looking for a new and exciting challenge, and the opportunity to work for a Great Place to Work-Certified™ company, apply today!

Copyright © 2023 The DPO Centre, All rights reserved. 

The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom