The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues.
The DPIA newsletter is a round-up of the most interesting and need-to-know privacy issues from the past two weeks. A quick 3-minute read to keep you on top of the news.
Knowledge nuggets for busy privacy professionals
What is a DPIA?
No, not our newsletter, but a Data Processing Impact Assessment – a risk assessment tool and a legal requirement when processing data that is likely to pose a high risk to the rights and freedoms of individuals. Here, we have put together a useful guide, including the importance of the DPIA process, best practice, and examples of when you would be required to perform the assessment. We also discuss complex DPIAs and give some real-life business examples.
UK’s Online Safety Bill to become law
The Online Safety Bill passed debate in the House of Lords on 19 September 2023. Ofcom Chief Executive, Dame Melanie Dawes said, ‘Very soon after the bill receives Royal Assent, we’ll consult on the first set of standards that we’ll expect tech firms to meet in tackling illegal online harms, including child sexual exploitation, fraud, and terrorism.’
Critics of the bill, including think tanks and certain tech giants, have previously highlighted the challenges of balancing online safety with individual privacy rights. Some have warned that the bill could grant unprecedented censorship powers. How the bill will be enforced and how these laws impact international companies are discussed in the UK government's Guide to the Online Safety Bill.
ICO assesses UK’s data bridge adequacy decision
On 21 September 2023, the Information Commissioner’s Office issued its opinion on the UK government's adequacy decision regarding the UK Extension to the EU-US Data Privacy Framework (DPF), known as the UK ‘data bridge’. The ICO’s assessment cites four areas that could pose some risks to UK data subjects, including how the definition of ‘sensitive information’ does not specify all the categories listed in Article 9 of the UK GDPR. There is a suggestion for the Secretary of State to undertake a review every four years from the regulation’s enforcement date, as well as generally monitor the implementation of the mechanism to ensure it operates as intended.
EU’s Data Governance Act now in effect
The 15-month grace period for the Data Governance Act (DGA) has now concluded, and from 24 September 2023, the regulation became officially applicable. The DGA aims to empower individuals and organisations with greater control over their data, with a primary objective of establishing a harmonised framework for data sharing and governance across EU Member States. It covers various data management aspects, including access and sharing. Vera Jourova, Vice-President of the European Commission for Values and Transparency said, ‘The Act is a milestone for creating a safe and trustworthy digital single market.’
Poland’s Data Protection Authority investigates OpenAI’s ChatGPT
The Urząd Ochrony Danych Osobowych (UODO) opened an investigation into OpenAI’s chatbot on 20 September 2023, following a complaint alleging ChatGPT’s operations violate the EU’s GDPR. The complainant, a local privacy and security researcher, accuses OpenAI of processing data in an unlawful and unreliable manner and also alleges that OpenAI failed to properly respond to his subject access request. The UODO anticipates a ‘difficult’ investigation as OpenAI is located outside the EU but warns that new technologies must respect the GDPR.
Dutch football association criticised for paying Russian hackers
In a move criticised by fraud experts, the Royal Dutch Football Association (KNVB) has reportedly paid Russian cybercriminals an undisclosed ransom to prevent the personal information of the country’s national football team from being made public. The hackers stole the information during a cyberattack on the football organisation, which is the largest sports association in the country.
MEP Bart Groothuis posted on X, formerly Twitter, “The hack on the @KNVB, where a large ransom was paid, once again shows the need for the government to take an active role in preventing cybercrime. That is also what Europe’s cyber security legislation requires from member states.”
New Zealand’s Privacy Commissioner issues guidance on using AI tools
In a bid to help New Zealand’s agencies and individuals understand their privacy obligations whilst using AI tools, Privacy Commissioner Michael Webster has issued new guidance. The guidance, published on 21 September 2023, outlines how AI relates to the 13 Information Privacy Principles (IPPs) and is an addition to the previously published expectations around AI use. The Commissioner said, ‘The Privacy Act applies whenever you collect, use, or share personal information, and it applies when you’re using AI tools.’
Indian government to finalise Data Protection Board and rules for DPDPA
The Minister of State for Electronics and Information Technology Rajeev Chandrasekhar has stated that appointments to the Data Protection Board and the rules of the new Digital Personal Data Protection Act (DPDPA) will be implemented within 30 days. The Data Protection Board will be responsible for determining non-compliance with the DPDPA rules and imposing penalties. Now in force, the DPDPA is likely to have a one-year grace period. Any breaches occurring within this time will be ‘accumulated’ and addressed by the Data Protection Board once members are appointed.
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom