The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues.
The DPIA newsletter is a round-up of the most interesting and need-to-know privacy issues from the past two weeks. A quick 3-minute read to keep you on top of the news.
Knowledge nuggets for busy privacy professionals
Vendor due diligence & GDPR compliance: 5 practical steps
The global outsourcing sector is showing continual growth, supporting organisations with important functions such as IT and data protection services. However, it’s crucial to understand the implications and responsibilities of sharing EU and UK personal data with your vendors or third parties. In our latest blog, we cover the key factors you need to know about vendor due diligence and maintaining GDPR compliance.
On 26 October 2023, the Online Safety Bill received Royal Assent. Now known as the Online Safety Act, it aims to combat harmful online content, with protections especially focussed on children. UK telecoms regulator Ofcom is responsible for enforcing the Act.
Critics, including the Wikimedia Foundation and privacy advocates, have raised concerns about Ofcom’s new power to censor online content and how the Act could lead to tech companies collecting more data from users to comply with the new rules. Ofcom plans to publish its code of practice in 3 phases, with the first phase due on 9 November 2023. A list of large or high-risk platforms subject to the Act will be published by the end of next year.
On 17 October 2023, Japan’s Personal Information Protection Commission (PPC) and the UK’s Information Commissioner’s Office (ICO) signed a Memorandum of Understanding (MoU) on data protection. The agreement is a positive step forward for both countries and sets out their commitment to protecting personal information and promoting best practice in data protection. Under the MoU, personal information will not be shared between the two authorities unless an exception applies. The MoU also confirms areas for collaboration, including joint research projects and training programmes.
EDPS-EDPB raise concerns about data protection and the digital euro
The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) have published a joint opinion on the digital euro. They welcomed users having the choice between digital currency and cash, and noted that the digital euro would not be ‘programmable money’. Concerns were raised about data protection and about how data protection by design would be implemented in practice. The opinion highlights that consumer trust and confidence could be undermined if these concerns are not properly addressed.
On 20 October 2023, Belgium’s Data Protection Authority (DPA) released a checklist for the correct use of cookies to help organisations comply with current regulations. The step-by-step guidance also includes dos and don’ts for using cookies and other tracking mechanisms. The DPA reminds organisations that only strictly necessary cookies are exempt from consent.
As the AI Act enters the final stages of negotiation, the European Data Protection Supervisor has published Opinion 44/2023. In the accompanying press release, the EDPS stresses the importance of prohibiting ‘the use of AI systems that pose unacceptable risks to individuals and their fundamental rights’. Its recommendations include applying the Act to all AI systems, regardless of when they were developed or deployed, and giving individuals the right to lodge complaints with the EDPS if they believe their rights have been violated.
The AI Act aims to regulate the development and use of artificial intelligence (AI) systems in the EU. It is the first comprehensive AI legislation in the world and will undoubtedly have a significant impact on the use of AI within the EU, as well as being a model for other countries.
South Korea enacts regulations on international data transfers
South Korea’s regulations on the overseas transfer of personal information came into effect on 16 October 2023. The Personal Information Protection Commission (PIPC) confirmed the new requirements, including specific procedures for getting permission to transfer personal information and standards for evaluating the level of data protection in other countries.
The regulations also give the PIPC the power to order the suspension of overseas transfers as a safety net where there is a risk that data will not be adequately protected, and set out a procedure for appealing such a suspension order.
Saudi Arabia formally publishes Personal Data Protection Law
The Kingdom of Saudi Arabia’s first data protection law, the Personal Data Protection Law (PDPL), was published on 7 September 2023. Organisations have one year to bring themselves into compliance before enforcement begins on 14 September 2024. The new legislation is aligned with international privacy laws, in particular the GDPR.
Key elements of the law include the definition of data subject rights, adequacy decisions for countries receiving data transfers, the lawfulness of processing, and example scenarios in which a privacy impact assessment is required. Scenarios are also given for when a transfer should be stopped or prohibited, and for when a transfer impact assessment (TIA) must be repeated.
To support the continued growth of our #oneteam, we are seeking candidates for the following positions:
Data Protection Officers (based in the United Kingdom or The Netherlands)
Data Protection Officer (German Speaking)
Data Subject Access Rights (DSAR) Officers
Senior Graphic Designer to join our #oneteam
If you are looking for a new and exciting challenge, and the opportunity to work for a Great Place to Work-Certified™ company, apply today!
You have been sent this newsletter under legitimate interest; for more information, please read our Privacy Notice.
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom
The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom