The DPIA is an assessment of the impact of the most significant and important-to-know data protection issues from around the globe. It’s not the full story, just a quick 3-minute read, collated and condensed to keep you updated with the latest news in our ever-evolving industry.
EDPB Report: Challenges faced by DPOs in Europe
Our latest blog explores the recent European Data Protection Board (EDPB) report on a co-ordinated investigation into the role of Data Protection Officers (DPOs). Based on investigations by 25 supervisory authorities across the European Economic Area (EEA), the report highlights the challenges faced by DPOs in their role.
In the blog, we delve into some of these key challenges, including insufficient resources, insufficient knowledge and training, and conflicts of interest.
We also offer practical advice on how an outsourced Data Protection Officer (DPO) helps to address these challenges.
ICO launches second chapter of its consultation series on generative AI
On 26 February 2024, the Information Commissioner’s Office (ICO) announced the second survey for its consultation on generative AI. The general purpose of this consultation series is to examine how aspects of data protection law should apply to the development and use of generative AI.
The second chapter focuses on how the principle of ‘purpose limitation’ should be applied to the different stages of the generative AI life cycle. The ICO highlights the requirement for organisations to have a specified and explicit purpose before processing personal data.
Comments are welcomed from anyone with an interest in generative AI, including developers, users of the technology, legal advisors, and consultants.
Ministry of Defence breach fine reduced to £350,000
On 26 February 2024, the Information Commissioner’s Office (ICO) published its 73-page penalty notice, detailing the reasons for the Ministry of Defence (MoD) fine.
A £1 million penalty fine was originally issued for an email data breach that involved the MoD inadvertently sending emails using the ‘To’ field instead of ‘Bcc’. The breach exposed the details of 265 Afghan nationals seeking relocation, which could have posed a serious threat to life.
The ICO reduced the fine to £700,000, then £350,000, after considering certain mitigating factors, including the ‘urgent and pressurised circumstances of the evacuation from Afghanistan’ and the policy regarding enforcement against public bodies.
On 28 February 2024, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs) across the European Economic Area (EEA) will participate, including 7 German State-level DPAs.
The topic for this third CEF action is the implementation of the right of access. This right is crucial for data protection and is frequently exercised by individuals. The right of access allows individuals to verify whether their personal data is processed correctly by organisations.
The joint results will be analysed, and DPAs will then decide on further supervisions and enforcement actions.
Four of Apple and Microsoft’s services to be left out of Digital Markets Act
The European Commission has reversed its decision regarding Apple’s iMessage and Microsoft’s Bing, Edge, and Microsoft Advertising. These services will not be considered gatekeepers under the Digital Markets Act (DMA), as they did not meet the criteria set out by the Commission.
Whilst they won’t face the strictest regulations like other gatekeepers, they will still be required to follow certain rules. The Commission stated they will continue to monitor the four services for any significant changes.
Canada’s OPC highlights the need for stronger federal privacy measures
In two separate investigations by the Office of the Privacy Commissioner of Canada (OPC), critical privacy concerns within federal government departments and agencies have come to light.
One investigation revealed security weaknesses at Employment and Social Development Canada (ESDC) and the Canada Revenue Agency (CRA). In a major privacy breach, hackers gained unauthorised access to sensitive personal data, including financial and employment information.
The second investigation was conducted on the Royal Canadian Mounted Police (RCMP) and their use of private-sector surveillance and monitoring services. The OPC emphasised the need for the responsible and transparent use of facial recognition technology (FRT).
On 26 February 2024, the US’s National Institute of Standards and Technology (NIST) published the Cybersecurity Framework 2.0. This updated framework provides guidance to organisations of all sizes and sectors for managing cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes, allowing organisations to better understand, assess, prioritise, and communicate their cybersecurity efforts.
The CSF 2.0 is organised into six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
South Korea’s PIPC publishes personal information leak response manual
On 19 February 2024, South Korea’s Personal Information Privacy Commission (PIPC) released a manual with advice on how to ensure swift response and action to any personal information leaks. The guidance mentions that procedures will vary depending on factors such as data type, processing method, environment, and individual characteristics.
The manual sets out specific procedures for the leakage of sensitive personal information, including illegal data breaches.
To support our ongoing requirement to continuously grow our remarkable and extraordinary #ONETEAM, we are seeking candidates for the following positions:
Data Protection Officers (UK, Netherlands)
Data Privacy Officers (Canada)
Data Subject Access Request (DSAR) Officer
Copywriter
Marketing Assistant
Project Administrator
Recruitment Coordinator
Senior HR Advisor
If you are looking for a new and exciting challenge, and the opportunity to work for both a Great Place to Work-Certified™ company and one of the UK's Best Workplaces in Consulting & Professional Services, apply today!
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom