CJEU Clarifies the Scope of the Right to Access: Restrictions, Grounds and the Notion of “Copy”

On the 26th October 2023, the Court of Justice of the European Union (CJEU) issued a ruling in case C‑307/22 shedding light on the reach of the data subject right of access, and specifically in the context of health data, under Article 15(3) of the General Data Protection Regulation (GDPR). The case arose from a request […]
The Online Safety Act (UK): Contents, Implementation, and Compliance

The controversial Online Safety Act (OSA) came into force as UK law on 26th October, presenting online service providers with new obligations to prevent and remove harmful content from their platforms. The regulator, Ofcom, has received enhanced enforcement powers and published its implementation approach with envisaged timelines for each stage. Organisations of any size providing […]
Is your organisation subject to NIS2?: How can you prepare?

The 2016 Network and Information Systems Directive (NIS) was EU-wide legislation that aimed to impose a common level of network and information system security across critical infrastructure within the EU Member States. However, this legislation left much up to Member States to determine, such as which entities come under its scope, the specific requirements, […]
Generative AI: Capabilities, Risks and Safeguards

Rapid advances in Generative AI (GenAI), which creates text, images, and media – drawing on the patterns and structure of input data to generate new data with similar characteristics – have seen its use grow over the past few years. Predictably, we are also witnessing how technological development is outpacing regulatory developments, exposing organisations to […]
The ICO’s Guidance on Workers Monitoring: Key Hints for Companies

On October 3, 2023, the Information Commissioner’s Office (ICO) adopted guidance to assist employers in adhering to data protection laws while monitoring workers. The guidance applies to any form of monitoring (both systematic and occasional) of people who carry out work on behalf of an organisation, regardless of the nature of the contract between […]
Top Tips for Incident Response Planning

October is Cyber Security Month and it’s a good time to reflect on your organisation’s preparedness for responding to a serious incident such as a cyber-attack. Preparing for an incident is money well spent. Having well tested plans will ensure your response to an incident is more efficient and effective than it may otherwise have […]
Information Commissioner’s Office Opinion on the UK Extension to the EU-US Data Privacy Framework

After a long-awaited adequacy decision for the free flow of data from the UK to the US, on 21 September 2023 the UK Secretary of State for the Department of Science, Innovation and Technology (DSIT) took the decision to establish a data bridge for transfers of personal data between the UK and US. From 12 October, UK […]
What Can We Learn from the PSNI Data Breach?

In a recent data breach, the Police Service of Northern Ireland (PSNI) fell victim to human error in a Freedom of Information (FOI) response that demonstrated the importance of ensuring that data protection and freedom of information are well integrated. Over 100 countries have implemented FOI laws, which allow individuals to request access to data […]
Navigating Data Scraping Challenges: Protecting User Privacy in the Digital Age

On August 24, 2023, 12 data protection authorities that are members of the Global Privacy Alliance’s International Enforcement Cooperation Working Group, including the Information Commissioner’s Office, adopted a joint statement concerning data scraping. The joint statement primarily addresses the privacy risks associated with data scraping and also offers an overview of measures that organizations and individuals can […]
Preparing for NIS 2 Directive: Obligations and Implementation Strategies

On 16 January 2023 the NIS 2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) came into force. NIS 2 is a continuation, expansion and replacement of the original cybersecurity directive NIS 1 (Directive EU 2016/1148). NIS 2 aims to future-proof NIS 1 on account of the […]