ICO Publishes New Guidance on Responding to Subject Access Requests (SARs)

Background: On May 24, the UK Information Commissioner’s Office (ICO) published new guidance, in the form of a Q&A, for businesses and employers on responding to Subject Access Requests (SARs). Subject Access Requests form part of the UK General Data Protection Regulation (UK GDPR) in Art. 15 of the UK GDPR and Data Protection Act 2018 […]
Information Governance: know what you have, know why you have it

‘Everybody gets so much information all day long that they lose their common sense.’ – Gertrude Stein
It is important for any business or organisation to know what information they hold, where they hold it, and why. Information can be highly sensitive, private or valuable. Sometimes it can be all these things at once. When […]
Data protection by design and default: what data controllers need to know and do

The Future of Privacy Forum (FPF), a prominent Washington thinktank, published a May 2023 report reflecting on data protection by design and by default. Data controllers’ duty to implement appropriate technical and organisational measures (‘TOMS’) was a novel obligation introduced into EU data protection law in 2018 through Article 25 GDPR. The law requires controllers […]
EDPB adopts the final version of Guidelines on facial recognition technology in the area of law enforcement

Introduction: On May 17, 2023, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on the implementation and use of facial recognition technologies (FRT). The finalised FRT guidelines apply to law enforcement agencies (LEAs), their officers, and legislators at the EU and EU Member State levels. This article delves into […]
Data Protection Commission’s RoPA Guidance and Practical means of achieving compliance

The Data Protection Commission (DPC) has published a guidance document to assist controllers on how to approach the development of the Record of Processing Activities (RoPA) required under Article 30 GDPR. Prior to the publishing of this guidance document, the DPC conducted a RoPA sweep involving 30 organisations across the public and private sectors in […]
The EDPB Adopts Final Version of Guidelines on Data Subject Rights – Right of Access

On 28 March 2023, the European Data Protection Board (EDPB) adopted its final Guidelines 01/2022 on data subject rights – Right of access at the end of the public consultation period. The aim of the Guidelines is to provide insight into different aspects of the right of access and how it must be implemented in different […]
AI Enabled Software Products: First Steps to Compliance

ChatGPT has propelled artificial intelligence (AI) to the fore of public debate. The popularity of the ground-breaking chatbot has accelerated an arms race in the technology sector to develop new goods and services and to enhance existing software products with AI capabilities. All organisations that use software from third party vendors embedding this functionality into existing […]
Ireland’s Data Retention Bill (Communications (Retention of Data) Amendment Act 2022) and your Privacy Rights

Background: For the first time since 2011, Irish legislation governing the retention of mobile phone data such as texts, call and location data is scheduled to change. The Data Retention Bill (Communications (Retention of Data) Amendment Act 2022) will address the impact of recent EU case law, including the Graham Dwyer murder conviction. The proposed […]
The DPC Decision on Meta EU-US data transfers is imminent – what can we expect?

The European Data Protection Board (EDPB) has adopted a dispute resolution decision about Meta’s Facebook EU – US Data Transfers, which will be binding upon the DPC in relation to its own final decision. Although there are many territorial transfers […]
The ICO issues guidance on direct marketing and regulatory communications

The Information Commissioner’s Office (hereafter “ICO”) recently released new guidance to assist organisations to comply with data protection law when a regulatory communication message they need to send out is direct marketing. In undertaking activities that may count as direct marketing, entities have to ensure compliance with data protection requirements by balancing their interests to […]