When is a data breach notifiable to the Supervisory Authority?

Article 33 of the General Data Protection Regulation (GDPR) imposes obligations on data controllers to report personal data breaches to the relevant Supervisory Authority (SA) within 72 hours of the data controller becoming aware of the breach. These obligations arise unless the personal data breach is unlikely to result in a risk to the rights and freedoms […]

Publishing house fined for data security violation under the GDPR

In late 2021, the Spanish Data Protection Authority (‘AEPD’) initiated an investigation into the data processing activities of Bayard Revistas S.A., a publishing house in Madrid, after receiving a complaint from an individual. According to this complaint, the person in charge of Bayard’s web portal notified all data subjects via e-mail that a third party […]

What Are The Risks Of Not Sharing Data For Safeguarding Children?

Child exploitation is too often hidden in plain sight which makes it hard to detect and tackle. In response, Trilateral Research has co-designed the CESIUM Application with Lincolnshire Police to identify children who are vulnerable to exploitation. CESIUM promotes intelligence collaboration for safeguarding children by using our ethical artificial intelligence (Ethical AI) to gain new […]

Transatlantic Data Privacy Framework a Step Closer – What Next?


With transatlantic data flows under scrutiny since the court rulings in both Schrems I and Schrems II resulted in the invalidation of previous data transfer frameworks, organisations have been seeking to ensure that US data transfers can continue to flow lawfully. Post ‘Schrems’, Standard Contractual Clauses (SCCs) have been the transfer mechanism of choice for many […]

How to plan, deliver and maintain a robust Record of Processing Activities project


In addition to being a requirement under Article 30 of the GDPR, the Record of Processing Activity (RoPA) can also be a key data protection compliance driver for your organisation. In previous articles, we have provided guidance on the specific requirements of Article 30, its relevance to organisations, the implications of non-compliance and the steps […]

Action taken by the ICO for failures relating to Subject Access Requests (SARs) and top tips to avoid caseload backlogs


In response to multiple complaints, the Information Commissioner’s Office in the United Kingdom has issued reprimands against a number of organisations for failing to meet statutory obligations under the right of access set out in the UK GDPR. These organisations, including government departments, local authorities and a high profile communications company, have been publicly named […]

EDPB instructs Irish DPC to expand infringements against Instagram in €405M fine


This month (September 2022), the Irish Data Protection Commission (DPC) issued a decision which included the imposition of a fine on Meta related to its social media platform, Instagram. The Meta fine was issued by the DPC following input from Supervisory Authorities of other EU Member States into the DPC’s draft decision and a subsequent […]

A Retention Schedule for your Organisation


The General Data Protection Regulation (GDPR) has been in force for over four years, and many are now well aware of its seven core principles. One of these, which is often overlooked, is storage limitation, which instructs us that data must not be kept for longer than is necessary. For many, depending on […]