The ICO has confirmed a small, but important, change to the time limits for responding to subject access requests (SARs) under the GDPR. Calculation of the one-month time limit should begin from the date on which the request was received, not the day after. Therefore, if a request is received on 3rd September, the deadline for responding will be 3rd October (rather than 4th October, as previously understood). The ICO update on the subject, which follows a (2004) CJEU decision on time limits, is here and the guidance on subject access rights has been updated to reflect this.


In May this year, the General Data Protection Regulation (GDPR) brought with it a new Data Subject Access Request (DSAR) regime. We expect that the ICO will update its Code of Practice shortly. Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR.

One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations – i.e., those which are likely to result in a high risk. To put it simply, a DPIA is a process for building and demonstrating compliance with the GDPR, which complements the new focus on accountability, privacy by design and a far more risk-based approach.

On May 8, Georgia governor Nathan Deal vetoed Senate Bill 315, a proposed cybersecurity law imposing penalties of up to one year in jail and a $5,000 fine for “unauthorized computer access.” In his veto, Governor Deal expressly cited concerns with the “national security implications” of the bill. He noted that it could “inadvertently hinder the ability of government and private industries” to protect against cybersecurity breaches.