As part of the UK data protection authority’s new three-year strategy (ICO25), launched on 14 July, UK Information Commissioner John Edwards announced an investigation into the use of AI systems in recruitment. The investigation will have a particular focus on the potential for bias and discrimination stemming from the algorithms and training data
On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.”
Data Protection Impact Assessments are required under the GDPR and are intended to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to…
Updated Black List of Processing Operations Requiring DPIA
On July 8, 2019, the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority after the European Data Protection Board (EDPB) raised objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.
As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA:…
On 22 November, the CNIL released on its website an open-source, ready-to-use software tool for DPIAs, which can be downloaded for free.
The explanations on the website are currently only in French, but the CNIL’s intention is to provide English explanations as well.
The Article 29 Working Party has adopted Guidelines on Data Protection Impact Assessments (DPIAs), following its consultation on a draft version published in April 2017. The final version provides additional guidance in a number of areas without materially changing the position.
Further guidance is provided on the trigger for mandatory DPIAs – whether the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” Additional emphasis is placed on the obligations of controllers in cases where a DPIA is not required, pointing out that they must implement measures to appropriately manage risks regardless and, further, that they must continuously assess the risks to identify when they may trigger the DPIA obligation. The final Guidelines also discuss the sharing of information relating to DPIAs amongst joint controllers or where similar processing operations are carried out by various data controllers.