As part of the UK data protection authority’s new three-year strategy (ICO25), launched on 14 July, UK Information Commissioner John Edwards announced an investigation into the use of AI systems in recruitment. The investigation will have a particular focus on the potential for bias and discrimination stemming from the algorithms and training data

Map of Warsaw, Poland

Updated Black List of Processing Operations Requiring DPIA

On July 8, 2019 the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority, after the European Data Protection Board (EDPB) raised its objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.

As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA:Continue Reading Data Protection Update for Poland

The Article 29 Working Party has adopted Guidelines on Data Protection Impact Assessments (DPIAs), following its consultation on a draft version published in April 2017.  The final version provides additional guidance in a number of areas without materially changing the position.

Further guidance is provided on the trigger for mandatory DPIAs – whether the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” Additional emphasis is placed on the obligations of controllers in cases where a DPIA is not required, pointing out that they must implement measures to appropriately manage risks regardless and, further, that they must continuously assess the risks to identify when they may trigger the DPIA obligation.  The final Guidelines also discuss the sharing of information relating to DPIAs amongst joint controllers or where similar processing operations are carried out by various data controllers.
Continue Reading GDPR Data Protection Impact Assessments Guidelines Released