European data protection landscape rocked by CJEU decisions
Earlier this month, the Court of Justice of the European Union (CJEU) delivered two judgments within a week of each other, both of which have profound consequences for any EU-based business that processes personal data. You can read our detailed analysis of the decisions in Schrems v Data Protection Commissioner and Weltimmo v Hungarian Data Protection Authority here.
Opinion published on C-SIG draft Code of Conduct for Cloud Computing
The Data Protection Code of Conduct for Cloud Service Providers (the Code) was produced by C-SIG, the EU working group of cloud industry representatives, and submitted to the EU's Article 29 Working Party (WP29) for an Opinion in January 2015.
Whilst WP29 recognised that the Code contained important data protection guidance for cloud providers operating in Europe and would help them demonstrate compliance with the relevant rules, it felt that further work was needed, particularly in respect of clarifying where responsibilities lie between data controllers and cloud providers in the event of a data protection violation. WP29 also found the Code lacking in detail with regard to data portability, transparency on the location of data processing, and the requisite security measures to be implemented by cloud providers.
C-SIG is expected to amend the Code in line with WP29's Opinion and to publish a final version by the end of October 2015. Both the Opinion and the draft Code can be accessed here.
ICO advises organisations to begin preparing for the GDPR
In a recent ICO blog post, Deputy Information Commissioner, David Smith, suggested that businesses start planning now in order to mitigate the impact of the General Data Protection Regulation (GDPR), which is likely to come into force from mid-to-late 2018. He encouraged organisations to consider the following five areas in particular:
Consent and control: businesses should prepare for the heightened consent requirements of the GDPR by assessing how far, and where, they rely on customer consent, how that consent is documented, and how far customers are able to control their personal information.
Accountability: record-keeping will be a key part of compliance with the GDPR, and organisations should ensure that procedures are well documented and data-handling processes are transparent.
Staffing: not every organisation will be required to have a data protection officer, but all businesses should make sure they have enough data protection...