Data Protection

‘Computer says no’!

Over twenty years ago, the ‘Little Britain’ comedy sketch show highlighted the deep frustration felt by individuals when faced with the inexplicable decision making of a computer. A young child is denied an operation, a bank customer a premium account service, all with no other explanation given other than…’the computer says no’!

When an organisation discovers a personal data breach it is hard not to catastrophize. It is well known and understood that the GDPR has introduced a mandatory breach reporting requirement, and with mandatory reporting comes regulatory, and often, media scrutiny.

2018 has certainly been an eventful year in the history of Data Protection with the implementation of GDPR and many other key developments. In this Bootcamp led by Stewart Room, Tughan Thuraisingam, and Laia Bertran Manye from PwC's Data Protection Strategy, Legal and Compliance Team, we will provide a month by month recap on some of the significant developments over the last year and reflect on the implications for 2019.

The General Data Protection Regulation (GDPR) came into effect in all EU Member States on 25 May 2018, which means it is now only lawful for a data processor to process personal data on behalf of a data controller if the processing takes place under a written contract that contains certain mandatory contract terms.

In the first part of this blog we identified two of the key trends for businesses to consider in the post GDPR live environment – the operationalisation of the GDPR within your business, and the interaction of the GDPR with other areas of law. In this second blog post, we will explore two more key trends that your business should consider in the post GDPR live environment.

Join us for our next bootcamp: Latest update on Data Breaches - cases, guidance and class actions!

The House of Lords EU Home Affairs Sub-Committee has published their report today on the EU Data Protection reform package and the implications of Brexit.

As we embrace the GDPR ‘Live’ environment, businesses and their DPOs are now busy operationalising their privacy compliance programmes in this new business as usual (“BAU”) world of transparency, accountability and user rights.

The General Data Protection Regulation (‘GDPR’) was born with the aim to be technologically neutral (Recital 15 GDPR). The upside of this tech neutrality is that it will (hopefully) award a long lifetime to GDPR, regardless of technical innovation. The downside: it makes the accountability principle seem very broad and with practical challenges. But there is light in this space too: operationalising accountability is possible.

At PwC we believe that the future of Data Protection (‘DP’) lies in the delivery of many more DP outcomes in the actual technology and data layers of business than is currently the case. We call this ‘The Journey to Code’.

May 25 2018 has come and gone. The General Data Protection Regulation (“GDPR”) has irretrievably changed the way in which we approach and deal with personal data. At PwC, we have identified some key trends for business to consider in the post GDPR live environment.

The summer was a pleasant relief from the intensity of the run-up to the GDPR go-live date, 25th May. The holiday season coupled with legal “due process” gave us some breathing space, to take stock and reflect on what we’ve learned about data protection and the possibilities on the road ahead.

Organisations are increasingly looking to innovate by using technology which often involve novel and untested ways of using personal data. If done correctly, organisations can create a business advantage. If proper procedures are not followed (resulting in inadequate privacy protections), the consequences for an organisation can be disastrous. In order to bridge this gap, the Information Commissioner’s Office (“ICO”) has proposed a new ‘regulatory sandbox’ to work more collaboratively with organisations.

The Department of Digital, Culture, Media and Sport (DCMS) published a guidance note on 13 September 2018 on the potential implications for data protection in a ‘no deal’ Brexit scenario. There weren’t any great surprises in the guidance, which concludes that if the UK is not given “adequacy” status then post Brexit UK data importers will need to rely on established mechanisms to legitimise data transfers from the EU, such as EU standard contractual clauses.

In our fourth annual Privacy and Security Enforcement Tracker, we review the key regulatory enforcement cases in the UK and provide a synopsis of key privacy issues and trends for 34 other countries.

With the GDPR now in force, explore the findings from our Readiness Assessments, compiled over two years and across 15 different industry sectors, and consider how well prepared is your business?

The biggest overhaul of data protection in two decades - the General Data Protection Regulation or GDPR - comes into force across the EU in May. In this Beyond Brexit episode, our new host, Sally Cosgrove, is joined by Kevin Burrowes, head of clients and markets, and Stewart Room, lead partner for GDPR and data protection, to discuss the potential impact arising from Brexit.

The introduction of the EU General Data Protection Regulation (GDPR) from May 2018 will deliver a fundamental change in how personal data must be handled. Instead of being an afterthought, protections for personal data will now have to be designed into the very fabric of business operations and the technology behind them.

Data protection and privacy insights blog by Stewart Room, Partner, Joint Global Head of Data Protection and Global Legal Services Leader at PwC UK.

The Article 29 Working Party has recently published updated guidance on the Personal Data Breach notification rules in Articles 33 and 34 of the General Data Protection Regulation (GDPR). The original version was published on 3rd October 2017.

Are companies exposed to fines at 2% or 4% of their worldwide annual turnover, or are they exposed to fines based on the group worldwide annual turnover, assuming that they are part of a group?

In early August, the UK Government published its Statement of Intent in relation to a proposed Data Protection Bill. PwC’s initial analysis, which can be found here, notes that the proposed Bill largely reflects the General Data Protection Regulation (GDPR).

This morning the Minister of State for Digital, Matt Hancock, released a statement of intent for the UK’s new Data Protection Bill. The Bill has already been through a consulting phase and the Minister has set the Bill’s scheduled implementation date for May 2018, clearly aiming to coincide with the 25 May 2018 implementation date of the EU’s General Data Protection Regulation (GDPR).