Welcome to the first in a monthly series of data protection news and update blogs from the Evalian team, covering some of the news items you may have missed, together with links to third-party sites that provide more information.
Data Protection News & Updates
ICO issues guidance for GPs on responding to Subject Access Requests
Back in December the British Medical Association (BMA) reported findings which suggested that Subject Access Requests (SARs) to GPs had increased by more than a third since GDPR came into force (when the right to charge for a SAR was removed, save for specific circumstances, and the time for responding was reduced).
Interestingly, the report found that 77% of the requests made to GPs during the survey period were made by companies, including solicitors and insurers, acting on patients’ behalf, while just 22% came from patients themselves.
The ICO has responded by providing guidance for GPs in a blog, which addresses steps to take when SARs are made by legal representatives or insurers.
The ICO blog is available here.
EDPB issues overview on the implementation of the GDPR
The European Data Protection Board or EDPB (the organisation made up of all EU supervisory authorities and successor to the Article 29 Working Party) has issued its first overview findings on implementation and enforcement of the General Data Protection Regulation (GDPR). The findings address the cooperation mechanism between the EU28 regulators and consistency in their approach. In overview, the EDPB believes the cooperation and consistency mechanisms are working well.
You can access the full document here.
EDPB Eighth Plenary session addresses the ePrivacy Regulation
Staying with the EDPB for a moment, the group held their Eighth Plenary session earlier this month. The progress of the proposed ePrivacy Regulation was on the agenda, along with the interplay between the GDPR and ePrivacy Regulation.
The EDPB adopted a statement calling on EU legislators to pull their fingers out (our words, not theirs) and agree and adopt the Regulation to complete the framework (the first part being GDPR) for data protection and confidentiality of electronic communications in the Union.
They also adopted an opinion on the interplay between both regulations which stated that data protection supervisory authorities were not limited in dealing with any matter that falls within the material scope of the GDPR and the ePrivacy Regulation.
You can view the EDPB’s full press release from the Eighth Plenary here.
ICO updates guidance on the meaning of personal data
Back in January, the ICO updated its guidance on the meaning of ‘personal data’ under the GDPR and DPA 18. Although the changes aren’t major, there are some clarifications in the guidance and it’s certainly worth a view.
The updated guidance is available here.
Data Protection Resources
Recent third-party resources we liked include:
Handy guide to data breach class actions, by Herbert Smith Freehills
The guide includes an overview of class actions in the data protection space.
You can access the guide here.
Top 10 Tips for responding to Employee Subject Access Requests, Taylor Vinters
A handy summary of key considerations. Also don’t forget that a SAR is valid even if for a ‘collateral purpose’ following Dawson-Damer.
What GDPR means for LinkedIn contact ownership, by Marks & Clark
Who owns LinkedIn contacts – employer or employee? As you might expect, things aren’t necessarily clear and GDPR introduces other issues to consider.
An interesting read, available at this link.
Need help or want to chat?
If you need help with GDPR, data protection or privacy programme management, then we’d love to hear from you and we promise no hard sell. You can contact us here.