data protection

Could businesses be sued for data leaks?

When hackers exploited vulnerability due to software not being updated at a US credit agency, important data of millions of customers in the US, Canada, and the UK were leaked. The US federal authorities have launched an investigation that could lead to millions in fines. Bosses at the firm were questioned in a congressional hearing and the agency is facing the largest class action in US history. This sounds like the plot of a financial thriller, but the Equifax case did in fact happen and is a lesson for the future.

Private enforcement under the GDPR

While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.

Public procurement in the GDPR era

Contracting authorities have to bear in mind that protected personal data are processed in their procedures. Procedure documentation has to comply with new laws now that the GDPR is in effect.

Employers must maintain a record of processing activities

Today (24 May 2018) is the last day for adjusting business operations to comply with the new requirements of the General Data Protection Regulation. The Article 29 Data Protection Working Party takes the view that under the GDPR, practically all employers must maintain a record of processing activities with respect to their employees’ data.

A clean criminal record is no longer sensitive information

The EU’s General Data Protection Regulation enters into force tomorrow (25 May 2018). The GDPR changes the legal classification of data contained in certificates of a clean criminal record. Unlike other changes in the GDPR, this change represents a step toward liberalisation. How will data of this type be treated?

Medical data—keep or delete?

From 25 May 2018 Polish healthcare institutions will face conflicting rules on how to handle medical documentation under the EU’s General Data Protection Regulation and Polish healthcare laws. The inconsistencies could be eliminated by the new Personal Data Protection Act, but it appears unlikely that work on the new act will end on time. So what should institutions do to limit their regulatory risk?