Since 25 May 2018, controllers experiencing a personal data breach must – as a general rule – notify it to the appropriate supervisory authority. Not all breaches will require notifications: those that do not pose a risk to the rights and freedoms of natural persons will generally fall under the radar. However, if such a risk exists, the data controller will be required to notify a given breach to the relevant supervisory authority as well as to the natural persons concerned – if the likelihood of risk is high. Continue Reading Personal Data Breach Notification Obligations Arise from Various Sources, not Only the GDPR

In May this year, the General Data Protection Regulation (GDPR) brought with it a new Data Subject Access Requests (DSAR) regime. We expect that the ICO will update its Code of Practice shortly. Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR. Continue Reading GDPR’s Impact on Employee Data Subject Access Requests in the UK

The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the “CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as related to obtaining consent from competition participants.

For further information on the forthcoming update to the CAP Code and its expected impact on advertising, please read the post prepared by my colleagues Carlton Daniel, Ailin O’Flaherty and me, which has been published on the Squire Patton Boggs Global IP & Technology Law Blog.

The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as three of the four EFTA States, namely Iceland, Liechtenstein and Norway (the fourth one being Switzerland). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland. Continue Reading GDPR is Now EEA Wide!

Regulators across Europe have recorded a sharp increase in the number of data-related complaints and data breach notifications since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has radically reshaped how businesses can collect, use and store personal information. As a result of the new and expanded rights for people to know how their data is being used, and to decide whether it is shared or deleted, regulators are being overwhelmed with complaints and businesses are increasingly finding themselves subject to data breaches. Continue Reading Post GDPR Rise in Data-Related Complaints and Data Breach Notifications

The final countdown has started: there are a few days left before the GDPR takes effect on Friday 25 May 2018. What are you doing about compliance?


If you need assistance, in the EU or outside the EU, with your GDPR compliance program, do not hesitate to contact a member of our global Data Protection and Cybersecurity team.



Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this concerns mainly safety issues, such as the physical safety of passengers and pedestrians, which are still more or less a matter of theory; other issues, such as data protection and cybersecurity, are already relevant. Continue Reading Time is Running Out… is Your Car GDPR Compliant?

“Are we prepared for the GDPR?” Not nearly as many companies as should be are asking themselves this question. As such, we have prepared this short post for those that are barely or not at all prepared for General Data Protection Regulation (GDPR) compliance – as 25 May 2018, the day GDPR will enter into force, is just around the corner. This article is not meant to be complete, however, and the action steps outlined below are not necessarily sufficient for GDPR compliance, but they may provide some direction and ideas for a last-minute quick fix to “look good” on 25 May 2018. Continue Reading Last-Minute Quick Fixes for GDPR Compliance – Recommended Action Steps

The obligation on controllers to pay a fee will remain in place following the implementation of the General Data Protection Regulation, the GDPR, on 25 May 2018. The fees act as the main source of funding for the UK’s data protection supervisory authority, the Information Commissioner’s Office (the ‘ICO’). The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed a new funding structure based on the relative risk to the data processed by organisations. Continue Reading The Data Protection Fee – ICO fees under the GDPR

What is CCTV?

CCTV means closed-circuit television, also known as video surveillance. Video surveillance systems monitor the behavior, activities, or other changing information, usually of people, from a distance by means of electronic equipment.

Video surveillance can include anything from closed circuit television or automatic number-plate recognition systems, to any other system for recording, storing, receiving or viewing visual images for surveillance purposes.

In 2016, it was estimated that there were approximately 350 million video surveillance cameras installed worldwide. Continue Reading The GDPR’s Impact on CCTV and Workplace Surveillance