
The explicit reference to ‘pseudonymisation’ in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) has raised several questions about the impact and effect of pseudonymisation as well as about the nature of pseudonymised data. It also raises questions about the suitability of techniques currently...

The Irish Data Protection Commissioner (DPC) has released new guidance on Subject Access Requests (SARs) for individuals and controllers. Unsurprisingly, the majority of queries and complaints the DPC receives concern individuals exercising their “right of access” under Article 15 of Regulation (EU) 2016/679 (General Data...

Special categories of personal data, colloquially called ‘sensitive data’, were already recognised under the Data Protection Directive 95/46/EC as a category of personal data requiring further protection. Regulation (EU) 2016/679 (GDPR) has added genetic and biometric data to the list of sensitive data and enhanced...

“Culture eats strategy for breakfast,” is a famous quotation attributed to the business management guru Peter Drucker. For Drucker, organisational culture plays a central role in how organisations work. When it comes to data protection, a culture must be created where protecting the personal data...

Ensuring the security of personal data is a key requirement of the General Data Protection Regulation, found under Article 32 (Security of Processing). This obligates organisations to ensure that appropriate technical and organisational measures are in place to protect personal data. Often, the first point...

Understanding and monitoring the data assets your organisation holds is crucial since knowing whether data is personal or not determines the application of EU Data Protection Law. Whereas the processing of personal data may be vital for providing your services and products, processing personal data...

ISO27701 is set to be the international standard for Privacy Information Management Systems (PIMS). It allows organisations that have already achieved ISO 27001 to align their privacy and Information Security Management Systems (ISMS) and demonstrate an appropriate control environment. In the same way that ISO 27001...

Data protection legislation now regulates every aspect of processing personal data, and your web presence is your shop window for your customers and a visible testament to how you treat their personal data. It is often your primary channel for informing people how the business...

There has been an ongoing discussion regarding the reporting of breaches to National Authorities since Regulation (EU) 2016/679 (GDPR) went live just over a year ago. The law firm Pinsent Masons, in their recent review of reporting of personal data breaches (PDBs) in the UK, noted...

The new world economy relies on data-driven technologies and systems. Data is knowledge and innovation, ensuring scientific progress. There is a strong debate on whether the new General Data Protection Regulation (GDPR) constitutes an enabler or hindrance for scientific research. Although the focus has been...

Privacy frameworks are a maturing area, much like Security Frameworks have been in the past decades. Publications such as the ISO/IEC 27001 series of information security standards together provide a framework for risk management through information security best practices and related controls. As new standards...

Many organisations use GPS tracking in the vehicles they operate, claiming necessity for protection against theft, general fleet management, monitoring deliveries, etc. One of the first rulings under GDPR and Germany’s updated Data Protection Act (BDSG-new) has provided clearer guidance on what is appropriate...

Marketing is an area which can be considered to have experienced one of the most immediate changes in practice in light of the GDPR. With a heavier reliance on consent and an onus to ensure such consent is managed properly, the implications for making errors...

Since the GDPR took effect, a large number of personal data breaches have been reported across Europe, with major data breaches reported in the UK and Ireland. British Airways, Marriott International, Equifax, WhatsApp and Facebook are only a few examples of the investigatory action...

The Data Protection Commission (DPC) in Ireland has published guidance for organisations to follow in order to ensure their cloud-based environments are secure. The DPC recommends all organisations using any type of cloud-based environment: review their default security settings, create clear policies and properly train...

Data Protection Authorities including the ICO and the Irish Data Protection Commission have recently released updated cookie guidance and CNIL, the French Data Protection Authority, have released updated guidelines, repealing their 2013 guidelines which suggested that a valid form of consent to cookies included the...

On May 25th, 2019, the General Data Protection Regulation (GDPR) turned one. The GDPR is still very much a work in progress. In this piece, data from the European Data Protection Board (EDPB) and various Data Protection Authorities (DPAs) are used to reflect on the...

In Ireland, the role of the family in the Irish Constitution has always had a special place. In Article 41 (1.1) the Constitution sets out that: “The State recognises the Family as the natural primary and fundamental unit group of Society, and as a moral institution...

Under Article 5(c) of the GDPR, any personal data processed by a Controller must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data was gathered. This is the principle of data minimisation. A recent ruling from the...

Regulation (EU) 2016/679 (GDPR) has been welcomed with much excitement by privacy-concerned individuals - but it has also led to confusion in many contexts, including schools. The ambiguity around the lawfulness of the practice of taking photographs at school events has led the Irish Data...

In a historic move, the Danish Data Protection Authority, Datatilsynet, has recommended its first fine under the GDPR regime for taxi company Taxa4x35 for its failure to adhere to principles of data minimisation and a failure to properly anonymise personal data. Organisations who wish to avoid...

In October 2018, Trilateral's newsletter included an article on the use of Biometric Data in the Workplace. In that article, we noted that the French Data Protection Authority (CNIL) was expected to release a standard regulation to set out how such special category data could...

Following a request from Belgium’s Data Protection Authority, the European Data Protection Board (EDPB) has issued a formal opinion on the interplay between the upcoming ePrivacy Directive (The Directive) and the General Data Protection Regulation (EU) 2016/679 (GDPR). The opinion itself sits at a fairly...

‘Risk Assessment Report and Methodology’

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.