Home

Impact assessments are essentially risk management tools, whether they are concerned with the environment, society, business, or personal data. In case of personal data, Article 35 of the GDPR requires controllers to conduct a data protection impact assessment (“DPIA”) prior to undertaking processing activities that are likely to pose high risk to the rights and freedoms of natural persons. This is essentially a holistic risk assessment taking into account the nature, scope, context and purposes of the processing. 

No matter what sector your business is in, how large or small an organisation you are, or whether your products and services are B2C or B2B, today, with increasing consumption occurring online, it is imperative that your online marketing strategy is relevant, up-to-date and effective. 

Do you sometimes feel that internet works like magic; do certain incidents seem inexplicable to you, such as getting flooded with advertisements about products you may have idly surfed days ago? Whether you are a technical genius or technologically challenged, if you spend any of your time online, you have probably seen pop-up screens while surfing online, that require you to agree to the use of something called “Cookies”. Do you carelessly agree to the use of cookies, or do you take time to read the Cookie policy?

The concept of ‘consent’ should be a fairly self-explanatory one. It is not a unique idea; in fact, consent simply signifies the “meeting of minds” and has forever been one of the core principles of contract law. However, recent times have witnessed unsettling discussions surrounding ‘consent’ spanning across divergent areas of the socio-legal spectrum. In this blog post our focus is however limited to ‘consent’ in the paradigm of EU data protection law. 

The GDPR has been in force for five months. While most publications focus on the (hefty) sanction regime, the GDPR is mainly about accountability. It provides data subjects with rights to take control over their own personal data and obliges organisations to facilitate these rights. It also requires organisations to have much more insight into their own data processing activities. This is primarily reflected in three documentation obligations: for processing activities, for data protection impact assessments and for data breaches.