Tag Archives: GDPR

Dissecting 2018’s Mid-Year Data Breach Statistics

After the first six months of 2018, 4.5 billion data records have already been compromised according to a recent report. Data breaches have affected businesses large and small, from Adidas (two million records compromised) to Facebook (up to two billion accounts affected) to municipal airports and accounting firms, and 2018 has already seen more than its fair share of massive global data breaches.

The Gemalto Report

Digital security specialist Gemalto revealed in a new report that 945 data breaches led to a staggering 4.5 billion data records being compromised worldwide in the first half of 2018.

Although the total number of breaches was down from the same period the year before, the number of records compromised was up over 130 percent as the severity of individual incidents increased.

FTC to Enforce Voluntary GDPR Compliance Statements

U.S. based companies that have updated their privacy policies to reflect increased consumer privacy protections intending to match the European Union’s GDPR protections may have unknowingly opened themselves up to added scrutiny from the Federal Trade Commission, according to FTC spokesperson Juliana Gruenwald Henderson.

Several organizations that collect consumer data on a large scale, including Facebook and Microsoft, have taken it upon themselves to increase personal data use transparency for their consumers through clearer privacy policies. This increase in transparency is designed, in part, to increase trust among their users, as well as potentially staying one step ahead of future U.S. regulation. That domestic regulation, however, might be coming sooner than anticipated.

The FTC’s Statement

Gruenwald Henderson explained, “If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices they must live up to those commitments.” She added that this enforcement, although broad in nature, would only be applied in specific and appropriate situations and that “the FTC could initiate an enforcement action if the company does not comply with the EU data protection promises for U.S. customers.”

The FTC’s statement shows that the government takes companies’ privacy promises to their consumers seriously. “If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” said David Vladeck, former director of the FTC’s Bureau of Competition.

The Ordinance: Chicago’s Proposal to Protect Personal Data

With the passage of the General Data Protection Regulation (GDPR), many government entities here in the US have joined the bandwagon in strengthening data protection laws concerning personal information. The city of Chicago is the latest municipality to actively take on the threat of data breaches.

Chicago’s Personal Data Collection and Protection Ordinance (“the Ordinance”) was recently introduced to its city council and is designed to equip consumers with control over their information, informed consent to its disclosure, awareness of its use, and redress for its misuse.

Data Collection & Disclosure

The purpose of the Ordinance is to regulate operators that collect sensitive customer personal information through the Internet about individual consumers in the City of Chicago.

Some of the major provisions of the Ordinance would require operators to:

  1. Obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information;
  2. Notify affected Chicago residents and the City of Chicago in the event of a data breach;
  3. Register with the City of Chicago if they qualify as “data brokers;”
  4. Provide specific notification to mobile device users for location services; and
  5. Obtain prior express consent to use geolocation data from mobile applications.


United Kingdom Expects to Adopt GDPR

Brexit brought about a lot of uncertainty, especially in the legal arena with regard to privacy laws. Recently, some of that uncertainty cleared up.

On September 14, 2017, a new bill was introduced in the UK that would adopt the EU’s General Data Protection Regulation (GDPR) and replace the Data Protection Act 1998, the UK’s current data protection law. This move answers lingering questions on the status of UK data protection post-Brexit.

While UK companies that operate in Europe or process European citizens’ data would have been subject to GDPR either way, this decision will impose GDPR requirements on smaller UK companies that only handle UK citizens’ data.

Under GDPR, organizations that process the personal data of EU citizens must, for example:

  • Get opt-in from customers before collecting and using customer personal data;
  • Notify the Information Commissioner’s Office (the UK’s independent authority designed to uphold information rights in the public interest) within 72 hours of a data breach; and
  • Face severe non-compliance penalties.

For individuals, the new bill provides more control over one’s personal information, including the ability to access, transfer, and delete personal data while it is in the hands of the organizations that process it.

The proposed UK law does include some exemptions aimed at protecting journalists, scientific and historical researchers, and anti-doping agencies that handle personal information.

GDPR will be effective May 25, 2018, and the UK bill is intended to take effect prior to that date.

ePlace’s next webinar will focus on how to implement and comply with GDPR requirements. To learn how this might affect your organization in the UK, register for the webinar on October 18, 2017.

UK Government Confirms GDPR Implementation

As Brexit uncertainty continues to surround the UK, plans are being pushed forward to incorporate the EU’s General Data Protection Regulation (GDPR) into UK national law.

During the Queen’s recent speech to Parliament, the UK government reiterated their intentions to implement the GDPR as scheduled. The plan layout is detailed here.

The Queen added in her remarks, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

The UK’s proposed Data Protection Bill will aim to continue the free flow of data between the UK and other EU member states post-Brexit. It will also replace the Data Protection Act of 1998.

Working Party Releases Final GDPR Guidance Materials

The Article 29 Working Party adopted the final versions of several guidance documents related to GDPR compliance. The first versions were initially released last December for comment.

The guidance documents provide organizations covered under GDPR with guidelines on the following topics:

  • Data Protection Officers
  • Data Portability
  • Lead Supervisory Authorities

In conjunction with these documents, the Working Party also released their draft guidelines on Data Protection Impact Assessments. The guidance aims to help organizations determine when a data protection impact assessment is required under GDPR. Focus areas include:

  • Scope of a DPIA
  • Processing operations subject to a DPIA
  • Steps to conduct a DPIA
  • Consultation requirements with Supervisory Authorities
  • Further recommendations

UK Government on GDPR Implementation

In the privacy community, everyone is keeping a close watch on how Brexit – Britain’s departure process from the EU – is going to affect data protection legislation going forward.

The UK Government Minister responsible for data protection – Matt Hancock – recently provided insight into the UK’s implementation plan for the EU’s GDPR in the midst of the looming Brexit process.

Here are the key takeaways:

GDPR Support

Hancock confirmed the UK Government’s continued support for GDPR. He reaffirmed the GDPR will come into effect in the UK on May 25, 2018. He also noted the UK would seek to implement the GDPR in full, providing the UK with the greatest chance to secure a free flow of data with the EU.

UK Data Protection Law

Hancock admitted some provisions of the existing UK Data Protection Act will need to be addressed before GDPR comes into effect. The UK Government wants to ensure there is no duplication or contradictions between the two laws.

Data Transfers

Hancock also addressed the issue of data transfers outside the EU. Specifically, he expects to see development of a data transfer framework between the UK and U.S. to ensure uninterrupted flow of data between the two countries.

Hancock frequently used the phrase “to ensure unhindered data flows after Brexit.” It appears the goal is a seamless transition into GDPR so that normal business operations and economic activity are not disrupted.

Article 29 Working Party Sets 2017 Goals

The Article 29 Working Party released their 2017 plans for continuing the implementation of the EU General Data Protection Regulation (GDPR). The Working Party’s 2017 Action Plan has two main areas of focus:

Finalizing 2016 Topics

In its 2017 Action Plan, the Working Party has committed to finalize its work on topics undertaken in 2016, including guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments, and on administrative fines; the setting up of the European Data Protection Board (EDPB) structure in terms of administration (e.g. IT, human resources, service level agreements and budget); and the preparation of the one-stop-shop and the EDPB consistency mechanism.

New 2017 Priorities

In the 2017 Action Plan, the Working Party has committed to produce guidelines on the topics of consent, profiling and transparency in the second half of 2017. At the same time, the Working Party will work on updating its existing opinions and referentials on data transfers to third countries and on data breach notifications.

Guidance on Selecting a Data Protection Officer


With the application of the European General Data Protection Regulation (GDPR) now 18 months away, does your organization have a Data Protection Officer (DPO) in place? Many organizations struggle with appointing the right person to handle all the required roles of a Data Protection Officer.

The Centre for Information Policy Leadership at Hunton & Williams LLP published a white paper to help companies comply with the DPO provisions by the May 25, 2018 effective date. The white paper, Ensuring the Effectiveness and Strategic Role of the Data Protection Officer, provides companies with guidance on navigating the GDPR provisions regarding the DPO’s role.

The white paper will be useful for organizations of different sizes and industries. It promotes a flexible approach to implementing the GDPR’s DPO obligations. Included are best practices for complying with the GDPR and maximizing the potential of the DPO’s functions and duties.

Specific issues discussed include: Mandatory vs. non-mandatory DPOs; Sanctions for DPO violations; DPO expertise, skills, and certifications; Strategic and business roles of the DPO; and much more.

How do the New EU Data Protection Rules Impact US Businesses?

Recently, the new General Data Protection Regulation (GDPR) was agreed upon by the European Parliament and Council, and will replace the Data Protection Directive set up in Europe back in 1995. The GDPR is intended to create a greater degree of data protection harmonization across EU members.

One key provision of the GDPR is that the scope of the regulation has been expanded to include all businesses that control or process the personal data of individuals in the EU, regardless of where the company is based. This has a real impact on US-based businesses operating in the EU, especially given the increase in fines for non-compliance, which can be as high as 4% of the company’s total revenue.

Vendor management is also addressed in the new regulation, as vendors handling personal data face strict limitations on transferring that data without the approval of the data controller.

Training also made an appearance in the GDPR, with requirements to provide appropriate data protection training to employees who regularly access personal data.

Another key provision to make note of is the new data breach notification requirements. The GDPR now requires data controllers to notify their supervisory authority within 72 hours of discovering a breach. On top of that, they must also notify the data subjects when the breach is likely to cause a high risk to the individuals’ rights and freedoms.

How to Prepare for GDPR

Businesses that collect personal information and operate within the European Union should take steps to prepare for the implementation of the GDPR.

  1. Make sure that as a part of your privacy program, personal information is only collected and kept to the extent necessary.
  2. Appoint a data protection officer, or chief privacy officer, to manage the company’s privacy practices and make sure they align with the European regulations.
  3. Train employees on the data protection basics. Make sure they are appropriately trained to keep the personal data they work with safe and protected.
  4. Review contracts with third parties that act as data processors for the personal information your company controls. Ensure that appropriate safeguards and incident reporting procedures are in place.
  5. Make sure incident response policies and procedures are in place to respond effectively in the event of a breach.