Global Data Privacy and Cyber Security a Proactive Alliance


New laws are taking effect across the globe to regulate the collection, use, retention, disclosure and disposal of personal information. At the same time, the number of cyber attacks, data breaches and incidents of unauthorised use of personal data continues to climb.

In the current environment, it is more important than ever, particularly for those organisations handling financial data, health information and other personally identifiable information, to understand the rights and obligations of individuals and organisations with respect to personal information.

Our latest article provides an overview of some of the new data privacy laws, rules and regulations that are, or soon will be, in effect, outlines cyber security and data protection best practices and compliance programmes to help organisations comply with the evolving new data privacy requirements, and touches on the role of new technologies in mitigating risks and supporting compliance.

The rapidly evolving data privacy regulatory space

The European Union's enforcement of the General Data Protection Regulation (GDPR) commenced on 25 May 2018 and brought sweeping changes to the privacy and data security policies of the vast majority of companies operating not only in the EU but across the globe.

The provisions of the GDPR that all companies should take note of include: where consent is relied on as the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give; breach notification; the data subject's right of access to all data a company holds about them; and the right to be forgotten, through erasure of the data and cessation of its dissemination. Penalties for breaching the GDPR are steep: up to 4 percent of annual global turnover or €20m, whichever is greater.

The regulatory environment in the US comprises a somewhat convoluted, patchwork system of federal and state laws governing privacy and data security concerns that is continuing to evolve to try to address the rash of data breaches and unauthorised use of personal data that are occurring with ever-increasing frequency.

All 50 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information. Companies can face both civil and criminal penalties for a breach of sensitive information, and some state and federal laws give individual citizens the right to file class action lawsuits for privacy violations. Massive class actions, such as the litigation over the 2013 Target data breach and the currently pending litigation over the 2017 Equifax breach, highlight the significant risks companies face in the wake of a cyber attack, or as a consequence of either not having best practices and compliance programmes in place or simply not following them.

Importance of cyber security and data protection best practices

The stakes have never been greater than they are right now with respect to the collection, use, retention, disclosure and disposal of personal information. With the present regulatory framework and knowledge of where it is heading, companies can expect to continue to face rising costs and escalating risks associated with their privacy and data security practices.

A number of resources are available that provide guidance on privacy and data security practices and help ensure that the practices and programmes implemented comply with relevant laws and regulations. The EU and some US federal agencies, including the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), have been publishing updated guidelines and recommendations for privacy and data security best practices in a variety of industries, including the newer Internet of Things and peer platform (sharing economy) marketplaces. Additionally, several industry groups have adopted self-regulatory programmes and rules, including certification programmes, by which a company can voluntarily abide.

In view of these guidelines and others, companies are encouraged to establish internal policies and procedures to ensure compliance. Business policies may include a top-level information security and privacy policy, which expresses a commitment to data security and privacy from the company's senior officers, a risk management programme, an acceptable use policy, access compartmentalisation, communications monitoring, breach reporting, a document retention policy and outsourcing policies. Technical policies may include commitments to specific technical controls that protect data, including encryption, password and authentication standards, disaster recovery, intrusion detection, physical security, patching and the like.

For companies with a public-facing website, a website privacy policy is a must. A written incident response plan is also critical: it sets out the protocols for activating the response team, assessing the breach, containing it, and involving other parties such as law enforcement and the regulators that must be notified under data breach laws. Further, a company must continue to audit its policies and procedures, and maintain any certifications, to ensure they are enforced and remain current. A variety of enterprise privacy management and compliance software can be used internally to help companies audit their systems.

Privacy and data security must form part of the conversation when adopting new technology

While implementing new policies and best practices may be easier said than done, companies also face the challenge of evaluating and deploying new technologies that may simultaneously hinder and help compliance with the new privacy and data security regulations. For example, blockchain technology offers significant advantages from a data security perspective for a wide variety of applications, since it records transactions in a decentralised and immutable fashion. However, those same properties raise complex questions under the new privacy regulations. In connection with the 'right to be forgotten' under the GDPR, for instance, how is a data subject's personal information to be erased from an immutable, fully distributed blockchain? A variety of techniques have been proposed to give greater control over information held on a blockchain, including anonymous transactions and voting systems, secret contracts and blind auctions, but they will have to be evaluated against the evolving regulatory framework.
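One pattern used in practice to reconcile an append-only ledger with erasure requests is to keep personal data off-chain, encrypted under a per-subject key, and to record on the ledger only a hash commitment to the ciphertext; erasure then means destroying the key and the off-chain copy (often called crypto-shredding). The Python below is an added illustration written for this page, not code from the article or from any blockchain project. The list standing in for the ledger, the in-memory off-chain store and the HMAC-SHA256 counter-mode keystream used in place of a real AEAD cipher such as AES-GCM are all simplifications assumed for the example. Whether regulators will accept key destruction as erasure is not settled, which is exactly the evaluation against the regulatory framework that the paragraph above calls for.

```python
"""Crypto-shredding sketch: personal data stays off-chain, the ledger holds only a
commitment, and erasure destroys the key.  Added example, not from the article.
Stdlib only; the keystream construction is a placeholder for a real AEAD cipher."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (the same call encrypts
    and decrypts).  Placeholder for AES-GCM: it gives confidentiality but no
    authentication tag, so use a vetted library in production."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Ledger:
    """Append-only list standing in for the blockchain: entries are never removed."""

    def __init__(self) -> None:
        self.entries: List[str] = []

    def append(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1


class PersonalDataStore:
    """Off-chain store keyed by ledger index, plus one encryption key per data subject."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.keys: Dict[str, bytes] = {}                 # subject_id -> key
        self.blobs: Dict[int, Tuple[bytes, bytes]] = {}  # ledger index -> (nonce, ciphertext)
        self.index: Dict[str, List[int]] = {}            # subject_id -> ledger indices

    def record(self, subject_id: str, payload: dict) -> int:
        """Encrypt the payload, store it off-chain and anchor a hash of it on the ledger."""
        key = self.keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(key, nonce, json.dumps(payload, sort_keys=True).encode())
        commitment = hashlib.sha256(nonce + ciphertext).hexdigest()
        idx = self.ledger.append(commitment)
        self.blobs[idx] = (nonce, ciphertext)
        self.index.setdefault(subject_id, []).append(idx)
        return idx

    def verify(self, idx: int) -> bool:
        """Check that the off-chain blob still matches the on-chain commitment."""
        blob = self.blobs.get(idx)
        if blob is None:
            return False
        nonce, ciphertext = blob
        return hashlib.sha256(nonce + ciphertext).hexdigest() == self.ledger.entries[idx]

    def read(self, subject_id: str, idx: int) -> Optional[dict]:
        """Decrypt a record; None once the subject's key or blob has been shredded."""
        key = self.keys.get(subject_id)
        if key is None or not self.verify(idx):
            return None
        nonce, ciphertext = self.blobs[idx]
        return json.loads(_keystream_xor(key, nonce, ciphertext))

    def erase(self, subject_id: str) -> int:
        """Right-to-erasure handler: destroy the key and every off-chain blob for the
        subject.  The ledger is untouched; its commitments are now opaque hashes that
        can no longer be linked to anyone.  Returns the number of records shredded."""
        self.keys.pop(subject_id, None)
        indices = self.index.pop(subject_id, [])
        for idx in indices:
            self.blobs.pop(idx, None)
        return len(indices)


if __name__ == "__main__":
    ledger = Ledger()
    store = PersonalDataStore(ledger)
    i = store.record("subject-42", {"email": "jane@example.com"})  # constructed sample
    print(store.read("subject-42", i))      # decrypts while the key exists
    print(store.erase("subject-42"))        # 1 record shredded
    print(store.read("subject-42", i))      # None: nothing left to decrypt
    print(len(ledger.entries))              # still 1: the ledger never shrinks
```

The design choice worth noting is that the ledger never learns anything but a hash of random-looking ciphertext, so the erasure obligation attaches to data the organisation actually controls (the key and the off-chain blob) rather than to the distributed ledger it cannot rewrite.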

Artificial intelligence (AI), and specifically machine learning (ML) techniques, are now widely employed to enable computers to learn from and adapt to new input. Such technology can be used in cyber security systems to automate the identification of new threats and the application of technical controls and protections. On the flip side, attackers have also started to weaponise AI, creating programs that can study systems, evaluate vulnerabilities, or even craft persuasive phishing messages based on behaviour observed on social networks. AI applications may also raise privacy issues, especially given the large volume of data required to build a model and the often 'black box' lack of transparency in the logic an AI agent uses to arrive at a decision about a person.

New outward-facing tools and platforms have also been developed to allow users to control how their data is used. For example, Facebook recently released a set of privacy tools, including a unified privacy dashboard, and has announced a new 'clear history' tool. Such tools cannot be overlooked, as they may be essential for meeting obligations under the new privacy regulations such as data portability, the right to be forgotten and withdrawal of consent to the collection of personal data.

Conclusion

Recognising the new and evolving international privacy and security regulations is a requirement, especially in view of the increasing liability and risk from statutory penalties and class action lawsuits. Implementing a compliance programme with a set of best practices for privacy and data security will certainly help mitigate these risks, but it is a continuing process, especially as companies face new hurdles when rolling out new systems and technologies.

This is particularly true where newer technologies such as blockchain and AI are incorporated into systems in a way that simultaneously makes important contributions to security and privacy and exposes new vulnerabilities and concerns. Companies may therefore be well served by a privacy by design approach that builds privacy and data security compliance in from the start in order to mitigate risk down the road.

Importance of Third Party Due Diligence in GDPR Compliance

Organisations are realising that failure to protect customer data creates long-term business problems. One of the biggest is the fear of being unable to manage the fallout of a data breach involving a third-party processor.

Consumer reaction to data breaches

In a recent survey of 7,500 consumers in France, Germany, Italy, the UK and the US, 69 percent said they have boycotted, or would boycott, an organisation that 'showed a lack of integrity for protecting customer data'. The concerns are real.

Furthermore, 62 percent of consumers said they would blame the company (the controller), not a third-party processor, if their personal data were lost.

Responsibility

Placing your data in the cloud does not mean you wash your hands of responsibility for it. With the introduction of the GDPR, third-party risk has become even more pronounced: if your data processor suffers a breach, you, the data controller, will almost certainly be held accountable (processors now also carry direct obligations of their own under the GDPR). If you are going to work with third parties and have done your due diligence, the regulators will look on that very differently.

Lion Air Group, a low-cost airline group, recently had some 30 million records posted online, including passport details, names, addresses and contact details. The cause appears to have been an AWS S3 bucket that was not secured and was left publicly accessible.

With the Asia region still playing catch-up on privacy laws, the fines that could be imposed and the obligations to report the breach to a regulator and, more importantly, to the data subjects are sketchy to say the least. It is not yet certain whether Lion Air Group or any of the third parties involved were subject to the GDPR. If they were, the fine and the damage to the brand could make a large dent and threaten its operations.
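The open S3 bucket is a failure mode worth checking for mechanically rather than discovering in the press. As an added example written for this page (not the article's code, and nothing to do with Lion Air's or AWS's own tooling), the Python below parses an S3 bucket policy document and the bucket's Public Access Block configuration, the two pieces of configuration that decide whether anonymous internet users can read the data; it flags the weak policy and accepts the corrected one. The bucket name, account id and role ARN in the constructed sample policies are made up, and object ACLs (a third route to public exposure) are out of scope.

```python
"""Offline audit of an S3 bucket policy for anonymous read access.  Added example,
not the article's code.  Inputs are the JSON policy document and the
PublicAccessBlockConfiguration object as returned by `aws s3api get-bucket-policy`
and `aws s3api get-public-access-block`; the samples below are constructed."""
import json
from typing import Any, Dict, List

# Actions that let the grantee read objects or enumerate keys.  Compared as exact
# lower-case strings; a production checker would also expand IAM wildcards.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy grammar allows a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (with or without a list around it)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or position) of every unconditional Allow statement that
    grants a read action to anonymous principals."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            # A conditional grant (e.g. limited to a VPC endpoint) is not
            # unconditionally public; it still deserves a manual look.
            continue
        findings.append(stmt.get("Sid", f"Statement[{n}]"))
    return findings


def bucket_is_public(policy: Dict[str, Any], public_access_block: Dict[str, bool]) -> bool:
    """RestrictPublicBuckets makes an existing public policy inert for anonymous and
    cross-account callers, so it is checked before the policy itself."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_read_statements(policy))


# Constructed sample: the weak policy that leaves every object readable by anyone.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Constructed sample: the corrected policy, readable only by one role in the account.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

NO_BLOCK: Dict[str, bool] = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


if __name__ == "__main__":
    print(public_read_statements(WEAK_POLICY))        # ['PublicRead']
    print(bucket_is_public(WEAK_POLICY, NO_BLOCK))    # True
    print(bucket_is_public(WEAK_POLICY, FULL_BLOCK))  # False: the block neutralises it
    print(bucket_is_public(FIXED_POLICY, NO_BLOCK))   # False
```

Run against real buckets by feeding it the output of the two `aws s3api` calls; the fix for the weak case is the second policy together with all four Public Access Block flags, which is also what stops a later "temporary" public grant from reopening the bucket.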

Quite often security is an afterthought. Data centre hosting can involve a myriad of complex contracts: the data centre may be owned by one company, operated by another and contracted through yet another, and when something goes wrong everyone points fingers at each other.

From a legal standpoint, there can still be issues with cloud service providers.

Most controllers concentrate on two requirements of their processors:

  • that the processor will follow the processing instructions, and
  • that it will keep the data secure.

But third-party due diligence needs to go further and deeper.

A full third-party due diligence audit should take place, and the right to carry one out should be clearly stated in the data processing addendum and in any Standard Contractual Clauses (SCCs) the transfer relies on.

Under the GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; not almost a year later, as in Uber's case. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected data subjects must also be informed without undue delay.

The only exception to notifying the authority is where the controller judges that the breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. Even then the breach must be thoroughly documented internally, together with the reasoning for not informing a DPA, and a DPA can ask to see that record at any time.

A large proportion of reported breaches have been found not to meet the reporting threshold, possibly because companies rushed the decision for fear of missing the 72-hour window.

There are already signs that organisations are comparing supervisory authorities to find the most lenient, so a multinational might, for example, choose to report a breach to an authority with weaker enforcement powers. The GDPR's one-stop-shop mechanism limits this, since the lead authority is determined by where the controller's main establishment is, not by where it would prefer to report.

Third parties are very often the weak link in data security. According to some reports, third-party failure plays a part in 63 percent of all data breaches.

However, the headlines about breaches always centre on the controller and rarely mention the third-party processors that may have played a part.

Third party due diligence frameworks

The process approach

  • Life cycle phase 1: Planning—Management develops plans to manage relationships with third parties.
  • Life cycle phase 2: Due diligence and third-party selection—The enterprise conducts due diligence on all potential third parties before selecting and entering into contracts or relationships.
  • Life cycle phase 3: Contract negotiation— Management reviews or has legal counsel review contracts before execution.
  • Life cycle phase 4: Ongoing monitoring—Management periodically reviews third-party relationships.
  • Life cycle phase 5: Termination and contingency planning—Management has adequate contingency plans that address steps to be taken in the event of contract default or termination.

Relentless Privacy and Compliance Services Ltd's outsourced DPO service manages all third party contracts and due diligence.

GDPR Privacy By Design and By Default Your Guide

A good idea, now established

The General Data Protection Regulation (GDPR) changed European privacy rules significantly, and the introduction of 'Privacy by Design' and 'Privacy by Default' is one of those changes. Although they are now legal requirements under the GDPR, the concepts themselves are not new: considering privacy from the start of the development process is what makes privacy work.

Essential part of the GDPR

Privacy by Design holds that organisations must consider privacy at the initial design stage and throughout the development process of any new product, process or service that involves processing personal data. Privacy by Default means that when a system or service gives the individual choices about how much personal data he or she shares with others, the default settings must be the most privacy-friendly ones. Article 25 of the GDPR sets out both requirements.

Increasing efficiency by thinking of privacy in advance

The GDPR requires organisations to consider privacy at the earliest stage. Privacy must be one of the ingredients of a new product or service, rather than the icing on the cake added at the end. This might seem complex, but it is actually easier than applying privacy considerations after a design is fully developed. When you think upfront about what personal data you want to use, for what purpose and how you will do so lawfully, it reduces the chance of discovering at a later stage that embedding privacy is technologically challenging, expensive or even impossible.

Applying Privacy by Design therefore makes the development process more efficient. Knowing what data you want to use, and giving data subjects a choice over how their data is used by applying Privacy by Default, makes it easier to be transparent towards those data subjects. And transparency is key when it comes to earning the trust needed to collect the data in the first place. In other words: applying Privacy by Design and Privacy by Default is simply a good idea, which is why many organisations have already incorporated these concepts into their development processes.

Embedding privacy in the design process, where to start?

In order to embed privacy in the design process several aspects must be taken into consideration.

  • Operate within legal boundaries and be accountable

Under the GDPR organisations are not only responsible for adhering to the data protection principles, they must also be able to demonstrate compliance with them. A privacy strategy is essential for making choices early in the development process about how you want to deal with privacy within your new service or product. Assess upfront whether the idea can be executed within the relevant legal boundaries. A good instrument for this is a Data Protection Impact Assessment (DPIA), which Article 35 of the GDPR makes mandatory where the processing is likely to result in a high risk to individuals. A DPIA will help you identify the privacy risks in your new design. Keep your DPIA findings: they allow you to demonstrate the rationale behind your decisions at a later stage.

  • Think of ethics

The ethical aspects of the concept must also be considered early on. An organisation should decide how transparent it wants to be about its data processing and how much it wants to know about the data subjects involved. A helpful question is: would you use the product or service yourself?

  • Communication is key

Communication towards data subjects is very important to address at the initial design stage and throughout the development process. Communication lines must be clear, including when something goes wrong. It must be clear to data subjects where they can turn if they want to know more about the processing of their personal data and how they can exercise their rights.

  • Data security, quality and retirement

And of course it is important to think about adequate security measures, how the quality of the data can be guaranteed, and what will happen to the data when the product or service is retired.

Implementation

Successful implementation of both Privacy by Design and Privacy by Default requires that employees, especially those involved in developing new products and services, have enough basic knowledge of privacy. Clear policies, guidelines and work instructions on data protection should be developed, and a privacy specialist should be available to assist in applying them. The development method used within the organisation (agile, waterfall, etc.) must be taken into account so that the concepts are applied throughout the whole development process; this lets development teams take appropriate measures in the relevant phases. Finally, once a design is complete, it must be adopted by the organisation and monitored and maintained throughout its lifetime.

Privacy by Design and by Default, what is not to like?

Mandating Privacy by Design and by Default is the formalisation of a good idea. The GDPR aims to give data subjects more power over their personal data, and implementing Privacy by Design and Privacy by Default clearly reflects that aim. Offering the most privacy-friendly option as the default setting gives people an actual say over which parts of their personal data can be used. Incorporating Privacy by Design into the development process is the only reliable way to apply privacy successfully. For organisations these concepts are an opportunity to increase efficiency and gain data subjects' trust. What is there not to like?

Singapore PDPA: Revision of Its Personal Data Protection Act Guidelines

The Personal Data Protection Commission (PDPC) has revised Chapter 6 (Organisations) and Chapter 15 (Access and Correction Obligations) of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, or PDPA (the Guidelines).

Chapter 6 has been revised to provide clarity on the obligations of organisations and data intermediaries where personal data is transferred overseas.

  • Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation, regardless of whether the personal data is transferred by the organisation to an overseas data intermediary or transferred overseas by a data intermediary in Singapore.
  • The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances, when engaging a data intermediary, that the intermediary is capable of providing a standard of protection comparable to that required under the PDPA.

Chapter 15 has been revised to provide clarity on access requests to personal data received by organisations.

  • Where organisations need not accede to an access request
    Generally, an organisation must respond to an access request by providing access to the personal data requested, or by informing the individual that the request is rejected where it has valid grounds not to provide access. The Guidelines clarify that organisations are not required to accede to a request:
    • if an exception (as set out in the Fifth Schedule of the PDPA) from the access requirement applies;
    • if the applicant has not paid the fee for the services provided to enable the organisation to respond to the request, provided the organisation has given the applicant a written estimate of the fee; or
    • if any of the grounds in Section 21(3) of the PDPA apply, such as where providing the personal data or other information could reasonably be expected to threaten the safety or physical or mental health of an individual other than the requesting individual, or to cause immediate or grave harm to the safety or physical or mental health of the requesting individual.
  • Access requests relating to legal proceedings
    Where personal data has been collected for the purpose of a prosecution or investigation, organisations are not required to accede to the access request, pursuant to an exemption under the PDPA. Access need not be provided in respect of a document related to a prosecution if the proceedings related to the prosecution have not all been completed. The Guidelines clarify that where personal data was collected before the commencement of the prosecution or investigation but is nevertheless relevant to the proceedings, an individual should obtain access through criminal and civil discovery rather than through an access request under the PDPA. The PDPA does not affect the discovery obligations that parties to a legal dispute may have under law (e.g. pursuant to an order of court).

The PDPC has also introduced a new chapter on "Cloud Services" in the Guidelines on the PDPA for selected topics, to provide clarity on the responsibilities of organisations that use cloud services to process personal data and of cloud service providers (CSPs) that process personal data on behalf of and for the purposes of those organisations.

Obligations

  • Obligations of the organisation
    • When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the CSP on its behalf and for its purposes.
    • As mentioned above, an organisation that engages a CSP as a data intermediary to provide cloud services is also responsible for complying with the Transfer Limitation Obligation with respect to any overseas transfer of personal data in using the CSP's cloud services, regardless of whether the CSP is located in Singapore or overseas.
  • Obligations of the CSP
    • Where the CSP processes personal data on behalf of and for the purposes of another organisation pursuant to a written contract, the CSP is considered a "data intermediary" and is subject to the Protection and Retention Limitation Obligations under the PDPA in respect of the personal data that it processes or hosts for the organisation, including in data centres outside Singapore.
    • The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities that do not constitute processing of personal data under the contract.

Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.

Global Data Privacy Strategy Your Guide

When the EU’s General Data Protection Regulation (GDPR) went into effect May 25, 2018, it triggered a wave of privacy legislation around the globe. And businesses everywhere have been scrambling to prepare.

Every organization doing business in the EU, or offering goods or services to people in the EU, must comply with GDPR requirements. In addition, other regions (Brazil, Australia, Japan and Turkey, to name a few) have passed new privacy laws that businesses worldwide now must also follow. In the U.S., California enacted the California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020. Other states are following suit with regulations as well.

While the U.S. has yet to initiate a nationwide privacy policy, the Federal Trade Commission (FTC) began a series of probes into the practices of various large, high-tech companies. The scrutiny and resulting congressional hearings related to Facebook and Google highlighted just how much personal data is now out there and how much of it is being bought and sold, unbeknownst to consumers. In recent weeks, the FTC expanded its probe to include internet service providers AT&T, Comcast, Verizon and T-Mobile, which could signal a national privacy regulation is not that far off and should spur organizations in all industries to start making data privacy a priority—if anyone is still dragging their feet.

The sheer number of regulations that companies must comply with has rapidly increased in a short period of time, with geographically specific policies adding layers of complexity to most organizations’ data security operations. Businesses everywhere are waking up to the need to bolster their approach to how they handle employee and customer data. GDPR compliance was really just the beginning.

Consumers too are spurring organizations into action, demanding to know that their data is being treated securely. These consumers have raised the bar in terms of what they expect from organizations. Failures now mean class action lawsuits, as British Airways discovered after a hacker stole payment card data associated with 380,000 transactions. The GDPR not only requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach, it also gives Europeans the right to claim compensation.

Data Privacy: How to Get Started

Thinking about information policies is one thing, but knowing how to begin to refine them is another entirely. Adding to the complexity in global regulations is the enormous amount of data that your organization generates daily. Business is built on and carried out with information. We draw up plans and presentations and spreadsheets. We write reports and send emails, all of which can contain sensitive business information as well as personally identifiable information (PII). Some of it belongs to the business itself, some belongs to employees or to our customers.

Information-handling has gotten cumbersome for most organizations. Businesses are generating so much data that companies don’t even know where all their data resides or what type of information all those files and folders contain. While structured data—such as credit card information and Social Security numbers—can be fairly easily tracked and protected, unstructured data is much more difficult to safeguard.

Unstructured data is information buried deep within the documents and emails mentioned above. It includes details about people and business sometimes written in prose or as notes, so it’s not easily plucked out and secured. One of the biggest obstacles to a well-defined information-handling strategy is that many organizations struggle to accurately identify sensitive data as employees use and share it in their day-to-day work.

Organizations need to create and deploy reliable processes for improving information-handling to help people understand what data they’ve got, where it is stored and how sensitive it is. They also need tools to help ensure that it is protected.

The risks of poor information handling are enormous, from enabling a large-scale hack to allowing unfortunate employee errors. So what can organizations do to avoid fines, customer liability and expensive breach recoveries?

5 Things Businesses Can Do

Organizations need to nurture an internal culture for data categorization and risk assessment. Executives and business stakeholders as well as IT leaders must fully understand the security and privacy risks associated with the data they create, consume and handle. Everyone needs tools and processes built into their day-to-day workflow to help easily recognize privacy risks and deploy safeguards.

Here are five basic ways organizations can implement stronger information-handling policies and prepare to meet the complex range of privacy regulations out there:

Understand the regulations: In short – Do your homework. Get to know the regulations your organization must follow. How does each regulation define personal information? What are the safeguards they require? Where are the commonalities between regulations? Use these details as a starting point for developing a global privacy policy that considers sensitive data from all angles and all regions.

Know where PII resides: Because so much structured and unstructured data is created daily, it can be difficult to know where personal information is located. As noted earlier, unstructured data is usually buried in emails, Word files, presentations and other documents. According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data and less than 1% of an organization’s unstructured data is analyzed or used at all. Without knowing what personal data employees generate and where it resides, organizations will have difficulty complying with regulations.
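Finding personal data in unstructured text is the concrete task behind "know where PII resides", and the distinction drawn earlier between structured and unstructured data shows up directly in the code: a card number needs a checksum to tell it apart from a ticket number, not just a digit pattern. The Python below is an added example written for this page, not the article's or any vendor's tool. The sample email it scans is constructed, and the three detectors (email address, U.S. SSN, and payment card validated with the Luhn check) are a starting point rather than a complete catalogue of identifiers.

```python
"""Rule-based PII discovery over unstructured text.  Added example, not from the
article.  The sample email is constructed."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # "email", "ssn" or "card"
    value: str   # the matched text as it appeared
    offset: int  # character offset, so the finding can be located in the document


# Structured identifiers have a syntax; cards also have a checksum, used below to
# cut false positives.  The SSN pattern excludes areas 000, 666 and 9xx, group 00
# and serial 0000, which are never issued.
_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # candidate only until Luhn passes
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by every major card scheme."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Return every PII hit in the text, ordered by position."""
    findings: List[Finding] = []
    for kind, pattern in _PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue   # looks like a card number but fails the checksum
            findings.append(Finding(kind, value, m.start()))
    return sorted(findings, key=lambda f: f.offset)


def classify(text: str) -> str:
    """Map findings to a handling label that a DLP or labelling tool could act on."""
    kinds = {f.kind for f in scan_text(text)}
    if kinds & {"card", "ssn"}:
        return "restricted"      # regulated identifiers: encrypt, restrict sharing
    if kinds:
        return "confidential"    # personal data, but not regulated identifiers
    return "internal"


# Constructed sample: the kind of free-text email in which PII hides.
SAMPLE_EMAIL = """Hi team,
Customer Jane Roe (jane.roe@example.com) called about her refund.
Card on file: 4111 1111 1111 1111, SSN 123-45-6789 for the tax form.
Ticket 1234567890123 is the support ticket number, not a card.
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EMAIL):
        print(f.kind, f.value, f.offset)
    print(classify(SAMPLE_EMAIL))   # restricted
```

The 13-digit ticket number matches the card pattern but fails the Luhn check, which is the practical difference between a scanner that is tolerated and one that users switch off; the same tolerance for noise applies to any learned classifier layered on top of rules like these.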

Understand internal politics around data: Different companies have different organizational structures. That said, most have a data team that may be led by a chief data officer (CDO). These executives are tasked with responsibility for the complete life cycle of organizational data. Additionally, they typically understand its value and they know how it functions within the business. Most companies also have a data security team, led by a chief information security officer (CISO). These executives oversee locking down data and systems to ensure sensitive information is not stolen or inadvertently shared publicly. They are ever-alert to the next big malware attack and work to keep security technologies up to date across the company. They also manage employee access rights and other internal data security initiatives.

But when it comes to regulations, who oversees what? Regulation requirements can be confusing, and compliance will require a collaboration between data and security teams. It is critical to understand what the company needs to do to meet regulation requirements and then work together to design a path toward compliance. It is essential to name executive ownership of the data privacy program and map out how that person will ensure regulation compliance across the organization. That person will ultimately be accountable in the event of regulatory questions, punitive consequences or data breaches.

Implement data security solutions that streamline compliance processes: Privacy regulation compliance begins by getting a better handle on data. Data identification and categorization tools can provide an understanding of what types of data exist within an organization, how sensitive each type is and how each type should be treated to comply with data privacy policies. Rather than add another layer of complexity onto operations, these tools should streamline processes by integrating with any other security tools your organization already uses—such as data loss prevention (DLP) technologies, cloud access security brokers (CASB) and enterprise digital rights management (EDRM) tools.

Consider tools that employ machine learning: It may sound complicated, but machine learning can actually simplify the consistent implementation of privacy policies across an organization. With these types of tools, a data steward trains a machine learning algorithm to help users identify and label data as they create documents and send emails. Based on the type of data a user is dealing with, the tool then gives an instruction for how to handle the information according to regulations and policies. As policies evolve, the data steward retrains the algorithms to make the data categorization tools more effective. As the tools become smarter, certain aspects of policy management can be automated.

Ultimately, businesses must be able to identify sensitive information across their enterprise—at creation and at rest. They need to encrypt and protect that information when it is in motion, whether it’s being emailed or uploaded to a cloud repository. And they need to apply identity and access technologies to ensure that all data is being shared with the appropriate people.

By getting ahead of the game and implementing a foundation of data privacy policies that include identification and categorization for better information-handling, organizations can ensure they will be ready to meet any regulations regardless of which region initiated them.
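As an added illustration of the identification and categorization step described above (this is example code written for this page, not a tool from the article or from Relentless Privacy and Compliance), the following JavaScript scans a set of constructed sample documents for a few simplified personal-data patterns, validates candidate card numbers with the Luhn check so that ordinary reference numbers are not flagged, and maps each document to a handling rule. The detector patterns, labels and handling wording are assumptions chosen for illustration; a real classifier would use far richer patterns and, as the text notes, could be trained rather than hand-written.

```javascript
// Added example: a minimal data-discovery scanner. Patterns are deliberately
// simplified (an assumption for illustration, not production-grade detection).

// Luhn check: filters out digit runs (order numbers, phone numbers) that merely
// look like payment card numbers.
function luhnValid(candidate) {
  const digits = candidate.replace(/[ -]/g, "");
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Each detector names a data type and a (simplified) pattern; an optional
// validator rejects false positives.
const DETECTORS = [
  { type: "email", pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  // UK National Insurance number, simplified: two letters, six digits, suffix A-D.
  { type: "ni_number", pattern: /\b[A-Z]{2}\d{6}[A-D]\b/g },
  // Payment card candidates: 13 to 19 digits, optionally separated by spaces or hyphens.
  { type: "card_number", pattern: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnValid },
];

// Handling rule per label (assumed wording; the label-to-rule mapping is the point).
const HANDLING = {
  public: "no special handling; normal retention",
  personal: "restrict access to need-to-know; encrypt at rest and in transit; index for subject access requests",
  personal_payment: "as personal, plus: minimise retention and keep out of general-purpose stores",
};

// Scan one document. Only the type and offset of each hit are recorded, not the
// matched value, so the report does not become another copy of the data.
function scanDocument(doc) {
  const findings = [];
  for (const det of DETECTORS) {
    for (const m of doc.text.matchAll(det.pattern)) {
      if (det.validate && !det.validate(m[0])) continue;
      findings.push({ type: det.type, offset: m.index });
    }
  }
  return findings;
}

// Any card number outranks other personal data; any hit at all makes it personal.
function classify(findings) {
  const types = new Set(findings.map((f) => f.type));
  if (types.has("card_number")) return "personal_payment";
  if (types.size > 0) return "personal";
  return "public";
}

function scanCorpus(docs) {
  return docs.map((doc) => {
    const findings = scanDocument(doc);
    const label = classify(findings);
    const types = [...new Set(findings.map((f) => f.type))].sort();
    return { id: doc.id, label, types, handling: HANDLING[label] };
  });
}

// Constructed sample documents (every value below is made up).
const SAMPLE_DOCUMENTS = [
  { id: "hr-email-1", text: "New starter Alex Sample (NI QQ123456C) begins Monday; contact alex.sample@example.com." },
  { id: "finance-export-1", text: "Refund to card 4111 1111 1111 1111 for order 4111111111111112, amount 42.00" },
  { id: "brochure-1", text: "Our spring catalogue is out now. Visit any store for 10 per cent off." },
];

const REPORT = scanCorpus(SAMPLE_DOCUMENTS);
```

In the sample run the HR email is labelled personal (email address and NI number), the finance export is labelled personal_payment because its first number passes the Luhn check while the order number does not, and the brochure is public. Recording only types and offsets keeps the discovery output itself out of scope as a new store of personal data.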

Place your global data protection with Relentless Privacy and Compliance Services, the data privacy partner of choice.


GDPR Still Challenging Internal Legal and Compliance Teams

Despite their positive intentions, legislators and regulators have posed major problems for corporate counsel by failing to foresee the enormity of the task of auditable compliance, both within the public and private sectors.

So, if anything, as we approach the two-year mark it is a timely opportunity to reflect on whether or not guidance from legal practitioners – in-house or external – has been capable of execution.

GDPR policy direction and regulatory enforcement

If we look closely at several key GDPR principles such as the “right to be forgotten” and “purpose limitation”, they each require major investment not only in policy and process but also in technology. For example, the regulation effectively demands that organisations have complete visibility over all data stored, in any format and in any location. This involves near real-time reporting and requires the ability to respond to a Subject Access Request within a month and to a data breach within 72 hours. This takes GDPR preparation well beyond providing a privacy policy and an accompanying DSAR request link on the company website.

Compliance: The story so far, the good and the not so good

In practical terms, the private sector has largely taken the GDPR seriously, providing direction on active and demonstrable consent to retail customers. Anecdotal evidence has also suggested that the “privacy by design” concept is being respected when it comes to integrating compliance features into new products and services. In one instance, a global UK-headquartered bank CDO has made sure that anonymisation is in place when analysing its Personal Data to improve its wealth management products and services.

Yet, surprisingly, large institutions, especially in the insurance and recruitment sectors, are still at a mid stage of data discovery. This includes identifying precisely where, and in what form and volume, Personal Data lies across their legacy data landscape. As a result, such discovery should be urged by legal counsel, along with a gap analysis of their processes and technology – at least to provide an in-flight road map for remediation.

Beyond sanctions: The business benefits of successful compliance

While defending against fines and reputational damage is undoubtedly front of mind for the private sector, there are several positive up-sides to effective GDPR compliance – all worth the attention of legal practitioners.

    • Promoting GDPR compliance to improve operational efficiency

Deletion of unwarranted Personal Data retention has led two major UK insurers to proactively downsize the “dark data” they hold, which on average represents in excess of 30 per cent of all information held by corporates. This has resulted in reduced back-up and data storage costs and, in turn, increased ROI. Simultaneously, they have effectively cleansed data in anticipation of executing digital transformation initiatives.

    • Using GDPR as a benchmark for better due diligence during M&A

This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.

    • Provisional linkage of data in all formats for revenue gains

By ensuring compliance, organisations have the ability not only to facilitate replies to a Subject Access Request, but also achieve greater goals from compliant data mining and value extraction – ultimately leading to enhanced revenues.

The GDPR ambiguity

For legal counsel, the GDPR has sparked a host of complex issues from both the regulatory enforcement and the policy guidance side. However, for the perceptive, the regulation has, somewhat paradoxically, provided a key opportunity for executing key business goals and driving a competitive edge.

Legal counsel and internal compliance teams need a full 360-degree view of the GDPR and should promote the benefits of the regulation.

Start your 360-degree review today by booking a GDPR comprehensive gap analysis and remediation assessment and report.

The Use of Cookies on Websites Update from the ICO

The Information Commissioner’s Office (the UK’s data protection regulator) has issued long-awaited guidance on the use of cookies (“ICO Guidance”). This has helped to highlight the steps organisations must take in order to use cookies lawfully. As a result, a great number of online organisations will need to update their current approach to comply with the law.

The regulations which govern the use of cookies in the UK (which are based on an EU directive) provide that website operators may only use cookies where:

  1. clear and comprehensive information about the purposes of, or access to, the information in the cookie are provided to the user; and
  2. the consent of the user has been obtained (unless the cookie falls within the “strictly necessary” exemption – as described further below).

ICO Guidance

The ICO Guidance has now helped to clarify the above requirements.

The key points are as follows:

  • Clarification of the “strictly necessary” exemption

User consent is not required for cookies which are “strictly necessary”. The ICO Guidance clarifies that this means that the use of the cookie must be “essential” for the provision of the service which has been requested by the user or to ensure compliance with applicable law.

The ICO provides examples of the types of cookies which would fall within the meaning of “strictly necessary”. Perhaps not surprisingly, advertising cookies, such as the Facebook pixel, which are commonly used by retailers and allow them to target users online (for example, through their social media accounts) are not considered to be “strictly necessary”.

Examples of the types of cookies which would benefit from this exemption include those which:

  • remember the goods in a user’s basket when a user is shopping online; or
  • are required to provide adequate security standards to ensure compliance with the GDPR.

It follows that cookies which are often considered important but are not essential to the provision of the service to the user or for compliance with the law do not come within the strictly necessary exemption. This means that “performance cookies”, such as Google Analytics, which measure the way in which individuals use a website and can help to evaluate the success of promotions and campaigns are not covered by this exemption.

  • Clear and comprehensive information

The ICO Guidance emphasises the need to provide users with transparent information concerning the use of cookies. The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. As such, this information must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

In relation to cookies, this means that online organisations need to review and update their cookie policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how cookies are being used on the website.

  • The standard of consent is high

The ICO confirmed that the standard of consent for using cookies is the same as that set out under the GDPR, even for cookies which do not involve the processing of personal data. Under the GDPR consent must be:

  • fully informed and freely given;
  • express as opposed to implied;
  • specific (that is, not bundled with other matters); and
  • capable of being withdrawn.

So implied consent can no longer be relied on for cookies. Websites which use non-essential cookies without specifically requiring users to consent to these upon their first access to a site are therefore not compliant. As a result, non-essential cookies need to be switched off until a user has taken an affirmative act to opt-in to the use of these.

Of the various online organisations’ websites that we reviewed at the end of November 2019, a large proportion of these were still relying on implied consent, using language along the lines of: “By continuing to use our website, you consent to us using cookies in accordance with our cookies policy”. This does not constitute a valid consent under the relevant regulations.
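To make the consent standard above concrete, here is an added example (not code from the ICO Guidance or from this site) of a browser-side consent gate: every cookie is tagged with a category, only cookies in the “necessary” category are set before any user action, and a non-essential category is unlocked only by an explicit boolean opt-in that can later be withdrawn. The cookie names, categories and sample cookies are constructed for the example; in a browser the setter passed to applyConsent would write to document.cookie, and here an array stands in so the block also runs in Node.

```javascript
// Added example: per-category consent gating for cookies. Names and categories
// below are assumptions chosen for illustration.

const NON_ESSENTIAL = ["analytics", "advertising", "other"];

// Before any affirmative act only strictly necessary cookies are permitted.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, other: false, recordedAt: null };
}

// Record an explicit choice. Only a boolean true counts as opt-in: continuing to
// browse, pre-ticked boxes or truthy strings from a form do not.
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const category of NON_ESSENTIAL) {
    consent[category] = choices[category] === true;
  }
  consent.recordedAt = now;
  return consent;
}

// Withdrawal must be as easy as giving consent: reset to the default state.
function withdrawConsent() {
  return defaultConsent();
}

// Decide which of the cookies a page wants to set may actually be set.
function filterCookies(requested, consent) {
  const allowed = [];
  const blocked = [];
  for (const cookie of requested) {
    const permitted = cookie.category === "necessary" || consent[cookie.category] === true;
    (permitted ? allowed : blocked).push(cookie);
  }
  return { allowed, blocked };
}

// Build a document.cookie / Set-Cookie string with defensive attributes.
function serializeCookie(cookie) {
  const parts = [`${cookie.name}=${encodeURIComponent(cookie.value)}`, "Path=/", "SameSite=Lax"];
  if (cookie.maxAgeSeconds) parts.push(`Max-Age=${cookie.maxAgeSeconds}`);
  if (cookie.secure !== false) parts.push("Secure");
  return parts.join("; ");
}

// Apply the decision through a setter. In a browser: (s) => { document.cookie = s; }
function applyConsent(requested, consent, setCookie) {
  const { allowed, blocked } = filterCookies(requested, consent);
  for (const cookie of allowed) setCookie(serializeCookie(cookie));
  return { set: allowed.map((c) => c.name), suppressed: blocked.map((c) => c.name) };
}

// Constructed sample: what a retail page might want to set on a first visit.
const SAMPLE_COOKIES = [
  { name: "session_id", value: "s-42", category: "necessary" },
  { name: "basket", value: "sku-1,sku-7", category: "necessary", maxAgeSeconds: 86400 },
  { name: "analytics_visitor", value: "v-99", category: "analytics", maxAgeSeconds: 63072000 },
  { name: "ad_tracking", value: "px-7", category: "advertising", maxAgeSeconds: 7776000 },
];

// First visit, no banner interaction yet: only the two necessary cookies go out.
const jar = [];
const firstVisit = applyConsent(SAMPLE_COOKIES, defaultConsent(), (s) => jar.push(s));

// The user ticks only "analytics" in the preference centre; advertising stays off.
const afterOptIn = applyConsent(SAMPLE_COOKIES, recordConsent({ analytics: true }), (s) => jar.push(s));
```

The design point is that the default state, not the banner, enforces the rule: a page that never calls recordConsent can only ever set the necessary cookies, so a broken or ignored banner fails safe rather than falling back to the implied-consent behaviour the ICO has rejected.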

  • Take home points

    • If history is anything to go on, it would be reasonable to expect the ICO to seek to make examples of businesses which do not comply in the future. Meanwhile, the ICO is currently receiving a large number of complaints in relation to cookies, and it can be expected that this is also resulting in bad publicity on social media for the retailers concerned.
    • Irrespective of the above potential ICO fines and bad publicity, retailers are being trolled by some individuals who are bringing court cases claiming infringement of data protection law and forcing retailers to settle out of court by paying them off.

Relentless Privacy and Compliance’s GDPR assessment service covers all policies for compliance, providing an in-depth gap analysis and remediation report.


Brexit and the UK Data Protection Law 2020 and Beyond

The UK data protection law and Brexit

The UK government’s general election victory on 12 December 2019 means parliament will now pass the European Union (Withdrawal Agreement) Bill.

Brexit will, therefore, finally go ahead on 31 January 2020.

Now that the withdrawal agreement has been passed by parliament, the government will have until 31 December 2020 to negotiate the UK’s future relationship with the EU – although it is still possible for this deadline to be extended.

No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms still exists.

During the 11-month transition period, EU law – including the EU GDPR (General Data Protection Regulation) – will continue to apply in the UK.

This post explains what we know so far about how Brexit will affect international transfers of personal data after 31 December 2020.

Speak to a Data Protection expert

If you need guidance or advice on how Brexit will affect your organisation’s data protection obligations, get in touch with one of our experts. Simply call +44 (0) 121 582 0192, or request a call back using the form at the foot of this post.

Data protection law in the UK before Brexit

UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018.

The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s DPD (Data Protection Directive) 1995 and all member state law that implemented it – including the UK DPA 1998.

Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.

As well as modifying the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain areas that fall outside the EU GDPR’s scope, including processing by public authorities.

It also sets out data processing regimes for law enforcement purposes and the intelligence services.

Data protection law in the UK after Brexit: the UK General Data Protection Regulation

Although the EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020), UK organisations must still comply with the Regulation’s requirements.

First, the DPA 2018 enacts the EU GDPR’s requirements in UK law.

Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.

This new regime will be known as ‘the UK GDPR’.

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provides that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue. See Post-Brexit international data transfers: adequacy decisions, below, for more information.

There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR.

The EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (31 December 2020).

From this point, the UK GDPR will apply.

The UK will be classified as a third country from the end of the transition period. Until an adequacy decision is reached, UK organisations that process personal data on behalf of EU data controllers will need to rely on other measures – such as standard contractual clauses or binding corporate rules – to transfer personal data from the EEA to the UK. This is discussed in greater depth below.

Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.

The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.

Post-Brexit international data transfers: adequacy decisions

In order for international data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.

The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it will be able to demonstrate that it will continue to enforce international data protection requirements after it leaves the EU.

To date, the Commission has adopted 13 adequacy decisions: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with South Korea are ongoing.

Both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years. The UK has only 11 months.

If an adequacy decision is not reached by 31 December 2020, organisations in the UK will have to rely on binding corporate rules or standard contractual clauses to transfer personal data from organisations in the EEA. (The EU GDPR also makes provision for personal data to be transferred to third countries based on approved codes of conduct – such as the EU-US Privacy Shield – but no such code has been agreed for transfers from the EEA to the UK yet.) It is important to note that, as the UK’s ICO will no longer be a supervisory authority under the EU GDPR, it will not be able to approve binding corporate rules for transfers of personal data from the EEA to the UK. Such binding corporate rules will, therefore, need to be approved by a supervisory authority within the EU.

Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.

Prudent organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.

The Information Commissioner’s Office has published guidance and resources for organisations after Brexit.

The EDPB (European Data Protection Board) has published an information note on data transfers under the GDPR in the event of a no-deal Brexit.

Transfers of UK personal data to the US

As to transfers of UK personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 makes provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.

US organisations that participate in the Privacy Shield will have to update their “public commitment to comply with the Privacy Shield to include the UK”.

The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario, including the model language to use in their updated statements.


Expert Services

Expert support: Accessing specialist expertise from experienced DPO’s with the right skillset to navigate the new data processing and data security landscape can be difficult, time-consuming and expensive. By outsourcing to us, your organisation benefits from:

  • Access to a team of expert DPO’s with a proven track record;
  • Cost savings in recruitment, employment and retention;
  • Truly independent DPO’s, which means there are no conflicts of interest between the DPO and other business services;
  • Access to a team of experts working at the leading edge of their field with visibility of the latest trends and application of best practice; and
  • A service that is flexible according to your organisation’s needs, with pricing to match.
