News, articles, legislation and analysis, all about data protection and cybersecurity technologies
Analysis: Top 10 Serious GDPR Incidents in 2018 – The web security company High-Tech Bridge published on its Security Blog a Top 10 analysis of last year's most important security and privacy incidents related to the GDPR.
Legislation: The new Data Protection law adopted in Spain – In December 2018, the Official Gazette of Spain published the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.
Guidance: New Guidance on Data Sharing Published by CNIL – The French Data Protection Authority released guidance on the standards organizations must meet to share information with business partners and data brokers, with a focus on compliance under the EU GDPR.
Data Breach: First Hospital GDPR Violation Penalty Issued in Portugal – The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Centro Hospitalar Barreiro Montijo for failing to restrict access to patient data stored in its patient management system.
Research: 50 Percent of Firms Still Not GDPR Compliant – According to the IAPP-EY Annual Governance Report 2018, organizations tackled the hard work of implementing GDPR programs, spent an average of $1.3 million to become compliant, and learned many lessons while trying to solve the most challenging issues.
Books: 10 TITLES FOR YOUR GDPR LIBRARY – Please review my recommended list of books, selected under the GDPR Ready Initiative framework using criteria such as subject popularity, reviews, relevance and EU coverage. You are welcome to offer your own reading suggestions on this subject.
Top 10 Serious GDPR Incidents in 2018
The article begins with a comprehensive analysis of the new approach to personal data protection around the world and the three essential differences between the GDPR and the previous regulation: reversing the risk ratio between low fines and the high cost of security, changing the strategy for data breach reporting, and putting the user first by establishing constraints for personal data controllers and processors.
The article then looks at the ten most dramatic incidents reported in 2018:
- The WP GDPR Compliance plugin issue for WordPress discovered by Wordfence.
- Action opened against Twitter by University College London researcher Michael Veale.
- Complaints opened by Privacy International to the regulatory bodies in Britain, Ireland and France about seven different financial and marketing companies, claiming they gathered personal data without explicit consent.
- The August data breach of payment information from British Airways.
- Germany's first GDPR fine, issued in November 2018 to the social and dating website Knuddels.de, which in September had reported a data breach of 1.87 million username and password combinations and 800,000 users' email addresses.
- The Portuguese hospital fined €400,000 in July 2018.
- Google's location tracking, investigated by the Associated Press in August 2018.
- AggregateIQ, a data analytics firm linked with Cambridge Analytica, accused of mishandling people's data both before and after GDPR enforcement.
- Facebook's fines and lawsuits: 2018 was a difficult year for Facebook, with controversies, data breaches and scandals becoming a semi-regular occurrence.
- Marriott, the parent company of Starwood, which discovered in September a data breach affecting up to 500 million customers' personal data, long after the GDPR came into effect. Complicating matters, it appears to have been an open, ongoing breach since 2014.
The new Data Protection law adopted in Spain
According to an article published on the IAPP site, the new Organic Law is founded on five key issues: the object of the law, data subject rights, the data protection officer, the processing of personal data by political parties, and digital rights in the labour field.
According to Article 1, the Organic Law has a double object. First, it adapts the Spanish legal system to the General Data Protection Regulation and further specifies or restricts its rules where the GDPR provides for this. In this sense, the law states that the fundamental right to data protection of natural persons, under Article 18.4 of the Spanish Constitution, shall be exercised under the GDPR and this law. Second, the law guarantees the digital rights of citizens and employees beyond the GDPR. For example, it includes provisions on the right to internet access, the right to digital education, the right to correction on the internet and the right to digital disconnection in the workplace.
The law also includes some specifications regarding data subjects' rights. Article 12.1 states that a data subject's rights may be exercised personally or through a legal or voluntary representative, and Article 12.3 provides that the processor may handle, on behalf of the controller, any request to exercise a data subject's rights when this is provided for in the contract or other legal instrument that binds them.
The law gives the DPO more functions. Recall that Spain was the first EU country to release, in 2017, a DPO certification scheme: the Certification Scheme of Data Protection Officers from the Spanish Data Protection Agency (DPO-AEPD Scheme).
Following Article 37(4) of the GDPR, the law specifies and clarifies other cases in which the designation of a DPO is mandatory. Among them are: bar associations and their general counsels; public and private universities; information society service providers when developing large-scale profiles of service users; operators that develop gaming activity through electronic, computer, telematic and interactive channels in accordance with gaming regulation; and sports federations when processing minors' personal data.
The law also gives the DPO an additional function in the case of a complaint against a controller or processor before the supervisory authority. Before the complaint is submitted to the supervisory authority, the DPO, where one has been designated, may intervene and communicate the organization's decision to the complainant within two months of receiving the complaint.
Beyond data protection, several articles refer to the protection of privacy in the labour field, such as the right to privacy and use of digital devices in the workplace (Article 87), the right to digital disconnection in the workplace (Article 87), the right to privacy against the use of video surveillance devices and sound recording in the workplace (Article 89), the right to privacy against the use of geolocation systems in the workplace (Article 90) and digital rights in collective bargaining (Article 91).
New Guidance on Data Sharing Published by CNIL
According to a post on Hunton Andrews Kurth's Privacy & Information Security Law Blog, the CNIL guidance states that companies sharing data with business partners and data brokers must first obtain consent from the data subject before any information is passed along, identify the third parties that will receive the data, and inform data subjects should the list of entities that will obtain the data change.
The CNIL guidance sets out five key conditions:
- Prior consent: Organizations must seek the individual’s consent prior to sharing personal data with the organization’s partners.
- Identification of the partners: The data collection form must provide notice of the particular partner(s) who may receive the personal data.
- Notification of changes to the list of partners: Individuals must be informed of any updates to the list of partners and, in particular, of the fact that their personal data may be shared with new partners.
- Limit to further sharing without consent: The partners may not share the personal data with their own partners without seeking the individual’s informed consent.
- Notice to be provided by the partners at the time of the first communication to the individual: The partners who process the personal data to send their own marketing communications must inform the concerned individuals of the source from which the data originates, and how the individuals may exercise their data protection rights.
First Hospital GDPR Violation Penalty Issued in Portugal
Portugal's supervisory authority, the Comissão Nacional de Protecção de Dados (CNPD), took action against Centro Hospitalar Barreiro Montijo, located near Lisbon, for failing to restrict access to patient data stored in its patient management system. CNPD audited the hospital and discovered that 985 hospital employees had access rights to sensitive patient health information, although the hospital employed only 296 physicians. CNPD also discovered that a test profile had been set up with full, unrestricted administrator-level access to patient data, and that nine social workers had been granted access to confidential patient data.
According to a HIPAA Journal article, CNPD found three violations of the GDPR. The first was a violation of the data minimization principle in Article 5(1)(c), by allowing indiscriminate access by an excessive number of users, taken together with Article 83(5)(a) on the basic principles of processing. For this, the fine was 150,000 euros.
The second violation was of the integrity and confidentiality principle in Article 5(1)(f), again with Article 83(5)(a) on the basic principles of processing, for failing to apply technical and organizational measures to prevent unlawful access to personal data. This was also fined 150,000 euros.
Finally, under Article 32(1)(b), the CNPD considered the defendant's inability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services, as well as its failure to implement technical and organizational measures ensuring a level of security appropriate to the risk, including a process for regularly testing, assessing and evaluating those measures. Here the fine was 100,000 euros.
When determining the amount of the penalty, the CNPD also took into account that the defendant had taken measures to remedy the situation.
50 Percent of Firms Still Not GDPR Compliant
According to the IAPP-EY Annual Governance Report 2018, organizations tackled the hard work of implementing GDPR programs, spent an average of $1.3 million to become compliant, and learned many lessons while trying to solve the most challenging issues.
One of the Report's conclusions is that fewer than 50 percent of survey respondents report being "fully compliant" with the GDPR, and nearly one in five admit that full GDPR compliance is truly impossible. Another trend is the considerable growth in the number of privacy professionals working for European organizations and responding to the survey: the number of IAPP members participating in the survey grew by 47 percent. At the same time, there was significant growth in the number of full-time staff dedicated to privacy, reflecting a real concern at organization level to be prepared. In fact, one key finding is that privacy is increasingly a stand-alone issue of corporate significance, no longer tied as closely to a data breach as in previous years.
Other key results:
- 76 percent of all respondents believe their firm falls under the scope of the GDPR.
- 25 percent of respondents have changed vendors in response to the GDPR.
- 30 percent say they are considering future vendor changes.
- 56 percent say they are far from compliance or will never comply.
- 75 percent of respondent firms report they have appointed a DPO.
- 48 percent have created the DPO position to serve a valuable business function.
- Six in 10 privacy leaders have taken the DPO duties on themselves.
10 TITLES FOR YOUR GDPR BOOKS LIBRARY
Anyone looking for documentation about the GDPR can read thousands of web resources, including best practices, buyer's guides, solution handbooks and implementation kits. All of these are very useful, but often we need more considered advice on the General Data Protection Regulation, and the best way to get a bit of professional advice is to read a book. Although we now live in a fully digital era, many of us still want classical page-by-page reading, whether in print or online.
While researching specific GDPR content, I had to review some interesting books. Although many of us are on vacation, I think this year-end period, in which the GDPR was a hot topic for everyone, is the best time to sit quietly and browse an interesting book.
It is important to note that this is not a "Top 10" ranking; it is just a personal selection: a recommended list of books chosen by the GDPR Ready Initiative using criteria such as subject popularity, reviews, relevance and EU coverage. Image credits go to various online bookshops.
You are welcome to offer your own reading suggestions on this subject.