GDPR READY WEEKLY NEWS – No 6, February 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Guidelines: Codes of Conduct and Monitoring Bodies – The European Data Protection Board released guidelines on Codes of Conduct and certification mechanisms.

2018 Control activity results: 725 investigations were carried out by the Romanian Supervisory Authority – According to a brochure released during the official Data Privacy Day in 28th of January 2019, the Romanian Supervisory Authority published the first control activity results for 2018.

Cybersecurity: How easy is to spy on WhatsApp chats? – One Avira blog article is telling us about the silent danger shadowing in the WhatsApp messaging service.

Data Breaches: First GDPR fine in Hungary for exposing data subject’s rights – The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently issued two decisions dealing with breaches of data protection rules set by the (‘GDPR’).

Brexit: “No deal” implication in the law enforcement sector – ICO released guidance for processing personal data in the event of a no-deal Brexit.

Data protection: 12 Types of Data That Businesses Need to Protect but Often Do Not – According to a 7wdata.be article businesses often do not adequately protect all of the information that they should be securing.

Research: CEO considered the weakest link in security measures – shows a new report from The Bunker, an UK’s cloud, and managed services and data centre provider.  

Guidelines

Codes of Conduct and Monitoring Bodies

The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR.

Member States and supervisory authorities should encourage the establishment of certification mechanisms and have to determine the engagement in the certification process and lifecycle These guidelines are limited in scope; they are not a procedural manual for certification in accordance with the GDPR.

The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines:

  • explore the rationale for certification as an accountability tool;
  • explain the key concepts of the certification provisions in Articles 42 and 43;
  • explain the scope of what can be certified under Articles 42 and 43 and the purpose of certification.

The GDPR allows for a number of ways for the Member States and supervisory authorities to implement Articles 42 and 43. The guidelines provide advice on the interpretation and implementation of the provisions in Articles 42 and 43 and will help the Member States, supervisory authorities and national accreditation bodies establish a more consistent, harmonised approach for the implementation of certification mechanisms in accordance with the GDPR. DOWNLOAD THE GUIDELINES HERE  

Control activity results in 2018

During the year 2018, a total of 725 investigations were carried out by the Romanian Supervisory Authority

Source: Romanian Supervisory Authority

According to a brochure released during the official Data Privacy Day in 28th of January 2019, the Romanian Supervisory Authority published the first control activity results for 2018.

During this period, the Supervisory Authority received a total number of 5020 of complaints and intimations. Out of these, 3064were received starting with the 25th of May 2018, the date from which the provisions of Regulation (EU) 2016/679 become applicable.

The main areas covered by the complaints and intimations received by the Supervisory Authority in 2018 were:

  • video surveillance by different entities
  • receiving unsolicited commercial messages by telephone, email or SMS
  • the disclosure of personal data over the Internet
  • violation of the rights provided by Regulation (UE) 2016/679
  • data reporting to “Biroul de Credit”
  • violation of security and confidentiality measures of personal data processing by not implemented by the data controllers the appropriate technical and organisational measures in order to ensure the security of the processing
  • non-compliance with the privacy by design/privacy by default principles by certain entities within the framework of the processing (in the case of online applications)
  • non-observance of the conditions for consent in the online environment
  • non-observance of the legal conditions for the uses of cookies

Also, according to the same brochure, during the year 2018, a total of 725 investigations were carried out both in writing and in situ, and the total amount of the sanctions with a fine applied during the same period is 631500 Romanian Lei. Furthermore, after the 25th of May 2018, in order to comply with the provisions of Article 33 of the GRPR, the data controllers have submitted a number of309 notifications of the personal data breach (security breaches). DOWNLOAD THE BROCHURE HERE

Cybersecurity

How easy is to spy on WhatsApp chats?

Avira blog article is telling us about the silent danger shadowing in the WhatsApp messaging service. If you want to share your little secrets with friends be extremely careful.

Around 1.2 billion people globally share intimate details and business secrets service each day. Anyone could penetrate the WhatsApp chats without any hacking knowledge. Here are some ways to do this:

Using a spying app – thousands of commercial monitoring services are popping up on the internet. These can help hobbyist spies keep tabs on everything that’s happening on target smartphones in one fell swoop – including entire WhatsApp chat histories. In addition, they can even gain access to incoming, outgoing, and even missed calls, the calendar, photos, location histories, and lots more besides – everything beautifully presented and accessible online.

Using the official WhatsApp app – Being also available for computers, is apparently easy to abuse this service for spying purposes each time the victim’s smartphone connects to the home Wi-Fi network.

Adopting hacker methods – the WhatsApp snoop pretends to hold the intended victim’s smartphone. But what’s actually happening is that this person is using special apps to swap their device’s MAC address with the target’s smartphone MAC address. While it sounds complicated, the whole thing is relatively easy to achieve when it’s being done within the close circle of family or friends. READ FULL ARTICLE HERE  

Data Breaches

First GDPR fine in Hungary for exposing data subject’s rights

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently issued two decisions dealing with breaches of data protection rules set by the European General Data Protection Regulation (‘GDPR’).

The subsequent investigations led to the levy of a fine of EUR 3,135 against one company. These are the first cases in which the NAIH considered the imposition of fines. Both procedures were conducted at the request of the data subjects, and the identities of the companies were not released. In one of the case, an individual visited the infringing company’s office and asked to inspect certain documents related to a dispute.

The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time.

After reviewing this case, the NAIH found that the company infringed the individual’s access rights, and clarified the following principles on the right to access:

  • the data controller cannot request any justification from an individual making a data request;
  • the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.

The NAIH imposed a fine of HUF 1,000,000 (EUR 3,135) against the company, which represents 6.5 % of its annual net sales revenue and considered the following circumstances when determining the amount of the fine: According to a lexology.com article Hungarian rules on CCTV operation are currently not in line with the GDPR, and stipulate that if an individual requests a data controller not to delete a CCTV recording, he must prove that the recording affects his rights or legal interests. This provision violates the GDPR, and cannot apply.

As a result, Hungarian companies are advised to update their subject access rights (SAR) procedures to reflect the GDPR. MORE ABOUT THIS HERE  

Brexit:

“No deal” implication in the law enforcement sector

ICO released guidance for processing personal data in the event of a no-deal Brexit. 

This checklist highlights five steps law enforcement authorities can take to prepare for data protection compliance if the UK leaves the EU without a deal.

This guidance is for ‘competent authorities’ processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018 (DPA 2018). The relevant law enforcement processing regime in Part 3 of the DPA 2018 will continue to apply after the UK will leave the EU.

Therefore, the best preparation is to ensure compliance with the DPA 2018 MORE ABOUT THIS HERE  

Data protection

12 Types of Data That Businesses Need To Protect But Often Do Not

According to a 7wdata.be article businesses often do not adequately protect all of the information that they should be securing. $400 billion per year are espionage hacking costs in the United States, estimated the Office of the Director of National Intelligence in November 2015.

Security professionals commonly discover that many businesses that, in fact, do expend significant resources on information security often neglect to adequately shield some of their data that should be better protected. Some examples here:

While most people realize that payroll data and other records containing personal information must be protected, many folks neglect to afford proper protection for communications regarding performance on projects and other materials that could be highly damaging to a firm if they leak. Such HR-related information may exist in all sorts of formats, and hackers can exploit it to social engineer their way into an Organization.

Also, consider the damage to morale and staff productivity if HR data leaks – such adverse effects are often christened “indirect damage,” but, direct or not, they can certainly be quite costly to a company’s top and bottom lines.

Furthermore, when a business sees to hire new people, how many stars will want to join a firm that they know has leaked private information about prior employees? Many organizations that spend a lot to protect data, neglect to adequately protect the same information when it is stored in backups.

Organizations must address the risk of data on employees’ and contractors’ flash drives, memory cards, smartphones, home computers, and all sorts of other devices that can store information. Many firms do so only in part. READ FULL ARTICLE HERE  

Research

CEO considered the weakest link in security measures

Shows a new report from The Bunker, a UK’s cloud managed services and data centre provider. The report concluded that senior executives are still often the weakest link in the corporate cybersecurity chain and that cybercriminals target this vulnerability to commit serious data breaches.

According to the white paper, “Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain”, many senior executives ignore the threat from hackers and cybercriminals and often feel that security policies in their respective organisations do not apply to their unique position.

“Many businesses assume that a cloud-hosted service, such as Office 365, comes with automatic back-up and security provisions. Unfortunately, it does not,” said Phil Bindley, Managing Director, The Bunker. “Unless stated and agreed, vendors do not guarantee complete system security or data backup as standard, so organisations need to be careful and have a full understanding of the SLAs in place. We advise people to replace the word ‘cloud’ with ‘someone else’s computer’, to get a better perspective of the risks that need to be mitigated when deploying a cloud-based service”.

All employees -especially those at the top of the corporate ladder- need to realise that cybercriminals use social engineering, email phishing and malware to access personal accounts, and C-level staff especially need to avoid becoming the weakest link in the cybersecurity chain by adhering to regularly updated, company-wide security policies regarding data sharing and backup.

“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organisations and their senior executives will be well positioned to avoid the high financial costs, reputational damage and unexpected downtime that could result from a cyberattack or data breach,” concluded Phil Bindley.  DOWNLOAD A FREE COPY OF THE WHITE PAPER  

One thought on “GDPR READY WEEKLY NEWS – No 6, February 2019

Comments are closed.