GDPR READY WEEKLY NEWS – No 6, February 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Guidelines: Codes of Conduct and Certification Mechanisms – The European Data Protection Board released guidelines on codes of conduct and monitoring bodies and on certification mechanisms under Articles 42 and 43 of the GDPR.

2018 Control activity results: 725 investigations were carried out by the Romanian Supervisory Authority – In a brochure released on Data Privacy Day, 28 January 2019, the Romanian Supervisory Authority published its first control activity results for 2018.

Cybersecurity: How easy is it to spy on WhatsApp chats? – An Avira blog article describes the silent danger shadowing the WhatsApp messaging service.

Data Breaches: First GDPR fine in Hungary for infringing a data subject’s right of access – The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently issued two decisions dealing with breaches of the data protection rules set by the GDPR.

Brexit: “No deal” implications for the law enforcement sector – The ICO released guidance for processing personal data in the event of a no-deal Brexit.

Data protection: 12 Types of Data That Businesses Need to Protect but Often Do Not – According to a 7wdata.be article, businesses often do not adequately protect all of the information that they should be securing.

Research: CEO considered the weakest link in security measures – according to a new report from The Bunker, a UK cloud, managed services and data centre provider.

Guidelines

Codes of Conduct and Certification Mechanisms

The EDPB released guidelines on codes of conduct and monitoring bodies and on certification mechanisms; the summary below concerns the certification guidelines (Articles 42 and 43 of the GDPR).

The GDPR does not introduce a right to or an obligation of certification for controllers and processors; as per Article 42(3), certification is a voluntary process to assist in demonstrating compliance with the GDPR.

Member States and supervisory authorities should encourage the establishment of certification mechanisms and have to determine their engagement in the certification process and lifecycle. These guidelines are limited in scope; they are not a procedural manual for certification in accordance with the GDPR.

The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines:

  • explore the rationale for certification as an accountability tool;
  • explain the key concepts of the certification provisions in Articles 42 and 43;
  • explain the scope of what can be certified under Articles 42 and 43 and the purpose of certification.

The GDPR allows for a number of ways for the Member States and supervisory authorities to implement Articles 42 and 43. The guidelines provide advice on the interpretation and implementation of the provisions in Articles 42 and 43 and will help the Member States, supervisory authorities and national accreditation bodies establish a more consistent, harmonised approach for the implementation of certification mechanisms in accordance with the GDPR. DOWNLOAD THE GUIDELINES HERE  

Control activity results in 2018

During the year 2018, a total of 725 investigations were carried out by the Romanian Supervisory Authority

Source: Romanian Supervisory Authority

In a brochure released on Data Privacy Day, 28 January 2019, the Romanian Supervisory Authority published its first control activity results for 2018.

During this period, the Supervisory Authority received a total of 5,020 complaints and notifications. Of these, 3,064 were received from 25 May 2018 onwards, the date from which the provisions of Regulation (EU) 2016/679 became applicable.

The main areas covered by the complaints and notifications received by the Supervisory Authority in 2018 were:

  • video surveillance by different entities
  • receiving unsolicited commercial messages by telephone, email or SMS
  • the disclosure of personal data over the Internet
  • violation of the rights provided by Regulation (EU) 2016/679
  • data reporting to “Biroul de Credit”
  • violation of the security and confidentiality of personal data processing, where data controllers had not implemented appropriate technical and organisational measures to ensure the security of the processing
  • non-compliance with the privacy by design/privacy by default principles by certain entities in the course of processing (in the case of online applications)
  • non-observance of the conditions for consent in the online environment
  • non-observance of the legal conditions for the uses of cookies

Also, according to the same brochure, during 2018 a total of 725 investigations were carried out, both in writing and on site, and the total amount of the fines applied during the same period was 631,500 Romanian lei (RON). Furthermore, after 25 May 2018, in order to comply with Article 33 of the GDPR, data controllers submitted 309 notifications of personal data breaches (security breaches). DOWNLOAD THE BROCHURE HERE

Cybersecurity

How easy is it to spy on WhatsApp chats?

An Avira blog article describes the silent danger shadowing the WhatsApp messaging service. If you want to share your little secrets with friends, be extremely careful.

Around 1.2 billion people globally share intimate details and business secrets via the service each day. According to the article, anyone could get into a WhatsApp chat without any hacking knowledge. Here are some of the ways it describes:

Using a spying app – thousands of commercial monitoring services are popping up on the internet. These help hobbyist spies keep tabs on everything that is happening on the target smartphone in one fell swoop, including entire WhatsApp chat histories. They can also gain access to incoming, outgoing and even missed calls, the calendar, photos, location histories and much more, all neatly presented and accessible online.

Using the official WhatsApp app – since WhatsApp is also available for computers, the article says this client is easy to abuse for spying purposes: once linked to the victim’s smartphone, it mirrors the chats each time the phone connects to the home Wi-Fi network.

Adopting hacker methods – the WhatsApp snoop makes their own device impersonate the intended victim’s smartphone by using special apps to change its MAC address to the MAC address of the target’s phone. While it sounds complicated, the article claims this is relatively easy to achieve within a close circle of family or friends, where physical access to the phone is available. READ FULL ARTICLE HERE

Data Breaches

First GDPR fine in Hungary for infringing a data subject’s right of access

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently issued two decisions dealing with breaches of data protection rules set by the European General Data Protection Regulation (‘GDPR’).

The subsequent investigations led to a fine of EUR 3,135 against one company. These are the first cases in which the NAIH considered imposing fines. Both procedures were initiated at the request of the data subjects, and the identities of the companies were not released. In one of the cases, an individual visited the infringing company’s office and asked to inspect certain documents related to a dispute.

The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time.

After reviewing this case, the NAIH found that the company infringed the individual’s access rights, and clarified the following principles on the right to access:

  • the data controller cannot request any justification from an individual making a data request;
  • the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.

The NAIH imposed a fine of HUF 1,000,000 (EUR 3,135) on the company, which represents 6.5 % of its annual net sales revenue, taking several circumstances into account when determining the amount. According to a lexology.com article, the Hungarian rules on CCTV operation are currently not in line with the GDPR: they stipulate that if an individual asks a data controller not to delete a CCTV recording, he must prove that the recording affects his rights or legal interests. This provision conflicts with the GDPR and cannot apply.

As a result, Hungarian companies are advised to update their subject access rights (SAR) procedures to reflect the GDPR. MORE ABOUT THIS HERE  

Brexit:

“No deal” implications for the law enforcement sector

The ICO released guidance for processing personal data in the event of a no-deal Brexit.

This checklist highlights five steps law enforcement authorities can take to prepare for data protection compliance if the UK leaves the EU without a deal.

This guidance is for ‘competent authorities’ processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018 (DPA 2018). The law enforcement processing regime in Part 3 of the DPA 2018 will continue to apply after the UK leaves the EU.

Therefore, the best preparation is to ensure compliance with the DPA 2018. MORE ABOUT THIS HERE

Data protection

12 Types of Data That Businesses Need To Protect But Often Do Not

According to a 7wdata.be article, businesses often do not adequately protect all of the information that they should be securing. In November 2015 the Office of the Director of National Intelligence estimated that hacking for economic espionage costs the United States around $400 billion per year.

Security professionals commonly find that many businesses that do expend significant resources on information security nevertheless neglect to adequately shield some of the data that should be better protected. Some examples:

While most people realise that payroll data and other records containing personal information must be protected, many neglect to properly protect communications regarding performance on projects and other materials that could be highly damaging to a firm if they leak. Such HR-related information may exist in all sorts of formats, and attackers can exploit it to social-engineer their way into an organisation.

Also, consider the damage to morale and staff productivity if HR data leaks – such adverse effects are often christened “indirect damage,” but, direct or not, they can certainly be quite costly to a company’s top and bottom lines.

Furthermore, when a business seeks to hire new people, how many top candidates will want to join a firm that they know has leaked private information about prior employees? Many organisations that spend a lot to protect data neglect to protect the same information adequately when it is stored in backups.

Organizations must address the risk of data on employees’ and contractors’ flash drives, memory cards, smartphones, home computers, and all sorts of other devices that can store information. Many firms do so only in part. READ FULL ARTICLE HERE  

Research

CEO considered the weakest link in security measures

So shows a new report from The Bunker, a UK cloud, managed services and data centre provider. The report concluded that senior executives are still often the weakest link in the corporate cybersecurity chain and that cybercriminals target this weakness to commit serious data breaches.

According to the white paper, “Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain”, many senior executives ignore the threat from hackers and cybercriminals and often feel that security policies in their respective organisations do not apply to their unique position.

“Many businesses assume that a cloud-hosted service, such as Office 365, comes with automatic back-up and security provisions. Unfortunately, it does not,” said Phil Bindley, Managing Director, The Bunker. “Unless stated and agreed, vendors do not guarantee complete system security or data backup as standard, so organisations need to be careful and have a full understanding of the SLAs in place. We advise people to replace the word ‘cloud’ with ‘someone else’s computer’, to get a better perspective of the risks that need to be mitigated when deploying a cloud-based service”.

All employees, especially those at the top of the corporate ladder, need to realise that cybercriminals use social engineering, email phishing and malware to gain access to personal accounts. C-level staff in particular need to avoid becoming the weakest link in the cybersecurity chain by adhering to regularly updated, company-wide security policies on data sharing and backup.

“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organisations and their senior executives will be well positioned to avoid the high financial costs, reputational damage and unexpected downtime that could result from a cyberattack or data breach,” concluded Phil Bindley.  DOWNLOAD A FREE COPY OF THE WHITE PAPER  

GDPR READY WEEKLY NEWS – No 5, February 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Survey: Greece, Italy and Romania have reported the fewest breaches per capita – More than 59,000 personal data breaches notified to regulators in the first eight months after GDPR coming into force, according to a DLA Piper survey.

Public Policies: The GDPR Cookies Paradox – Asking users to consent every time they visit a website is far from the spirit of the GDPR.

Inside Threats: Security Principle of GDPR – Data breaches caused by negligent and malicious insiders have increased by 26% and 53% respectively in the past two years.

Brexit: What will be the impact on data protection? – If the UK exits the EU on 29 March 2019 without a deal, the UK would still be subject to the GDPR, but as of 30 March 2019 it would become a “third country”.

Legislation: Tech giants join forces to support a US GDPR – Apple chief executive Tim Cook’s call for the US to introduce GDPR-style legislation is gaining momentum.

IoT: Child smartwatch as possible serious risk – The European Commission has ordered the recall of a smart watch aimed at kids that allows miscreants to pinpoint the wearer’s location, posing a potentially “serious risk”.

Image of the week: CYBERSECURITY REFERENCE MODEL  

Survey

Greece, Italy and Romania have reported the fewest breaches per capita

According to a DLA Piper GDPR survey, eight months since the GDPR came into force, more than 59,000 personal data breaches have been notified to regulators.

These range from minor breaches, such as errant emails sent to the wrong recipient, to major cyber attacks affecting millions of individuals and making front-page headlines.

The Netherlands, Germany and the UK had the most data breaches notified to supervisory authorities, with around 15,400, 12,600 and 10,600 respectively. The countries with the fewest breaches notified were Liechtenstein, Iceland and Cyprus with around 15, 25 and 35 breaches respectively.

Ranked by breaches notified per capita, the countries with the most breaches notified are the Netherlands, Ireland and Denmark. At the other end of the scale, Greece, Italy and Romania have reported the fewest breaches per capita.

To date, 91 fines have been reported under the GDPR. The highest GDPR fine imposed so far is €50 million, a decision by the CNIL against Google (not relating to a personal data breach).

The German data protection authority LfDI Baden-Württemberg imposed a €20,000 fine on a company for failing to hash employee passwords, which resulted in a security breach. The same authority imposed an €80,000 fine in January 2019 for publishing health data on the internet. German authorities have also reported 62 other fines.
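The LfDI fine above turned on one concrete defect: employee passwords stored as-is, so a single database leak exposed every credential. The following is an added example, not code from the survey or from the fined company, showing what "hashing passwords" means in practice: a per-record random salt, a deliberately slow derivation (PBKDF2-HMAC-SHA256, a standard-library choice), constant-time comparison on login, and a small audit function that flags records still held in the plaintext format. The user table, the passwords in it, the record format and the iteration count are constructed for this example.

```python
"""Plaintext password store versus salted PBKDF2 storage (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample "user table" in the state the regulator fined:
# the password itself is the stored credential.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "Winter2019!", "bob": "hunter2"}

# Parameters chosen for this example; treat the iteration count as a floor,
# not a ceiling, and raise it as hardware gets faster.
ALGO = "sha256"
ITERATIONS = 310_000
SALT_BYTES = 16
KEY_LEN = 32
SCHEME = "pbkdf2"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$algo$iterations$salt$derived_key.

    A fresh random salt per record means two users with the same password
    get different records, and a precomputed table is useless against the dump.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN)
    return "$".join([
        SCHEME,
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in constant time.

    Any malformed record (including a legacy plaintext value) fails closed.
    """
    try:
        scheme, algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        rounds = int(iterations)
    except ValueError:  # wrong field count, bad base64 or non-numeric iterations
        return False
    if scheme != SCHEME or rounds <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, rounds, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def migrate_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every plaintext credential with a hashed record."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def audit_store(store: Dict[str, str]) -> List[str]:
    """Return the users whose stored credential is not in the hashed record format.

    This is the check a reviewer can run over an exported table before,
    rather than after, a breach: a non-empty result means reusable secrets at rest.
    """
    return [user for user, value in store.items() if not value.startswith(SCHEME + "$")]


if __name__ == "__main__":
    print("plaintext records:", audit_store(PLAINTEXT_STORE))
    hashed = migrate_store(PLAINTEXT_STORE)
    print("plaintext records after migration:", audit_store(hashed))
    print("alice logs in:", verify_password("Winter2019!", hashed["alice"]))
    print("wrong password:", verify_password("winter2019!", hashed["alice"]))
```

The record carries its own algorithm and iteration count so that the parameters can be raised later and old records re-hashed on the user's next successful login; a purpose-built password hash such as Argon2 or bcrypt is preferable where a library is available, but the structure shown here (random salt, slow derivation, constant-time compare, fail-closed parsing) is the same.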

The majority of fines are relatively low in value, including a €4,800 fine issued in Austria for the operation of an unlawful CCTV system that was deemed excessive for its partial surveillance of a public sidewalk. Cyprus also reported four fines, with a total value of €11,500, and Malta reported 17 fines, a surprisingly large number given the relatively small size of the country. Not all of the countries covered by this report make breach notification statistics publicly available and many provided data for only part of the period covered by this report. READ FULL REPORT HERE  

Public Policies

The GDPR Cookies Paradox

Last November, members of the European Consumer Organisation, BEUC, lodged formal complaints against Google with their national Data Protection Authorities based on research carried out by the Norwegian Consumer Council (NCC).

The study analysed settings in Facebook, Google and Windows 10, and found that the interfaces were designed in a way that makes turning off privacy-intrusive settings much harder than turning them on. The NCC said that “default settings, dark patterns, techniques and features of interface design” are meant to “manipulate users” and drive them towards privacy-intrusive options. This practice, which the NCC described as “unethical, deceptive and manipulative”, could violate the GDPR’s principles of “informed consent” and “data protection by design and by default”.

According to the study, many sites require users to give consent or leave the site, while many interfaces “nudge” users into making what may not be a fully informed choice, through a combination of design and wording tactics that obscure privacy-friendly choices, offer an illusion of control, or require users to expend more time and effort to choose the pro-privacy option.

Users are encouraged to click on the “Agree” button through clever design. Scare tactics are also used, as popups are worded to compel users to choose certain options, while information is omitted or downplayed. Users are often asked to review hundreds of ad trackers.

The problem is often heightened with mobile sites, where the limited size of smartphone screens can further cramp the interface, making it more cumbersome for users to manage their consent options.

Could ePrivacy be the key to real consent? Although the GDPR sets out the conditions under which personal data may be collected and processed, it is the ePrivacy Directive that actually sets out when and how cookies can be used. Tracking people without their consent is already illegal under the ePrivacy Directive, but the GDPR establishes a stronger definition of consent: it must be freely given, specific and informed.

Unfortunately for those pinning their hopes on a revised ePrivacy Regulation, negotiations have stalled as national governments cannot agree on their position. The European Parliament reached its position back in October 2017, but cannot begin negotiations without the member states. MORE ABOUT THE NCC STUDY  

Inside Threats

Security Principle of GDPR

Eight months after the introduction of the GDPR, the European Commission reports that regulators have received more than 95,000 complaints from individuals. What is certain is that the pattern of cyber-attacks and insider-led data breaches shows no signs of declining.

It is crucial for organisations to keep abreast of serious threats to their cybersecurity, and the insider threat is one that cannot be ignored. Given its significance, organisations need to implement “appropriate technical or organisational measures” to prevent, detect and respond to the insider threat.

According to the ICO, the sixth GDPR principle, known as the “security principle”, is the “integrity and confidentiality” principle set out in Article 5(1)(f). It requires organisations to use “appropriate technical or organisational measures” to process personal data in a manner that “ensures appropriate security of the personal data and protects against its unauthorised or unlawful processing and its accidental loss, destruction or damage”.

What do “appropriate technical or organisational measures” mean in practice? At a minimum this should be understood to include maintaining an information security policy and taking steps to make sure that the policy is actually applied.

While many organisations have basic cybersecurity measures in place, such as protection against malware, backups for data, and password protected systems, often these methods are focused on protecting against external cyber intrusions. But it’s also essential for organisations to evaluate whether their “technical and organisational” measures are up to snuff with respect to cyber threats that originate from within company firewalls. Insider threats occur when someone with authorised access to critical information or systems misuses that access and breaches data security, either intentionally or accidentally.

The most famous insider threat is the case of Edward Snowden. Recent research by the Ponemon Institute (The Costs of Insider Threats, 2018) indicates that data breaches caused by negligent and malicious insiders have increased by 26% and 53% respectively in the past two years, and the cost of the insider threat to individuals and businesses has only risen. As insider threats become progressively more common and damaging, organisations need to factor them into their information security measures in order to avoid falling foul of the security principle.

The security principle expressly acknowledges that both the security measures taken and the level of security for processing personal data should be appropriate to the particular circumstances at hand, bearing in mind the risks that the processing poses and the costs versus benefits of the security measures taken.

Preventative measures can include employee cybersecurity training and clear organisational policies that set out the security precautions and restrictions employees should abide by.

Detecting insider threats can be challenging, but solutions that provide full visibility into activity, with real-time alerting of suspicious activity, go a long way to identifying questionable behaviour and stopping data loss before it happens. Importantly, such tools can be implemented without infringing on employee privacy. ORIGINAL ARTICLE HERE  
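The section above says detection depends on visibility into activity and alerting on what is suspicious, and that this can be done without intruding on employee privacy. As an added example (not code from the original article or from any product it refers to), the following runs three simple rules over a file-access audit log: access to a sensitive area by someone outside its authorised group, access to a sensitive area outside working hours, and a burst of downloads by one user within a short window. The log lines, the sensitive path prefixes, the authorised groups and the thresholds are all constructed for this example. Note that every rule works on metadata only (who, what, when, how much), not on file contents, which is what keeps the monitoring proportionate.

```python
"""Rule-based insider-activity alerts over a constructed file-access audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log, one line per file access; not real data.
SAMPLE_LOG = """\
2019-02-04T09:05:12Z user=alice action=read path=/hr/handbook.pdf bytes=1048576
2019-02-04T09:06:40Z user=alice action=download path=/hr/payroll_2018.xlsx bytes=5242880
2019-02-04T23:14:02Z user=dave action=download path=/hr/payroll_2018.xlsx bytes=5242880
2019-02-04T10:00:01Z user=carol action=download path=/eng/design.pdf bytes=204800
2019-02-04T10:00:09Z user=carol action=download path=/eng/roadmap.pptx bytes=409600
2019-02-04T10:00:15Z user=carol action=download path=/eng/spec.docx bytes=102400
2019-02-04T10:00:22Z user=carol action=download path=/eng/budget.xlsx bytes=51200
2019-02-04T10:00:30Z user=carol action=download path=/eng/contacts.csv bytes=20480
2019-02-04T11:30:00Z user=bob action=read path=/finance/ledger.xlsx bytes=307200
"""

# Assumed sensitive areas and the users entitled to each (constructed).
SENSITIVE_OWNERS: Dict[str, Set[str]] = {
    "/hr/": {"alice"},
    "/finance/": {"bob"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"],
            "path": m["path"], "bytes": int(m["bytes"])}


def sensitive_prefix(path: str) -> Optional[str]:
    """Return the sensitive area a path falls under, or None."""
    for prefix in SENSITIVE_OWNERS:
        if path.startswith(prefix):
            return prefix
    return None


def detect(lines: Iterable[str], bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10),
           night: Tuple[int, int] = (22, 6)) -> List[Alert]:
    """Apply the three rules in timestamp order and return the alerts raised."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    alerts: List[Alert] = []
    # Sliding window of recent download timestamps per user for the burst rule.
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    for e in events:
        prefix = sensitive_prefix(e["path"])
        # Rule 1: sensitive area touched by a user who is not in its authorised group.
        if prefix is not None and e["user"] not in SENSITIVE_OWNERS[prefix]:
            alerts.append(("unauthorised_access", e["user"], e["path"]))
        # Rule 2: sensitive area touched outside working hours (UTC, 22:00-06:00 by default).
        hour = e["ts"].hour
        if prefix is not None and (hour >= night[0] or hour < night[1]):
            alerts.append(("off_hours", e["user"], e["ts"].isoformat()))
        # Rule 3: bulk download burst; fire once when the count crosses the threshold.
        if e["action"] == "download":
            q = recent[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) == bulk_threshold:
                alerts.append(("bulk_download", e["user"], f"{len(q)} downloads within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {user:8} {detail}")
```

In the sample, dave triggers both the unauthorised-access and off-hours rules on the payroll file, carol triggers the burst rule with five downloads in under a minute, and the authorised daytime accesses by alice and bob raise nothing. Thresholds like these need tuning per organisation, and any alert is a prompt for a human to look, not a finding in itself.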

Brexit

What will be the impact on data protection?

If the UK exits the EU on 29 March 2019 without a deal, the UK would still be subject to the GDPR, but as of 30 March 2019 it would become a “third country”.

One of the ways in which personal data can be lawfully exported to a third country is by what is called an ‘adequacy decision’ from the European Commission.

Argentina, Canada, Switzerland and many other countries have already been recognised as providing adequate protection, but there is little chance that the UK will have been deemed ‘adequate’ by the European Commission by 30 March 2019. The Information Commissioner’s Office (ICO) has said: ‘an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.’ SOURCE GDPR REPORT

Legislation

Tech giants join forces to support a US GDPR

Apple chief executive Tim Cook’s call for the US to introduce GDPR-style legislation is gaining momentum among the technology giants, with Cisco and Microsoft the latest firms urging the US to follow in the footsteps of the European Union.

Cisco told the Financial Times that it wants US politicians to devise and implement their own version of the European regulation in the coming months, despite criticism that the legislation is too harsh on businesses and overly broad.

Cisco’s chief legal officer Mark Chandler explained to the FT that the GDPR has been successful in Europe and that now is the time for the US to adopt a similar policy. “We believe that the GDPR has worked well, and that with a few differences, that is what should be brought in in the US as well,” said Chandler.

Microsoft chief executive Satya Nadella has also given his backing to new US legislation and gone one further by calling for a ‘global GDPR’ to be drafted: “One of the things we do not want to do is fragment the world and increase transaction costs, because ultimately it’s going to be borne in our economic figures. I hope we all come together, the United States and Europe first, and China. All the three regions will have to come together and set a global standard.” SOURCE DATAIQ

IoT

Child smartwatch as possible serious risk 

The European Commission has ordered the recall of a smart watch aimed at kids that allows miscreants to pinpoint the wearer’s location, posing a potentially “serious risk”.

The commission uses its Rapid Alert System for Non-Food products (Rapex) to send out alerts to other nations in the European Economic Area about dangerous products in their markets.

The latest weekly report includes German firm Enox’s Safe-KID-One watch, which is marketed to parents as a way of keeping tabs on their little ones – ostensibly to keep them safe – and comes with one-click buttons for speed-dialling family members.

According to an article published by The Register, the Commission said the device does not comply with the Radio Equipment Directive and detailed “serious” risks associated with it. “The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data,” the alert said. READ HERE THE ORIGINAL ARTICLE

GDPR READY WEEKLY NEWS – No 4, February 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Research: Cisco Study finds 78% of GDPR-Ready Firms were breached – Cisco released its 2019 Data Privacy Benchmark Study on the impact and business benefits of data privacy, based on responses from 3,200 privacy and security professionals in 18 countries.

Standards: Avoiding GDPR Consequences adopting ISO 27001 – One of the most popular methods for addressing information security concerns throughout a business is the ISO 27001 Information Security Standard.

Study: 95K Complaints received in Europe – Since the General Data Protection Regulation (GDPR) became applicable on 25 May 2018, Data Protection Authorities (DPAs) across Europe have received 95,180 complaints about the mishandling of personal data, and companies have reported a record 41,502 data breaches.

Data Breach: Airbus’ employees in Europe impacted – Airbus SE detected a cyber-incident on Airbus “Commercial Aircraft business” information systems, which resulted in unauthorised access to data. No detected impact on Airbus’ commercial operations.

Vulnerabilities: Total Donations plugin could expose WordPress Websites – Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited in the wild.  

Research:

Cisco Study finds 78% of GDPR-Ready Firms were breached

According to the Cisco study, organisations are benefitting from their privacy investments beyond compliance. While only 59% of companies believe they are ready for all or most of the GDPR’s requirements, those that are ready are capturing substantial business benefits, such as reduced sales friction and greater data security, compared to the others.

Specifically, GDPR-ready companies are experiencing shorter sales delays due to customers’ privacy concerns. Their average delay was 3.4 weeks, compared to 5.4 weeks for those that are least ready for the GDPR. GDPR-ready companies were also less likely to be breached (74% were breached) than the least ready (89% breached).

And, most interestingly, when a breach did occur, fewer data records were impacted.  GDPR-ready companies averaged 79,000 records impacted compared with 212,000 records impacted for the least GDPR-ready.   As a result, only 37% of the GDPR-ready companies had data breaches costing more than $500,000, compared with 64% of the least GDPR-ready companies.

Nearly all companies (97%) say they are receiving auxiliary benefits today from their data privacy investments and that privacy is a competitive differentiator in their markets. Cisco recommends that companies:

  • Invest in privacy maturity to address the requirements of GDPR and other relevant privacy regulations and frameworks;
  • Measure any privacy-related sales delays with existing customers or prospects, identify the causes of delays, and take action to reduce them;
  • Minimize the amount of personal data that is stored and processed, and put in place appropriate protections for this data based on risk to help reduce costs and minimize the impact if/when there is a data breach
  • Once data is appropriately protected, work to maximize the value of the organization’s data assets over the lifecycle of the data

  READ MORE ABOUT CISCO STUDY  

Standards:

Avoiding GDPR Consequences adopting ISO 27001

ISO 27001 is an excellent resource for businesses who want to secure their corporate data, regardless of whether they have internet accessible systems or work with personal or sensitive data.

Although it is not designed specifically with the challenges of GDPR compliance in mind, it can be adapted to them with the appropriate knowledge. An Information Security Management System (ISMS) puts in place processes that help preserve the confidentiality, integrity and availability of corporate data. Although the Standard does not specifically address personal information, identifying the relevant laws and regulations with which compliance is required is part of it, and under this requirement any organisation processing Personally Identifiable Information (PII) would need to comply with the DPA (and/or GDPR).

According to an article published in Infosecurity Magazine, implementing an ISO 27001-certified ISMS that complies with the GDPR and the DPA requires the following steps:

  • Understanding the Organization – Identify and document what information is held and how it is used, as well as any external and internal issues that affect the needs and expectations of customers and suppliers.
  • Culture of Security – To be truly effective, information security practices and concerns should be considered at all points in business operations, from planning to implementation and post-production activities.
  • Continual Improvement – Part of this is ensuring that the right resources and tools are available in the first instance, but businesses should also be measuring and analysing any changes, risks and opportunities
  • Incident Reporting – businesses must be prepared to notify those affected and report the issue to the relevant authorities. Incidents should be treated as learning experiences with data collected and analyzed to prevent similar issues from occurring in future.
  • Security Controls – To comply with ISO 27001, businesses will need to define and implement information security controls describing specific behaviors and steps that must be taken in certain situations to ensure the information security is maintained. READ ORIGINAL ARTICLE HERE  

Study:

95K Complaints received by DPAs in Europe

Following the 95,180 complaints introduced by both individuals and organizations mandated by individuals since the enactment of the GDPR, a number of 255 investigations were initiated by national Data Protection Authorities, and 41,502 data breaches were reported by companies since 25 May 2018.

European Commission’s statistics say that the most common types of GDPR complaints were related to telemarketing, promotional e-mails, and to video surveillance/CCTV, which were found to violate multiple provisions.

The European Commission’s joint statement said that: “We are already beginning to see the positive effects of the new rules. Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work. They have by now received more than 95,000 complaints from citizens.”

As reported by Cisco in its Data Privacy Benchmark Study, companies that closely follow the requirements of the GDPR experience benefits such as a lower frequency and impact of data breaches, shorter downtimes, fewer records affected by attacks, and lower overall costs. READ MORE HERE

Data Breach:

Airbus’ employees in Europe impacted

Airbus SE detected a cyber-incident on Airbus “Commercial Aircraft business” information systems, which resulted in unauthorised access to data. There is no impact on Airbus’ commercial operations.

This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins.

Investigations are ongoing to understand if any specific data was targeted, however, we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.

The company is in contact with the relevant regulatory authorities and the data protection authorities pursuant to the GDPR (General Data Protection Regulation). READ THE NEWS ANNOUNCEMENT HERE

Vulnerabilities

Total Donations plugin could expose WordPress Websites

Total Donations is a plugin that lets non-profit, political, and religious organizations accept donations. According to Wordfence, the security flaws affect all versions of the plugin, including version 2.0.5. Successfully exploiting the zero-day can let unauthenticated attackers remotely modify values in the donation form.

The zero-day is related to the way the plugin’s Asynchronous JavaScript and XML (AJAX) handlers incorrectly carry out its access control function. AJAX is a web development technique used for creating dynamic web pages and applications.

Wordfence noted that 49 of 88 AJAX actions in Total Donations could be exploited by hackers to access and steal data, alter the site’s content and settings, or remotely hijack the website. Around 33 percent of all websites are powered by the WordPress content management system (CMS).
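The flaw class described above, an AJAX action that changes plugin settings without checking who is calling, is common enough that the defensive pattern is worth showing. The following is an added illustration, not code from Total Donations or from Wordfence: a weak handler is placed beside a hardened one. The action names (`demo_weak_update_settings`, `demo_update_settings`), the option key `demo_donation_amounts`, the nonce action string and the script handle `demo-settings` are all hypothetical; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`, `wp_create_nonce`, `wp_localize_script`) are the real core APIs.

```php
<?php
// Added illustration of WordPress AJAX access control (not Total Donations code).
// All names prefixed "demo_" are hypothetical.

// --- Weak pattern ------------------------------------------------------------
// Registering the same handler on both wp_ajax_* and wp_ajax_nopriv_* makes the
// action reachable by logged-out visitors, and the handler trusts the request.
add_action( 'wp_ajax_demo_weak_update_settings', 'demo_update_settings_weak' );
add_action( 'wp_ajax_nopriv_demo_weak_update_settings', 'demo_update_settings_weak' );

function demo_update_settings_weak() {
    // No nonce, no capability check, no validation: anyone who can reach
    // admin-ajax.php can overwrite the stored setting with arbitrary data.
    update_option( 'demo_donation_amounts', $_POST['amounts'] );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
// Registered for logged-in users only; there is deliberately no
// wp_ajax_nopriv_ hook, so unauthenticated callers get WordPress's default
// "0" response and this function never runs.
add_action( 'wp_ajax_demo_update_settings', 'demo_update_settings_hardened' );

function demo_update_settings_hardened() {
    // Reject requests that do not carry a valid nonce for this specific
    // action (CSRF guard). check_ajax_referer() dies on failure.
    check_ajax_referer( 'demo_donation_settings_nonce', 'nonce' );

    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Accept only a list of positive integers; everything else is dropped.
    // absint() coerces each value and array_filter() removes zeros.
    $raw = array();
    if ( isset( $_POST['amounts'] ) && is_array( $_POST['amounts'] ) ) {
        $raw = wp_unslash( $_POST['amounts'] );
    }
    $amounts = array_values( array_filter( array_map( 'absint', $raw ) ) );

    update_option( 'demo_donation_amounts', $amounts );
    wp_send_json_success( array( 'amounts' => $amounts ) );
}

// The nonce the hardened handler expects is issued to the settings page
// script (assumes a script with handle "demo-settings" is already enqueued).
function demo_enqueue_settings_script() {
    wp_localize_script( 'demo-settings', 'demoSettings', array(
        'nonce' => wp_create_nonce( 'demo_donation_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_settings_script' );
```

When auditing a plugin, the three questions this contrast raises for every `wp_ajax_*` action are: is it also registered under `wp_ajax_nopriv_*` when it should not be, does the handler verify a nonce, and does it check a capability before writing anything. Wordfence’s count of 49 exploitable actions out of 88 is what a handler-by-handler review of those three points produces.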

The scale of sensitive or mission-critical data they store and manage make them an obvious target for cybercriminals and hackers. In December 2018, for instance, a 20,000-strong botnet of compromised WordPress websites was found using dictionary attacks (using preprogrammed credentials) to break into and infect other WordPress websites.

According to Trend Micro, WordPress is not the only target. Popular content management systems like Joomla, Drupal, and Magento were also targeted and used as vehicles to deliver a variety of threats — from ransomware to cryptocurrency-mining and payment data-stealing malware. READ THE FULL ARTICLE HERE

GDPR READY WEEKLY NEWS – No 3, January 2019

Celebration: Happy Data Protection Day! – Today 28 January 2019 we are celebrating in all EU countries the Data Protection Day. Outside Europe, it is also a global celebration called the “Privacy Day”.

GDPR FINES: Google will appeal the €50M – The search giant claimed it had “worked hard” to create a transparent and straightforward GDPR consent process for its ads personalisation settings, and was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond”.

BREXIT: How will personal data continue to flow after Brexit? – Elizabeth Denham’s latest blog busts the myths for UK small and medium-sized businesses transferring personal data to and from the EEA

DATA BREACH: 70,000 “special customers” affected by a retailer vulnerability – Here is a special data breach described on IT Governance’s site. A home improvement retailer has suffered a data breach affecting 70,000 of its… well, not customers, exactly.

RESEARCH: Data and Analytics Trends in 2019 – Business 2 Community recently published an analysis article reviewing the main trends in Data and Analytics for this year.

DPIA: A PIA TOOL 2.0 released by CNIL – A year after its first release, the PIA tool upgrades in the 2.0 version featuring PIA templates. Alongside this new version, a wiki has been published taking its content from the PIA-3 guide.

CELEBRATION

Data Protection Day!

Today 28 January 2019 we are celebrating in all EU countries the Data Protection Day. Outside Europe, it is also a global celebration called the “Privacy Day”.

On 26 April 2006, the Committee of Ministers of the Council of Europe decided to launch a Data Protection Day, to be celebrated each year on 28 January. This date corresponds to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been for over 30 years a cornerstone of data protection, in Europe and beyond.

On the Data Protection Day, hundreds of events will be organised all over Europe to raise awareness on data protection and inform citizens of their rights and of good practices, thereby enabling them to exercise these rights more effectively.

The Data Protection Day should be a special occasion, a time set aside by each and every one of us to familiarise ourselves with a largely unknown, yet major, facet of our everyday lives. The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent in and associated with the illegal mishandling and unfair processing of their personal data.

The objective of the Data Protection Day is, therefore, to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects.

SOURCE

GDPR FINES

Google will appeal the €50m data protection fine

The search giant claimed it had “worked hard” to create a transparent and straightforward GDPR consent process for its ads personalisation settings, and was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond”.

The fine, issued by France’s CNIL last Monday, is considered the first major financial penalty on a large technology company since the EU’s General Data Protection Regulation entered into force last May.

The French data protection watchdog said Google had violated EU privacy rules because it did not properly ask its users for consent on how to use their personal data. Google’s challenge before the Council of State — France’s top administrative court — would further define how the tech sector interprets requirements on consent under the GDPR.

The French data protection agency, CNIL, said that Google had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation. It said that consent cannot be valid because it isn’t unambiguous or specific – the choice for personalisation is a pre-ticked box, and users must give full agreement to the Terms of Service and data processing in the Privacy Policy, rather than to unbundled purposes.

This is not dissimilar to a number of other organisations’ consents, and since the ruling there have been widespread questions over the impact it will have on other industries, such as publishers.

READ ORIGINAL CNIL’s ANNOUNCEMENT

BREXIT

How will personal data continue to flow after Brexit?

Elizabeth Denham’s latest blog busts the myths for UK small and medium-sized businesses transferring personal data to and from the EEA. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and for public authorities to deliver effective public services.

At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place. However, in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.

On one of the most discussed issues, the possibility that Brexit will stop transfers of personal data from the UK to the EU, the official answer is: “In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.”

READ FULL ARTICLE ON MRS DENHAM’s BLOG

DATA BREACH

70,000 “special customers” affected by a retailer vulnerability

Here is a special data breach described on IT Governance’s site. A home improvement retailer has suffered a data breach affecting 70,000 of its… well, not customers, exactly. The breached database contained a list of people who had been caught stealing products from the UK retailer’s stores.

The document included the names of the offenders, the items they had stolen, the value of the goods and the stores they were taken from. The database should have been accessible only to certain employees, but security specialists at CtrlBox found it on an Elasticsearch server left publicly accessible without password protection.

As the data contains alleged criminal records, it could be considered sensitive information under the GDPR. According to IT Governance Founder and Executive Chairman Alan Calder, the incident is “a classic illustration of the reality that the majority of security breaches go undiscovered for substantial time periods and are then often discovered by third parties.”

READ THE ORIGINAL ARTICLE ON IT GOVERNANCE BLOG

RESEARCH

Data and Analytics Trends in 2019

Business 2 Community recently published an analysis article reviewing the main trends in Data and Analytics for this year. In the new digital era, organizations are realizing that simply being “data-driven” won’t guarantee future success.

According to this article, Forrester notes that it is not “data-driven” but rather “insights-driven” businesses that are growing at an average of more than 30% each year, and that by 2021 they are predicted to take $1.8 trillion annually from their less-informed peers. Organizations that intend to last into the next decade and beyond must stop doing analytics for analytics’ sake, note Forrester and other top thought leaders, who have shared these 10 Enterprise Analytics Trends to Watch in 2019:

The Data Mindset Moves from Visualization to Outcomes – Forrester Analytics shows that most organizations still have a way to go in reaching this level. Its research reveals that more than half (57%) of global data and analytics decision makers are still in the early stages of their insights-driven business transformation and fall into Forrester’s beginner maturity segment. Only 8% demonstrate advanced insights-driven competencies, according to these findings.

Explainable AI Requires Investment – Enterprise organizations should look to invest in explainable AI in 2019, for a very important reason: to manage regulations, ethical use of data, transparency, compliance requirements, and risk. As artificial intelligence becomes more sophisticated

Consumer-grade, Zero-click Intelligence Arrives – The arrival of user experiences like those consumers enjoy, but for enterprise analytics. Whether by voice assistant, hovering over a hyperlink, or stepping up to a screen in an office, real-time intelligence will be delivered to all employees in a way that is easily consumed by every individual, finally breaking down the barrier to organization-wide analytics adoption.

READ MORE TRENDS IN FULL ARTICLE

DPIA

A PIA TOOL 2.0 RELEASED BY CNIL

A year after its first release, the PIA tool is upgraded to version 2.0, featuring PIA templates. Alongside this new version, a wiki has been published, taking its content from the PIA-3 guide.

To celebrate its first anniversary and 130,000 downloads, the PIA tool includes a new feature for creating PIA templates. This feature is designed to make PIA management easier by allowing the PIA to be customised to one’s industry and one template to be applied across several types of analysis.

A template based on the PIA framework applied to IoT devices is already available in the tool. In addition, several minor improvements and fixes have been added such as:

  • blocking the tool from being instantiated several times;
  • harmonization of graphic elements across the interface;
  • improvement of the PIA report display interface;
  • overall optimisation of the tool (stability, execution, better management of some behaviours, code refactoring, etc.).

This new version is also an opportunity to implement a new governance model for the GitHub repositories of the tool, in order to ease the integration of community contributions and to highlight the commitment of the contributors. For more information, we invite you to read the governance description, the contribution guide, the code of conduct and the roadmap for future developments of the tool.

READ MORE

GDPR READY WEEKLY NEWS – No 2, January 2019

Guidelines: Specific rulings issued by the Hungarian data protection authority – During the last months the Hungarian Data Protection Authority (NAIH) released important opinions related to ID cards photocopying, newsletter subscriptions and general data transfers.

Analysis: Future of Privacy in 2019 according to Gartner Predicts – “Privacy requirements dramatically impact an organization’s strategy, purpose and methods for processing personal data”.

Trusted Services: ENISA about acceptance of eIDAS audits – ENISA has published a new report to explore the paths to global acceptance of the eIDAS auditing framework for trust service providers (TSPs) issuing qualified website authentication certificates (QWACs).

Data Breaches: Personal data of 40,000 temporary workers exposed on the Internet – As a result of a “human error”, the profiles of thousands of users of Mistertemp, an online temp agency, have been accessed online without protection.

International Transfers: Second Review of EU-US Privacy Shield Shows Improvements – On December 19th the European Commission published its report on the second annual review of the status of the EU-U.S. Privacy Shield.

Guidelines

Specific rulings issued by the Hungarian data protection authority

During the second half of 2018, the Hungarian Data Protection Authority (NAIH) issued important opinions on GDPR issues in the areas of photocopying ID cards, eDM subscriptions and general data transfers, which Hungarian-based companies and employers must take into account in their data processing operations.

According to an article published by Lexology.com, under the new NAIH opinions companies and employers are not allowed to copy personal documents like IDs or school diplomas unless prescribed by law. NAIH argues that since most companies or employers are not in a position to check a document’s authenticity in official databases, keeping a copy of it serves no purpose. NAIH also decided that companies must carefully analyse how benefits offered for a newsletter subscription could influence the voluntary nature of the newsletter “opt-in”.

For example, if a newsletter subscription is not mandatory to obtain access to a certain service, non-subscribers should have equal access to this newsletter service…

Regarding personal data transfers, according to NAIH, data controllers should name in their privacy notices the recipients of the transferred data and the purpose of the transfer, preferably in table format. For example, a travel agency which organises trips to different destinations should not list all the hotels it provides personal data to, since this information may differ from time to time.

READ THE ORIGINAL ARTICLE HERE

Analysis

Future of Privacy in 2019 according to Gartner Predicts

According to Gartner, security and risk management leaders must take note of the following predictions for privacy to ensure transparency and customer assurance.

By 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018 – Over the next two years, organizations that don’t revise data retention policies to reduce the overall data held, and by extension the data that is backed up, will face a huge sanction risk for noncompliance as well as the impacts associated with an eventual data breach.

By 2022, 75% of public blockchains will suffer “privacy poisoning”, inserted personal data that renders the blockchain noncompliant with privacy laws – Businesses looking to implement blockchain technology must determine whether the data being used is subject to any privacy laws. For example, public blockchains need an immutable data structure, meaning that once data is recorded, it cannot easily be modified or deleted. Considering the privacy rights granted to individuals, services based on public blockchain technologies raise justified concerns, because “by default” personal data cannot be replaced, anonymised or structurally deleted. Organizations that implement blockchain systems without managing privacy issues “by design” will risk storing personal data that cannot be deleted…

By 2023, over 25% of GDPR-driven proof-of-consent implementations will involve blockchain technology, up from less than 2% in 2018 – According to Bart Willemsen, Senior Director Analyst at Gartner, “The application of blockchain to consent management is an emerging scenario at an early stage of experimentation.” Some organizations are already exploring the use of blockchain for consent management “because the potential immutability and tracking of orthodox blockchains could provide the necessary tracking and auditing required to comply with data protection and privacy legislation.”

MORE IN THE SMARTER WITH GARTNER ARTICLE

Trust Services

ENISA about acceptance of eIDAS audits

The eIDAS Regulation sets up a framework to grant qualified status to an array of trust services (e.g. electronic signatures, seals, etc.), aiming to enhance consumer trust in the digital environment. According to ENISA, qualified trust services undergo regular assessments by accredited bodies, overseen by national and EU authorities, to verify that they meet the requirements laid out in the eIDAS framework. Taking the viewpoint of a global audience, ENISA has published a new report addressing aspects of conformity assessment in an effort to improve the global acceptance of eIDAS audits. Towards this goal, the report recommends to:

  • adopt a harmonised conformity assessment approach in the EU and promote it at the international level
  • promote and reference specific standards on the auditing of TSPs and conformity assessment

The report also reviews the concurrent international auditing schemes for qualified TSPs and the accreditation of the respective conformity assessment bodies (CABs). Strategies largely based on improving existing European standards are also proposed for the purpose of fostering cooperation with browser vendors and thus improving the acceptance of eIDAS audits.

READ THE FULL REPORT HERE

Data Breaches

Personal data of 40,000 temporary workers exposed on the Internet

As a result of a “human error”, the profiles of thousands of users of Mistertemp, an online temp agency, were accessible online without protection.

According to an article published by Le Monde, citing a computer security researcher, tens of thousands of temporary employee profiles managed by the temp agency Mistertemp were freely accessible on the Internet for at least three weeks. The exposed personal data includes identity, physical address, e-mail address and telephone numbers, and for some of them, their Social Security numbers.

One of the servers containing this information was poorly configured, making it accessible, without any password, to anyone who knew its address. The length of time that this database remained accessible to all comers is difficult to determine.

A cybersecurity researcher discovered it on December 21st and the company removed the database from the Internet on January 9th. In the current state of its investigation, the company does not know when this information was made public. According to the company, no banking data or identity documents were exposed, the latter being stored in a different database.

READ FULL ORIGINAL ARTICLE IN FRENCH

International Transfers

Second Review of EU-US Privacy Shield Shows Improvements

On December 19th the European Commission published its report on the second annual review of the functioning of the EU-U.S. Privacy Shield.

The good news is that the latest report is better than the previous one, showing that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S. The steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year’s report have improved the functioning of the framework.

The bad news is that the Commission still expects the US authorities to nominate a permanent Ombudsperson to replace the one that is currently acting.

The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. According to Andrus Ansip, Commission Vice-President for the Digital Single Market, “Today’s review shows that the Privacy Shield is generally a success. More than 3,850 companies have been certified, including companies like Google, Microsoft and IBM – along with many SMEs. This provides an operational ground to continuously improve and strengthen the way the Privacy Shield works. We now expect our American partners to nominate the Ombudsperson on a permanent basis so we can make sure that our EU-US relations in data protection are fully trustworthy.”

The second review took into account relevant developments in the U.S. legal system in the area of privacy. The Department of Commerce launched a consultation on a federal approach to data privacy to which the Commission contributed and the US Federal Trade Commission is reflecting on its current powers in this area. In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing.

SOURCE: EUROPEAN COMMISSION PRESS RELEASE

GDPR: TO BE OR NOT TO BE A CALAMITY FOR SMEs

From the very beginning, many considered SMEs as collateral victims of the GDPR, the main reasons being their lack of resources to invest in sophisticated encryption and protection software or in expensive hours of audit and consulting services… But what only a few people consider is the fact that an SME can be many times more flexible and open to real change and to a reliable alignment effort.

Size does not matter…

The main purpose of the Regulation is to change the ways organizations obtain and manage personal data and to put the data subject at the core of data processes. Even though most of the GDPR articles address large data volumes and large-scale data processing, small organizations such as micro-enterprises or individual professionals also have to respect the rules on processing personal data.

Many times small entrepreneurs think their company is too small to spend time on data protection processes. This is terribly wrong. The GDPR applies to organizations of any size if data processing takes place regularly or if the processing includes special categories of data defined in Article 9 of the GDPR. This is apparent even from the definitions of the Controller and the Personal Data Processor. According to GDPR Art. 4(7), “Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Art. 4(8), “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Even a licensed consultant or individual who constantly and regularly processes personal data may be a personal data Controller or Processor, depending on the type of activity being performed. For services in which the specialist sets the purpose and means, the individual specialist can act as a joint controller in dealing with his clients. For activities where the individual specialist performs only the operations requested by his clients, he/she acts as a personal data processor, with all the responsibilities of such a position. As small company managers, it is very important to correctly identify our position as Controller or Processor in every business line we are involved in.

Do we process personal data? Then there is no way back…

Even if we do not have the financial resources of the big players, as managers of a small company we are directly responsible for the continuity of the business and, admitting this, we are willing to invest. In a small company, as an entrepreneur, we are also the sponsor and the project manager. And I am more capable and more interested in choosing the best and most efficient team, which often includes all the other employees.

Are smaller companies more exposed to cyber-attacks than medium or large organisations? Theoretically yes, because we do not have the infrastructure that others have access to. A Juniper Research study estimates that over half of SMEs in EU countries consider themselves safe from cyber-attacks, but half of them have suffered a data breach. In this context, the need to protect personal data more effectively has never been more obvious, even at the level of SMEs.

The GDPR strengthens the protection of personal information. Irrespective of size, all companies operating in the EU now have the obligation to collect, store and use personal information in a safer way. Although there are a few areas where SMEs are recognised as having fewer resources and capacities than larger businesses, small businesses can enjoy some manoeuvring space in terms of documentation and record keeping. The degree of freedom at this stage is still uncertain.

The British Government recently estimated that only 40 percent of enterprises with fewer than 50 employees and only 66 percent of firms with 50-249 people were aware of the importance of GDPR.

5 Serious reasons for alignment

Here are five serious reasons why SMEs need to understand this regulation urgently and align their processes with it:

  1. GDPR comes with new rights, so new obligations – First, the GDPR gives people new rights over their personal data. Theoretically, we can now go to a bank or supermarket and ask them to erase our data from their systems. This is only theoretical, because some legal frameworks require us to retain personal data for at least 10 years. Here is a real right: ask a provider to move your data and your agreement to another service provider… That is a real right, known as Data Portability. For example, you have the right to move your services file from one telco provider to another. But that does not mean that the old supplier will erase our data.
  2. Suppliers are now under the microscope – The GDPR comes with new responsibilities for data processors. If we process data on behalf of a Data Controller, we need to follow its instructions in order to comply with the GDPR. If we make a mistake as a data processor, and the Controller can prove this, we could become directly accountable before the Authorities.
  3. Do we need DPOs or not? – At SME level, obviously not. This does not exclude the recommendation to consider a project team and a project coordinator. Permanent tasks, even in an SME, such as keeping records of processing, of consent, or of breach reporting, come in addition to the ingrained task of assimilating internal policies across departments.
  4. Employees as a weak link – Studies show that at least one-third of personal data vulnerabilities are due to personnel error. There is no substitute for training employees about their core responsibilities under the GDPR. In addition, make sure your company specialists, such as traders, HR representatives and board members, receive specific training on their roles and on what they need to do to comply with the GDPR.
  5. We need to tell our clients what we do with their data – According to the GDPR, customers have the right to be informed, in clear language, about what we do with their personal data. Our online privacy policy should be written in plain language, telling our customers where we get the data from, what we do with it, and who we share it with. If we have a web page for our business, we have to publish our privacy commitment on the site’s personal data privacy page and update the Terms & Conditions and Cookies Policy.

Small companies or individual specialists who ensure their compliance with GDPR benefit not only from safer and more professional business processes but also from a certain competitive advantage over competitors who did not pay much attention to the provisions of the new Regulation. GDPR compliance is a label of trust, loyalty, and respect for our customers and partners and the personal data they entrust us with.

GDPR READY WEEKLY NEWS – No1, January 2019

Analysis: Top 10 Serious GDPR Incidents in 2018 – High-Tech Bridge, a web security company, published on its Security Blog a Top 10 analysis of last year’s most important security and privacy incidents related to the GDPR.

Legislation: The new Data Protection law adopted in Spain – In December 2018, the Official Gazette of Spain published the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.

Guidance: New Guidance on Data Sharing Published by CNIL – The French Data Protection Authority released guidance on the standards organizations must meet to share information with business partners and data brokers, with a focus on compliance under the EU GDPR.

Data Breach: First Hospital GDPR Violation Penalty Issued in Portugal – The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Centro Hospitalar Barreiro Montijo for failing to restrict access to patient data stored in its patient management system.

Research: 50 Percent of Firms Still Not GDPR Compliant – According to the IAPP-EY Annual Governance Report 2018, organizations tackled the hard work of implementing GDPR programs, spent an average of $1.3 million to become compliant and learned many lessons trying to solve the most challenging issues.

Books: 10 TITLES FOR YOUR GDPR LIBRARY – Please review my recommended list of books, selected under the GDPR Ready Initiative framework using various criteria such as subject popularity, review notes, relevance, and EU coverage. You are free to come with your own reading suggestions on this subject.

Analysis

Top 10 Serious GDPR Incidents in 2018

The article begins with a comprehensive analysis of the new approach to personal data protection around the world and the three essential differences between GDPR and the previous regulation: reversing the risk ratio between low fines and the high cost of security, changing the strategy for data breach reporting, and putting the user in first place by establishing constraints for personal data controllers and processors.

The article then looks at the ten most dramatic incidents reported in 2018:

  • A GDPR compliance WordPress plugin issue discovered by Wordfence.
  • Action opened against Twitter by University College London researcher Michael Veale.
  • Complaints opened by Privacy International to the regulatory bodies in Britain, Ireland and France about seven different financial and marketing companies, claiming they gathered personal data without explicit consent.
  • The August data breach of payment information from British Airways.
  • Germany's first GDPR fine, issued in November 2018 to the social and dating website Knuddels.de, which in September reported a data breach of 1.87 million username and password combinations and 800,000 users' email addresses.
  • A Portuguese hospital fined €400,000 in July 2018.
  • Google's location tracking, investigated by the Associated Press in August 2018.
  • AggregateIQ, a data analytics firm that has been linked with Cambridge Analytica, was accused of mishandling people's data prior to and after GDPR enforcement.
  • Facebook's fines and lawsuits: 2018 was a difficult year for Facebook, with controversies, data breaches and scandals becoming a semi-regular occurrence.
  • Marriott, the parent company of Starwood, discovered in September a data breach affecting up to 500 million customers' personal data, long after GDPR came into effect. Complicating matters somewhat, however, is that it appears to have been an open, ongoing breach since 2014.

READ THE FULL STORY HERE

Legislation

The new Data Protection law adopted in Spain

According to an article published on the IAPP site, the new Organic Law is founded on five key issues: the object of the law, data subject rights, the data protection officer, the processing of personal data by political parties, and digital rights in the labour field.

According to Article 1, the Organic Law has a double object. First, it adapts the Spanish legal system to the General Data Protection Regulation and further provides the specifications or restrictions of its rules that the GDPR allows. In this sense, the law states that the fundamental right to data protection of natural persons, under Article 18.4 of the Spanish Constitution, shall be exercised under the GDPR and this law. Second, the law guarantees the digital rights of citizens and employees beyond the GDPR. For example, the law includes provisions on the right to internet access, the right to digital education, the right to correction on the internet and the right to digital disconnection in the workplace.

The law also includes some specifications with regard to data subjects' rights. Article 12.1 states that a data subject's rights may be exercised personally or through a legal or voluntary representative. Article 12.3 provides that the processor may handle, on behalf of the controller, any request to exercise a data subject's rights when this is provided for in the contract or other legal instrument that binds them.

More functions for the DPO. We should remember that Spain was the first EU country to release, in 2017, a DPO certification scheme, the Certification Scheme of Data Protection Officers from the Spanish Data Protection Agency (DPO-AEPD Scheme).

Following Article 37(4) of the GDPR, the law specifies and clarifies other cases in which the designation of a DPO is mandatory. Among them are: bar associations and their general counsels; public and private universities; information society service providers when developing large-scale profiles of service users; operators that conduct gaming activity through electronic, computer, telematic and interactive channels, in accordance with gaming regulation; and sports federations when processing minors' personal data.

The law also includes an additional function for the DPO, who may intervene in the case of a complaint against a controller or processor filed with the supervisory authority. In this case, before the complaint is submitted to the supervisory authority, the DPO, where one has been designated, may intervene and communicate the organization's resolution to the complainant within two months of receipt of the complaint.

Beyond data protection, several articles refer to the protection of privacy in the labour field, such as the right to privacy and the use of digital devices in the workplace (Article 87), the right to digital disconnection in the workplace (Article 87), the right to privacy against the use of video surveillance devices and sound recording in the workplace (Article 89), the right to privacy against the use of geolocation systems in the workplace (Article 90) and digital rights in collective bargaining (Article 91).

SOURCE IAPP

Guidance

New Guidance on Data Sharing Published by CNIL

According to a post on Hunton Andrews Kurth's Privacy & Information Security Law Blog, the CNIL guidance states that companies sharing data with business partners and data brokers must first obtain the data subject's consent before any information is passed along, identify the third parties that will receive the data, and inform data subjects should the list of entities that will obtain the data change.

The CNIL guidance establishes five key conditions:

  • Prior consent: Organizations must seek the individual’s consent prior to sharing personal data with the organization’s partners.
  • Identification of the partners: The data collection form must provide notice of the particular partner(s) who may receive the personal data.
  • Notification of changes to the list of partners: Individuals must be informed of any updates to the list of partners and, in particular, of the fact that their personal data may be shared with new partners.
  • Limit to further sharing without consent: The partners may not share the personal data with their own partners without seeking the individual’s informed consent.
  • Notice to be provided by the partners at the time of the first communication to the individual: The partners who process the personal data to send their own marketing communications must inform the concerned individuals of the source from which the data originates, and how the individuals may exercise their data protection rights.

READ HERE THE FULL STORY


Data Breaches

First Hospital GDPR Violation Penalty Issued in Portugal

The Portuguese supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Centro Hospitalar Barreiro Montijo, located near Lisbon, for failing to restrict access to patient data stored in its patient management system. CNPD conducted an audit of the hospital and discovered that 985 hospital employees had access rights to sensitive patient health information when the hospital employed only 296 physicians. CNPD also discovered that a test profile had been set up with full, unrestricted administrator-level access to patient data, and that nine social workers had been granted access to confidential patient data.

According to a HIPAA Journal article, CNPD found three violations of the GDPR. The first was a violation of the data minimization principle in Article 5(1)(c), by allowing indiscriminate access to an excessive number of users, read with Article 83(5)(a) on the basic principles for processing. For this, the fine was 150,000 euros.

The second violation was the failure to apply technical and organizational measures to prevent unlawful access to personal data, a breach of the integrity and confidentiality principle in Article 5(1)(f), again read with Article 83(5)(a) as a violation of the basic principles for processing. This was also fined 150,000 euros.

Finally, under Article 32(1)(b), the CNPD considered the defendant's inability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as well as its failure to implement technical and organizational measures ensuring a level of security appropriate to the risk, including a process for regularly testing, assessing and evaluating the effectiveness of those measures. For this, the fine was 100,000 euros.

When determining the amount of the penalty the CNPD also considered the fact that the defendant took measures to regularize the situation.
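The two findings above, far more accounts with access to clinical records than clinical staff, and a test profile with administrator rights, are exactly what a periodic entitlement review is meant to surface, and Article 32(1)(d) expects such reviews to run regularly. The script below is an added example, not code from the CNPD decision, HIPAA Journal or the hospital; it runs over a constructed export of a patient-management system's accounts (the field names `user`, `role`, `clinical_access` and `admin` are assumptions) and flags both patterns.

```python
"""Least-privilege review of an application's account export.

Added example (not from the CNPD decision or the hospital's system). It
flags the two patterns found in the audit: clinical-record access held by
accounts outside the roles that need it, and generic or test profiles that
carry administrator rights. Field names and sample data are constructed.
"""
from collections import Counter

# Roles assumed to legitimately need access to clinical records.
CLINICAL_ROLES = {"physician", "nurse"}

# Prefixes that mark generic, test or service accounts rather than a person.
NON_PERSONAL_PREFIXES = ("test", "svc_", "admin", "temp")

# Constructed sample export; in practice this comes from the application's
# user/role tables or an IAM report.
ACCOUNTS = [
    {"user": "a.silva",    "role": "physician",     "clinical_access": True,  "admin": False},
    {"user": "m.costa",    "role": "nurse",         "clinical_access": True,  "admin": False},
    {"user": "j.pereira",  "role": "social_worker", "clinical_access": True,  "admin": False},
    {"user": "r.santos",   "role": "billing",       "clinical_access": True,  "admin": False},
    {"user": "l.gomes",    "role": "it",            "clinical_access": False, "admin": True},
    {"user": "test",       "role": "it",            "clinical_access": True,  "admin": True},
    {"user": "svc_backup", "role": "service",       "clinical_access": False, "admin": True},
]


def excess_clinical_access(accounts, allowed_roles=CLINICAL_ROLES):
    """Accounts holding clinical access without a role that requires it."""
    return sorted(a["user"] for a in accounts
                  if a["clinical_access"] and a["role"] not in allowed_roles)


def privileged_nonpersonal(accounts):
    """Generic, test or service accounts that carry administrator rights."""
    return sorted(a["user"] for a in accounts
                  if a["admin"] and a["user"].lower().startswith(NON_PERSONAL_PREFIXES))


def access_summary(accounts, allowed_roles=CLINICAL_ROLES):
    """Headline numbers an auditor compares: how many accounts can read
    clinical data versus how many hold a clinical role, and a per-role
    breakdown of who has that access."""
    with_access = sum(1 for a in accounts if a["clinical_access"])
    clinical_staff = sum(1 for a in accounts if a["role"] in allowed_roles)
    by_role = Counter(a["role"] for a in accounts if a["clinical_access"])
    return {"clinical_access": with_access,
            "clinical_staff": clinical_staff,
            "access_by_role": dict(by_role)}


if __name__ == "__main__":
    print("summary:", access_summary(ACCOUNTS))
    print("excess clinical access:", excess_clinical_access(ACCOUNTS))
    print("privileged non-personal accounts:", privileged_nonpersonal(ACCOUNTS))
```

On the sample data the review reports five accounts with clinical access against two clinical staff, lists the social worker, the billing user and the `test` profile as holding access their role does not justify, and lists `test` and `svc_backup` as non-personal accounts with administrator rights. Keeping the output of each run is what lets an organisation show the supervisory authority that the Article 32(1)(d) testing and evaluation actually happened.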

READ HERE THE FULL ARTICLE 

Research

50 Percent of Firms Still Not GDPR Compliant

According to the IAPP-EY Annual Governance Report 2018, organizations tackled the hard work of implementing GDPR programs, spent an average of $1.3 million to become compliant, and learned many lessons trying to solve the most challenging issues.

One of the Report's conclusions is that fewer than 50 percent of survey respondents report they are "fully compliant" with the GDPR, and nearly one in five admit that full GDPR compliance is truly impossible. Another trend is the considerable growth in the number of privacy professionals working for European organizations and responding to the survey: IAPP member participation in the survey grew by 47 percent. At the same time, there was significant growth in the number of full-time staff dedicated to privacy, reflecting a real concern at the organization level to be prepared. In fact, one key finding is that privacy is increasingly a stand-alone issue of corporate significance, no longer tied as integrally to a data breach as in previous years.

Other key results:

  • 76 percent of all respondents believe their firm falls under the scope of the GDPR.
  • 25 percent of respondents have changed vendors in response to GDPR.
  • 30 percent say they are considering future vendor changes.
  • 56 percent say they are far from compliance or will never comply.
  • 75 percent of respondent firms report they have appointed a DPO.
  • 48 percent have created the DPO position to serve a valuable business function.
  • Six in 10 privacy leaders have taken the DPO duties on themselves.

READ HERE THE IAPP ARTICLE AND DOWNLOAD FULL REPORT

Books

10 TITLES FOR YOUR GDPR BOOKS LIBRARY

Anyone interested in finding documentation about GDPR can read thousands of web resources, including best practices, buyer's guides, solution handbooks and implementation kits. All of these are very useful, but many times we need more considered advice on the General Data Protection Regulation, and the best way to find a bit of professional advice is to read a book. Although we now live in a fully digital era, many of us still need the classic page-by-page reading of a book, whether in print or online.

In my documentation process for the specific content of GDPR, I had to review some interesting books. Although many of us are on vacation, I think that this year-end period, in which GDPR was a hot topic for all, is the best time to stay quiet and browse an interesting book.

It is important to note that this is not a "Top 10" classification. It is just a personal selection: a recommended list of books selected by the GDPR Ready Initiative using criteria such as subject popularity, reviews, relevance, and EU coverage. Image credits go to various online bookshops.

You are free to come with your own reading suggestions on this subject.

READ THE FULL ARTICLE HERE