Since the GDPR came into force, there has been a surge in data breach reporting across the EU. The flood of reports, though, over 280,000 data breaches submitted across the EU, resulted in only around 500 fines to companies. The vast majority of data breaches were likely reported to Supervisory Authorities unnecessarily. The EDPB has released new example-based guidelines which should help controllers and DPOs in deciding whether or not to notify their Data Protection Authority
After several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 with the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). The CNIL noted shortcomings in the processing of customer and potential user data. The President of the CNIL therefore decided to initiate a sanctioning procedure against the group. At the end of this procedure, the restricted committee - the CNIL body responsible for imposing sa
GDPR Articles 24, 25, 28, 29, 30, 32, and 35 provide for a good reading, but the question comes naturally: how many readers have actually understood where these articles lead and are not, instead, naively thinking there is not much beyond legal contractual requirements, easily accomplished, and technical requirements which are already in place?
Luckily, or unfortunately for the naive enterprises and C-levels, there's much more to read between the lines than what is stated in tho
New research from market analyst Forrester indicates that insider threat will rise considerably in 2021. The research predicts data breaches from insider incidents will be at least 1 out of every 3. The report states, “In 2021, we will begin to see contours of the new economic, social, and cultural orders forged in the crucible of the COVID-19 pandemic.” Forrester's report essentially combines three factors which lead them to expect an increase in insider incidents: • More
The Italian #dataprotection authority ('Garante') has initiated an investigation over the use of a software called 'DeepNude' which, through the use of AI DeepFake technology, enabled Telegram's users to generate fake nude images and pictures of women, which were subsequently shared on the app. Through the use of DeepNude, Telegram exposes individuals to the risk of serious #privacy and reputation damages. The risk is even higher when related to minors and young women who co
The amended Swiss #DPA (Data Protection Act) has key strengthenings which should prompt Swiss companies to fully adopt the #GDPR. The differences are now mostly editorial and in how the DPA describes essentially the same rules: Strengthened individuals' rights: data subjects must be informed about the Controller's identity and contact information; purpose(s) of processing; the identity of third party recipients; and full cross-border disclosure. Strengthened automated decision making:
Data protection legislation (RGPD and Directive n° 2016-680) requires a profound change in the governance of data and files: in addition to the required business formalities upstream of the deployment of general processing, companies will also have to implement "appropriate technical and organizational measures" and prove their compliance with the GDPR and the directive. If certain formalities with national Data Protection Authorities (DPAs) might have disappeared when havi
On the 6th of October, the Court of Justice of the European Union (CJEU) held that the scope of the EU GDPR, its principles, and the individuals' rights to privacy, extend to data collection and data retention for processes with a 'general' purpose of national security. In brief, the UK government held that the bulk communications data details were not under the scope of GDPR for access by security agencies, and the CJEU ruled that EU GDPR has jurisdiction over national rules
This should not come as a surprise to anyone. Swiss companies have looked at what happened in the EU with the GDPR with a more or less distracted eye, wrongly assuming that they would have to deal, in any case, only with the Swiss DPA. Notwithstanding the fact that GDPR territoriality is the whole world (suffice to deal with data subjects' personal data - per GDPR definition - and you are subject to the GDPR), the bet that the DPA would not change and not approach more and mo
If not properly guided, companies tend to consider a DPIA just as another name given to their usual process risk assessment. There is a fundamental difference between a DPIA and what companies have always carried out when assessing the risk they face with a given business process. The UK's programme to trace COVID-19 infections has allegedly broken data protection laws. The oversight was first brought to light by the digital privacy campaigners Open Rights Group. The reason was indeed the
The GDPR applies to companies outside the EU because it is extra-territorial in scope, as explained in Article 3, "Territorial scope." One thing to keep in mind is that GDPR is not 'data privacy' or a refined version of it: the law is designed to protect the data subjects’ rights, while data privacy, broadly and mostly, regulates and protects businesses. If you think your 'data privacy' organization is de facto making you compliant with the GDPR, we have news for you: you're not.
In the Watergate investigation, Howard H. Baker Jr famously asked "What did the President know and when did he know it?" We all know what the answers to that question led to and how they ultimately sealed the fate of Richard Nixon. Companies under a GDPR compliance audit, especially in the case where the Data Protection Authority is involved, can be sure that "What" and "When" will be asked, related to personal data, but rest assured: not just that. Organizations shall follow the si
GDPR is the applicable law, and it enjoyed a 'grace period' from Authorities. Companies might have become complacent in these two years rather than focusing resources and efforts on establishing, maintaining, controlling, and strengthening their own GDPR compliance implementation. Don't wonder whether you are in violation of the GDPR: if you do actually wonder, you can bet you are already in violation. A non-profit foundation which pursues claims for violations of privacy ri
The U.S. National Institute of Standards and Technology this week released a long-awaited guidance update, Special Publication 800-53 Revision 5, describing "next-generation security and privacy controls" and how to use them. "This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations and the nation from a diverse set of threats and risks, incl
The German Data Protection Authority has issued the second-largest fine to a single company under the EU General Data Protection Regulation (GDPR). The GDPR changed the way personal data can be collected and used, and it also mandates companies to be fair and transparent. This is where H&M failed. The company has been fined €35.3m and had to apologise “unreservedly” for having put in place illegal surveillance affecting several hundred employees. The world’s second largest