Tag: GDPR

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

Companies, in specific, that fall under the regulations of the GDPR should be prepared to fulfil the requirements that are stated by the GDPR, due to the risk of an imposition of a fine if they fail to comply with the GDPR. This is in particular relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The implementations that companies have to make to comply with the GDPR involve high expenses and probably will be more time consuming than expected in most cases, depending on the size and complexity of the company. Especially the time factor has to be considered since it is less than a year left until May 2018.

However, according to a report of TrustArc, 61 % of the asked companies have not yet started with the implementation of their GDPR compliance programs.

TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.

The Report also shows the cost that companies expect to be need to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.

Article 29 WP will release guidelines on the GDPR by the end of 2016

26. October 2016

As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some aspects. Therefore, these guidelines aim at serving as an operational toolbox.

Amongst others, the guidance to the GDPR shall refer to the following aspects:

  • The designation of the leading Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the bilateral cooperation and competence to resolve disputes by the Supervisory Authorities and the European Data Protection Board shall be clarified.
  • Guidance on the figure of Data Protection Officers is one of the priorities of the Article 29 WP, as it will play an essential role in companies on achieving GDPR compliance.
  • The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer data to other data controllers, for example upon the change of telephone provider. The guidance should focus on its scope and implementation.
  • The standard by which the proof of consent will take place, will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
  • A formal guidance on the Privacy Shield will not take place until the EU Commission has reviewed its functioning after the first year, this is summer or early fall 2017.

At the moment, the Article 29 WP remains neutral with regard to the Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may be also useful in UK regarding international data flows with the U.S.A.

Further guidance is also expected in 2017, especially regarding topics such as the EU-U.S. Privacy Shield and the implication of the Brexit in privacy issues.

UK Data Protection Commissioner speaks about “Brexit” and the GDPR

5. October 2016

Last week, Elizabeth Denham, held her first speech as UK Information Commissioner (ICO). In this speech she referred, amongst others, to the effects of the Brexit with regard to the application of the GDPR.

Denham remarked that the GDPR involves the modernization of European Data Protection and the necessity of these new rules in order to ensure cross-border commerce and the protection of individuals. As the GDPR may be applicable before the UK has left the EU, she ensured that the ICO will keep on providing guidance and advice on the GDPR.

Furthermore, she stated that even after the UK has formally left the EU, flows of personal information will be still necessary, so that the level of data protection in the UK should be essentially equivalent to the one in the EU. Therefore, she encourages businesses to improve and adapt their practices to the GDPR.

Category: GDPR · UK
Tags: , ,

Survey results about the impact of the GDPR and the EU-U.S. Privacy Shield published

4. August 2016

Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.

The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.

Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.

Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.

75.4% of Cloud Apps are not compliant with GDPR

18. July 2016

According to the Netskope Cloud Report from June 2016, almost 75.4% of the cloud apps are not compliant with the GDPR. The main reason for this incompliance is the lack of awareness that most organizations have about the amount of cloud apps being used at the company.

The compliance evaluation was based on eight aspects of the GDPR: geographic requirements, data retention, data privacy, terms of data ownership, data protection, data processing agreement, auditing and certifications.

Compliance with the GDPR involves not only that customers as data controllers implement the provisions of the GDPR accordingly, but also that cloud apps vendors (as data controllers) are also compliant. This compliance requirement of the data processor is one of the new requirements that the GDPR imposes. Data processors are also subject to strict data processing requirements and are liable for breach of their obligations. This way, customers are liable for the use they make of the cloud apps and cloud vendors are liable for inherent security and enterprise-readiness.

The report reveals that the main incompliances relate to the data export requirements after termination of service, to excessively long retention periods and to data ownership terms. Moreover, malware also represents an increasing problem regarding cloud apps.

Upon the entry into force of the GDPR, companies shall be able to

  • Identify existing cloud apps in their organization and analyze the risks involved
  • Identify cloud apps storing sensitive data
  • Adopt measures in order to be compliant according to the eight main aspects mentioned above
  • Identify cyber threats and implement adequate measures to safeguard personal data

The role of the DPOs under the new GDPR: the German reference

7. June 2016

The new GDPR, which will enter into force in May 2018, updates the current European Data Protection legislation. One of the key aspects of the Regulation is the obligation to appoint a Data Protection Officer (DPO) in the following cases:

  • If the processing is carried out by a public authority, except court acting in their judicial capacity
  • If the core activities of the controller or the processor consist of processing operations which according to their nature or scope require regular and systematic monitoring of data subjects on a large scale or
  • If the core activities of the controller or the processor consist of processing on a large scale of sensitive data

Currently, several jurisdictions mention the possibility to appoint a DPO, but Germany is the only EU member State that imposes the obligation to appoint a DPO if more than nine people within an organization handle with personal data. The DPO can be a member of the organization or an external expert.

According to German Data Protection law, DPOs are appointed by the management of the organization but fulfill their duties without being subject to any instructions of the data controller. Moreover, they have the obligation to report the management regarding the compliance status of the organization and, even if they recommendations are not followed, the DPO has fulfilled his/her duty. This DPO culture in Germany means also that not only people with legal backgrounds are DPO; furthermore, the role of the DPO is assumed by persons with different backgrounds, for example by engineers or HR employees that have been given this responsibility.

Thomas Spaeing, CEO of the German Association of Data Protection Officers, remarks the importance that the appointed person knows the processes and organization of the company and that he/her can integrate the legislation with the organizational data processing activities. The DPO should be seen as a person who helps businesses implementing data protection processes in interest of both, the data subjects and the company itself.

The GDPR mentions the possibility to appoint either an external or an internal DPO and describes their position in similar terms to those existing under German Data Protection law. In Germany, this will not mean a greater change in the local legislation, but other countries who do not even currently regulate the institution of the DPO, will have to make any necessary changes to be compliant with the requirements of the GDPR until May 2018.

The new Dutch data breach notification obligation: 1.500 notifications in 2016

17. May 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.

 

GDPR published in the Official Journal of the EU

9. May 2016

After the EU Parliament voted the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher data protection level within the EU.

The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, this is ending May 2018. This means that organizations have two years to implement the provisions of the GDPR and be compliant.

Pages: 1 2 Next
1 2