Categories
Life with GDPR

SARs Update

Tom Fox and Jonathan Armstrong, a renowned expert in cyber security, host the award-winning Life with GDPR. In this episode, Jonathan Armstrong explains that SARs remain a significant area of concern for businesses. He joins Tom to discuss a recent complaint by an individual to the Austrian DPA, in which the response was incomplete and the individual took their case to the Austrian Federal Administrative Court. Jonathan also notes that SARs are being used as a tactic by those under regulatory and governmental investigation. Tom and Jonathan’s insight is invaluable for staying informed of the most up-to-date news on SARs.

Key Highlights

·      Challenges of Filing Data Protection Complaints in Austria [00:057]

·      Legal Implications of Acquiring a Business Under Regulatory or Governmental Investigation [00:11:03]

·      Ending a Podcast [00:15:50]

Notable Quotes

1.     “We know that SARs are onerous, and it may be that the gist route might be a way of saving some of the effort involved, not in searching for data necessarily, but in the whole redaction task, which is substantial because obviously you have to redact records so as not to expose the data of other individuals in many cases.”

2.     “And the officer stream result also seems to be in accordance with guidance from other DPAs as well. So probably the right decisions in both cases but obviously still some complexity involved in dealing with hours.”

3.     “We’ve definitely seen [SARs] in the context of regulatory or other governmental investigation. There are the cases in the public domain, for example, which is a case, which involves Russian oligarchs battling it out in the UK courts after group a investigated group b.”

4.     “And as I say, we’ve used the gist route previously. We know that people have complained to the ICR to other regulators but so far, that hasn’t been anything that regulators criticized in the cases that we’ve been involved with.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Life with GDPR

Russian Cyber Attack Gangs Sanctioned

Tom Fox and Jonathan Armstrong, a renowned expert in cyber security, co-host the award-winning podcast Life with GDPR. In the most recent episode, they review the recent sanctions the UK and US have imposed on seven Russia-based individuals linked to ransomware. They explain that around 20-30 known software vulnerabilities are responsible for the majority of ransomware attacks, and that if these are taken care of, individuals and organizations are far less likely to be compromised. Finally, the hosts delve into how some ransomware attackers go public about their actions in order to pressure those affected into paying. Listen to Life with GDPR for the most up-to-date and helpful advice about cyber security and ransomware.

Key Highlights

·      Sanctions levied against Russian cyber-attack gangs [00:01:28]

·      Steps to take to Protect Against Ransomware Attacks [00:06:12]

·      The Dangers of Ransomware Attacks [00:10:49]

Notable Quotes

1.     “Sanctioning ransomware gangs is not especially new. The US has done it before, but this is a move that’s a giant move from the UK and the US to sanction 7 Russia based individuals.”

2.     “It’s good business sense to payers because x is less than y. So just because GDPR is on the agenda of ransomware gangs, it obviously means that organizations have to take that much more seriously because ransomware gangs trying to push GDPR figures.”

3.     “Have a plan to deal with ransomware. It is inevitable that somebody will target you. Maybe create a playbook so that you can work through key considerations in advance.”

4.     “You’re only as strong as your weaker link. And oftentimes, it is suppliers, HR providers, payroll providers, outsourced sales solutions that are a real area of vulnerability.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Blog

Cookies, Compliance and GDPR

Are you feeling overwhelmed by GDPR enforcement and data privacy regulations? Are you concerned about the implications of big tech companies, such as Facebook and Instagram, for the data privacy of your customers? The recent fines imposed on Meta, formerly known as Facebook, of €210,000,000 for Facebook and €180,000,000 for Instagram have created a ripple of concern across the globe. I recently had the opportunity to visit with Jonathan Armstrong, partner at Cordery Compliance, to explore the implications of this ruling and set out practical steps that organizations can take to ensure they are complying with GDPR. Be prepared to take a deep dive into the world of cookies and online behavioral advertising, and learn how to protect your customer data.

Armstrong outlines the three steps you need to follow to achieve compliance and transparency:

  1. Be transparent about how you handle personal data.
  2. Look at your legal basis for processing data.
  3. Look at any argument based on necessity carefully.

Be transparent about how you handle personal data.

Step 1 for GDPR compliance is to be transparent about how you handle personal data. In order to do this, organizations need to understand what data is being processed, where it is being stored, and how it is being used. Transparency is a core element of GDPR and companies need to ensure that they are providing clear information about their data processing activities to customers and other users of their services. Organizations need to look at the data flows to and from their services, as well as any third parties they are working with, in order to be fully transparent about what personal data they are collecting and how they are using it.

Companies should also look at the legal basis for processing data to ensure that it is compliant with GDPR. Furthermore, organizations should be careful to make sure that any arguments they make based on necessity are supported with evidence to prove that their use of data is necessary. Finally, companies should be aware of the potential risks of online advertising, particularly with big tech companies like Facebook and Instagram, and be cautious when booking online advertising campaigns.

Look at your legal basis for processing data.

Step 2 is to review the legal basis for processing data. To do so, you will need to go through your data processing activities and determine what the legal basis is for each of them. This can be done through a data inventory, which is a list of all the data you are collecting and using. This will help you to identify if you are processing data based on consent, contractual obligation, or some other legal basis.

Once you have identified the legal basis, you will need to make sure that the basis is GDPR compliant. This means that you must ensure that the legal basis is legitimate, freely given, and specific. You must also make sure that you are transparent with individuals about how their data is being used, that they have the right to access and control their data, and that you are providing adequate security for the data. Finally, you must ensure that you have the right processes in place to ensure that any data you are processing is done so in accordance with GDPR.

Look at any argument based on necessity carefully.

When looking at any argument based on necessity, it is important to examine it carefully in order to determine whether it meets the requirements of GDPR. Under GDPR, necessity covers processing of personal data that is necessary for the performance of a contract, necessary for compliance with a legal obligation, or necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

When analyzing an argument based on necessity, it is important to take into account the specifics of the situation, and to ensure that the data processing is indeed necessary for the purpose it is being used for. Additionally, it is important to consider the rights of the data subject, and to ensure that any processing of their data does not override their fundamental rights and freedoms. If the argument is found to be valid and necessary, it is important to ensure that the data is processed in a transparent and secure manner, in accordance with the GDPR requirements.

For more information, check the podcast I did with Jonathan on this topic on Life with GDPR. Check out Cordery Compliance here.

Categories
Life with GDPR

NIS II

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we take up NIS II and are pleased to be joined by Jonathan Marks and Matt Kelly for a robust conversation.

Highlights include:

  • What is NIS II and how does it differ from NIS I?
  • NIS II governs by sectors.
  • What are the implications for global companies?
  • Where can you go for more information.

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Life with GDPR

Cookies, Cookies & More Cookies

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. Data protection has become a priority for many authorities, with the French regulator, CNIL, recently issuing fines and penalties to Microsoft for not complying with the data protection laws. Changes were made to their practices in March 2022, and similar action was taken against Google and Amazon.

In this episode, we discuss the regulatory landscape for cookies, which has become difficult for businesses to navigate and requires board-level oversight of data privacy, data protection, and data security. Together, these measures are deemed necessary in order to mitigate the biggest risks to organizations. Max Schrems and his pressure group were among the key drivers and had filed a substantial number of complaints. This eventually led to a large fine at the end of 2022, announced this month, from CNIL, the French Data Protection Regulator, against Microsoft, for €60 million. This fine highlighted the fact that cookies have been on the agenda of many Data Protection Authorities and the severity of the consequences for not following GDPR requirements. The implications of this case will have a lasting effect on the relations between European Data Protection Authorities and corporations, as well as on the resources necessary to stay compliant.

Highlights include:

·      [00:04:16] Microsoft’s Changes to Cookie Practices

·      [00:09:21] Navigating Regulatory Landscapes for Businesses

·      [00:14:21] The Importance of Data Privacy Board Oversight

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Life with GDPR

Meta Fined In Ireland

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recently announced fines by the Irish Data Protection Commission against Meta for GDPR breaches at two legacy companies: €210m for its Facebook operation and €180m for Instagram. The DPC also ordered Meta to change its data protection practices within three months. Those changes may have a more lasting effect on Meta than the fines. The two fines come in fifth and sixth place, respectively, among the largest GDPR fines of all time.

Some of the highlights include:

  1. What were the facts?
  2. Why this matter has far wider implications than simply Big Tech.
  3. Max Schrems says this is a huge blow for Meta.
  4. The convoluted appeal process is going forward.
  5. Lessons learned.

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Categories
Everything Compliance

Episode 109, The New Year’s Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Jonathan Armstrong, Jonathan Marks, Tom Fox, and Matt Kelly, all discussing issues they are looking at as we begin 2023. We conclude with our fan-fav Shout Outs and Rants section.

1. Matt Kelly looks at some of the ESG issues he will be following in 2023, including SEC rules around ESG, potential audit requirements, who will hold this function internally, and the new role of the ESG Controller. He rants about Zulily and its SOX compliance failures, which allowed an employee to embezzle over $300,000.

2. Jonathan Marks looks at corporate governance issues in 2023, including board structure and guidance, recent Board failures, and Board oversight and monitoring. He shouts out to the NFL for cancelling the game between the Bengals and Bills.

3. Tom Fox shouts out to the 50th anniversary of School House Rock and lists his top five.

4. Jonathan Armstrong gives us a preview of 5 key issues he is following for 2023: ESG, GDPR fines, ransomware, supply chain risk issues, and crypto scams. He rants about the mistreatment of Prince Harry’s dog and asks if the dog was traumatized when Prince William knocked his brother (Prince Harry) down and broke the dog’s food bowl.

5. Jay Rosen reviews acronyms that drive him crazy. He shouts out to EMS personnel in Cincinnati for training and being prepared when Damar Hamlin went into cardiac arrest during the Bills game, and for saving his life.

The members of Everything Compliance are:

•       Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Life with GDPR

Sullivan Conviction from GDPR Perspective

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recent conviction of Joe Sullivan, former CISO at Uber, for his role in hiding a data breach that hit the company. Sullivan was convicted in the US in October 2022 in connection with an investigation into a ransomware attack on Uber in 2016. However, we look at the conviction from the GDPR and UK perspective and ask whether it portends potential liability for CISOs and CCOs in the EU and UK. For instance, does this mean there are likely to be more prosecutions against executives? And could we see similar prosecutions in Europe? For a more detailed discussion and links to the case, check out the Cordery Compliance News Alert on the case, which you can find in the link below.

Some of the highlights include:

1.     What were the facts?

2.     Was Sullivan guilty of negligence or intentional conduct?

3.     Why were prior Uber convictions so significant?

4.     What happens next?

5.     Could this lead to more prosecutions of executives?

6.     What does this mean under GDPR and in the UK?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Categories
Life with GDPR

US Response to GDPR Data Flow Protections

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the US/EU/UK agreement for data transfer from the EU/UK to the United States under the Data Protection Framework. Some of the highlights include:

1.     What is the Data Protection Framework?

2.     How will the Data Protection Review Court work?

3.     What are the safeguards around the US national security review?

4.     What happens next?

5.     What are the views of Max Schrems?

6.     Will there be an EU/UK split?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Categories
Daily Compliance News

October 11, 2022 the Rethink Edition

In today’s edition of Daily Compliance News:

  • Corruption and money laundering are destroying the planet. (FCPA Blog)
  • UK to ‘rethink’ replacing GDPR. (TechCrunch)
  • Meta appeals €405 million fine. (Cordery Compliance)
  • More whistleblowers at EY (FT)