Categories
Daily Compliance News

Daily Compliance News: May 23, 2023 – The €1.2 Bn Fine Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Succession (in real life). (NYT)
  • Fired SFO investigator wins wrongful termination suit. (MLex)
  • Meta fined €1.2 billion by EU over GDPR violations. (Cordery Compliance)
  • Court decision unsealed in whistleblower decision. (Bloomberg Law)
Categories
Life with GDPR

Life With GDPR: Data Transfer Update

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. Join them in this episode as they delve into the hot-button issue of data transfers from the EU to the US. With potential new rulings looming, the replacement for Privacy Shield is said to be doomed to fail. The European Data Protection Board is investigating complaints against Google and Facebook that could affect up to 95% of US corporations using Google Analytics! How can your organization comply with GDPR while avoiding the nearly €3 billion in fines levied since 2018? The episode includes practical tips such as conducting compliance checks and due diligence. Don’t miss the explosive potential of this episode and what it could mean for businesses around the world.

Key Takeaways:

·      Data transfers from the EU to the US and privacy concerns

·      Data Transfer Regulations & Compliance

·      Data Protection Compliance for Business Websites

·      Impending Large GDPR Fine

Notable Quotes:

“It is not going to get any easier anytime soon, unfortunately.”

“This case is likely to affect, I think, 95% of corporate America.”

“Regulators definitely have an appetite to investigate this.”

“I expect that the fine that I’m hearing rumors of will tip us over the €300MM level.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Maria D’Avanzo on Privacy Issues in the US and Beyond

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Join Tom Fox, the host of FCPA Compliance Report, as he speaks with Maria D’Avanzo, Chief Evangelist Officer at Traliant, about privacy issues in the US and around the world. Discover the challenges businesses face due to the lack of a national privacy law in the US, where multiple state laws, led by California’s, apply instead. Compare this to the EU, where GDPR has been in place since 2018, and to similar laws implemented in other countries such as Singapore, Australia, and Brazil. Learn how GDPR has changed the way businesses handle privacy by making it part of business processes. Discover the importance of consulting with good outside counsel, especially for global privacy policy implementation.

Explore how to handle cybersecurity incidents and disclosure of information, as regulations on this topic are still developing. Hear from Maria on how to address these incidents internally and the importance of an incident response plan. Find out how collaborating with the Chief Information Security Officer is crucial in developing a specific plan for these incidents, including a group effort from various departments.

Hear about instances where organizations share confidential information or data, leading to legal backlash and damage to reputation. This section discusses the Tesla case and suggests a broader conversation about company culture may be necessary to prevent such privacy infringements. Don’t miss out on this insightful podcast and tune in now to get important insights into privacy and cybersecurity from two industry experts!

Key Highlights

·      The Evolution of Privacy Issues Post-GDPR

·      Navigating Privacy Laws and Meeting Legal Standards

·      Cybersecurity Incident Disclosure Decision Making

·      Importance of Cybersecurity Incident Response Plan

·      The Impact of Sharing Sensitive Information

Resources

Maria D’Avanzo on LinkedIn

Traliant

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Man Chooses the Target

Compliance Man Takes a EuroTrip – Geert Vermeulen on EU Whistleblower Directive

Compliance Man is back for a new season! Get ready for a EuroTrip with Tom Fox and Tim Khasanov-Batirov on their hit podcast, Compliance Man! In this episode, hosts Tom Fox and Tim Khasanov-Batirov speak with Geert Vermeulen, compliance professional and founder of The Integrity Coordinator, about the challenges of implementing effective whistleblower policies in Europe. They discuss cultural differences, strict requirements on external whistleblowing, and the burden of proof on companies to show that retaliation did not occur. The speakers emphasize the importance of understanding cultural differences and developing precise policies to promote a speak-up culture. The conversation ends with a reflection on the evolution of whistleblower procedures in Europe and thoughts on where things might be headed in the future. This is a must-listen podcast for anyone interested in compliance and corporate culture.

Vermeulen highlights the challenge of transposing the Directive into the national laws of member states, which has resulted in differences between states. Each state has its own specifications about what can be reported and what must not be reported. For instance, every state has different rules regarding protection against retaliation.

Here are some tips to help cope with this challenge:

1. Get familiar with the national laws of the member states where your organization operates.

2. Set up a streamlined procedure and ensure that all employees are aware of the internal complaints and whistleblowing process.

3. Ensure that your whistleblowing process is confidential and that whistleblowers are protected against retaliation.

Key Highlights

·      Lack of tradition of whistleblowing in Europe

·      Whistleblowing in emerging markets

·      One worldwide whistleblowing program?

·      Whistleblower protection and communication

·      Interplay of EU Whistleblower Directive and GDPR

·      The evolution of whistleblowing in Europe

Resources

Geert Vermeulen on LinkedIn

The Integrity Coordinator

Tim Khasanov-Batirov on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Life with GDPR

DPO Update

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, host the award-winning Life with GDPR. In this episode, Tom and Jonathan discuss the Data Protection Officer (DPO) role under GDPR, an important requirement set out in Article 37. They discuss how the European Court of Justice views the role, how Germany had a DPO system in place before GDPR, and why DPOs should be supported by their employer and protected against any potential conflicts of interest. They touch on the shortage of suitable DPOs due to the cost and resource requirements of the role, as well as the example of a data protection authority showing up at an organization and finding that its DPO had only recently been trained. Tune in to discover more key insights about the role of the DPO and stay knowledgeable on GDPR compliance with Life with GDPR.

Key Takeaways:

European Court of Justice and the GDPR System [00:05:46]

DPO Roles and Responsibilities [00:10:50]

Data Protection Authority Visit to an Organization [00:15:26]

Notable Quotes:

  1. “The Role of a DPO, in simple terms, is to sort of act as a sort of police officer to police the organization’s handling of data.”
  2. “If you look at GDPR Article 37(5), it says that a data protection officer must be designated on the basis of professional qualities, in particular, expert knowledge of data protection law and practices, and there’s a number of duties in Article 39 they have to be able to perform.”
  3. “Regulators will expect to see competency. And it’s probably easier for a regulator to judge competency than it is to judge conflict of interest.”
  4. “I think it is definitely worthwhile putting resources in training and also currency.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Life with GDPR

SARs Update

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, host the award-winning Life with GDPR. In this episode, Jonathan Armstrong explains that SARs remain a significant area of concern for businesses. He joins Tom to discuss a recent complaint by an individual to the Austrian DPA, in which the response to a SAR was incomplete and the individual took the case to the Austrian Federal Administrative Court. Jonathan notes that SARs are also being used as a tactic by those under regulatory and governmental investigation. Tom and Jonathan’s insight is invaluable for staying informed on the most up-to-date news on SARs.

Key Highlights

·      Challenges of Filing Data Protection Complaints in Austria [00:057]

·      Legal Implications of Acquiring a Business Under Regulatory or Governmental Investigation [00:11:03]

·      Ending a Podcast [00:15:50]

Notable Quotes

1.     “We know that SARs are onerous, and it may be that the gist route might be a way of saving some of the effort involved, not in searching for data necessarily, but in the whole redaction task, which is substantial because obviously you have to redact records so as not to expose the data of other individuals in many cases.”

2.     “And the officer stream result also seems to be in accordance with guidance from other DPAs as well. So probably the right decisions in both cases but obviously still some complexity involved in dealing with hours.”

3.     “We’ve definitely seen [SARs] in the context of regulatory or other governmental investigation. There are the cases in the public domain, for example, which is a case, which involves Russian oligarchs battling it out in the UK courts after group a investigated group b.”

4.     “And as I say, we’ve used the gist route previously. We know that people have complained to the ICO, to other regulators, but so far that hasn’t been anything that regulators criticized in the cases that we’ve been involved with.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Life with GDPR

Russian Cyber Attack Gangs Sanctioned

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning podcast Life with GDPR. In the most recent episode, they review the sanctions the UK and US have imposed on seven Russia-based individuals linked to ransomware. They explain that around 20-30 known software vulnerabilities are responsible for the majority of ransomware attacks, and that if these are patched, individuals and organizations are far less likely to be hit. Finally, the hosts delve into how some ransomware attackers go public about their actions in order to pressure those affected into paying up. Listen to Life with GDPR for the most up-to-date and helpful advice about cyber security and ransomware.

Key Highlights

·      Sanctions levied against Russian cyber-attack gangs [00:01:28]

·      Steps to take to Protect Against Ransomware Attacks [00:06:12]

·      The Dangers of Ransomware Attacks [00:10:49]

Notable Quotes

1.     “Sanctioning ransomware gangs is not especially new. The US has done it before, but this is a move that’s a giant move from the UK and the US to sanction 7 Russia-based individuals.”

2.     “It’s good business sense to payers because x is less than y. So just because GDPR is on the agenda of ransomware gangs, it obviously means that organizations have to take that much more seriously because ransomware gangs trying to push GDPR figures.”

3.     “Have a plan to deal with ransomware. It is inevitable a ball that somebody will target you. Maybe create a playbook so that you can work through key considerations in advance.”

4.     “You’re only as strong as your weaker link. And oftentimes, it is suppliers, HR providers, payroll providers, outsourced sales solutions that are a real area of vulnerability.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Blog

Cookies, Compliance and GDPR

Are you feeling overwhelmed by GDPR enforcement and data privacy regulations? Are you concerned about the implications of big tech companies, such as Facebook and Instagram, for the data privacy of your customers? The recent fines imposed on Meta, formerly known as Facebook, of €210,000,000 for Facebook and €180,000,000 for Instagram have created a ripple of concern across the globe. I recently had the opportunity to visit with Jonathan Armstrong, partner at Cordery Compliance, to explore the implications of this ruling and to lay out practical steps that organizations can take to ensure they are complying with GDPR. Be prepared to take a deep dive into the world of cookies and online behavioral advertising, and learn how to protect your customer data.

Armstrong outlined three steps you need to follow to achieve compliance and transparency:

  1. Be transparent about how you handle personal data.
  2. Look at your legal basis for processing data.
  3. Look at any argument based on necessity carefully.

Be transparent about how you handle personal data.

Step 1 for GDPR compliance is to be transparent about how you handle personal data. In order to do this, organizations need to understand what data is being processed, where it is being stored, and how it is being used. Transparency is a core element of GDPR and companies need to ensure that they are providing clear information about their data processing activities to customers and other users of their services. Organizations need to look at the data flows to and from their services, as well as any third parties they are working with, in order to be fully transparent about what personal data they are collecting and how they are using it.

Companies should also look at the legal basis for processing data to ensure that it is compliant with GDPR. Furthermore, organizations should be careful to make sure that any arguments they make based on necessity are supported with evidence to prove that their use of data is necessary. Finally, companies should be aware of the potential risks of online advertising, particularly with big tech companies like Facebook and Instagram, and be cautious when booking online advertising campaigns.

Look at your legal basis for processing data.

Step 2 is to review the legal basis for processing data. To do so, you will need to go through your data processing activities and determine what the legal basis is for each of them. This can be done through a data inventory, which is a list of all the data you are collecting and using. This will help you to identify if you are processing data based on consent, contractual obligation, or some other legal basis.

Once you have identified the legal basis, you will need to make sure that the basis is GDPR compliant. This means that you must ensure that the legal basis is legitimate, freely given, and specific. You must also make sure that you are transparent with individuals about how their data is being used, that they have the right to access and control their data, and that you are providing adequate security for the data. Finally, you must ensure that you have the right processes in place to ensure that any data you are processing is done so in accordance with GDPR.

Look at any argument based on necessity carefully.

When looking at any argument based on necessity, it is important to examine it carefully in order to determine whether it meets the requirements of GDPR. In GDPR terms, necessity means that the processing of personal data is necessary for the performance of a contract, or for compliance with a legal obligation, or for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

When analyzing an argument based on necessity, it is important to take into account the specifics of the situation, and to ensure that the data processing is indeed necessary for the purpose it is being used for. Additionally, it is important to consider the rights of the data subject, and to ensure that any processing of their data does not override their fundamental rights and freedoms. If the argument is found to be valid and necessary, it is important to ensure that the data is processed in a transparent and secure manner, in accordance with the GDPR requirements.

For more information, check the podcast I did with Jonathan on this topic on Life with GDPR. Check out Cordery Compliance here.

Categories
Life with GDPR

NIS II

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we take up NIS II and are pleased to be joined by Jonathan Marks and Matt Kelly for a robust conversation.

Highlights include:

  • What is NIS II and how does it differ from NIS I?
  • NIS II governs by sectors.
  • What are the implications for global companies?
  • Where can you go for more information?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Life with GDPR

Cookies, Cookies & More Cookies

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. Data protection has become a priority for many authorities, with the French regulator, CNIL, recently issuing fines and penalties to Microsoft for not complying with data protection laws. Microsoft changed its practices in March 2022, and similar action was taken against Google and Amazon.

In this episode, we discuss the regulatory landscape for cookies, which has become difficult for businesses to navigate and now requires board-level oversight of data privacy, data protection, and data security. Together, these measures are deemed necessary to mitigate the biggest risks to organizations. Max Schrems and his pressure group were among the key actors and filed a substantial number of complaints. This eventually led to a large fine at the end of 2022, announced this month, from CNIL, the French Data Protection Regulator, against Microsoft, for €60 million. The fine highlights that cookies have been on the agenda of many Data Protection Authorities and shows the severity of the consequences for not following GDPR requirements. The implications of this case will have a lasting effect on the relationship between European Data Protection Authorities and corporations, as well as on the resources necessary to stay compliant.

Highlights include:

·      [00:04:16] Microsoft’s Changes to Cookie Practices

·      [00:09:21] Navigating Regulatory Landscapes for Businesses

·      [00:14:21] The Importance of Data Privacy Board Oversight

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn