Categories
Life with GDPR

DPO Update

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, host the award-winning Life with GDPR. In this episode, Tom and Jonathan discuss the Data Protection Officer (DPO) role in light of GDPR – an important requirement outlined in Article 37. They discuss how the European Court of Justice views the role, how Germany had a DPO system in place before GDPR, and that DPOs should be supported by their employer and protected against any potential conflicts of interest. They touch on the shortage of suitable DPOs due to the price and resource requirements of the role, as well as the example of a data protection authority showing up to an organization and finding a person who had been recently trained. Tune in to discover more key insights about the role of the DPO as you stay knowledgeable on GDPR compliance with Life with GDPR.

Key Takeaways:

European Court of Justice and the GDPR System [00:05:46]

DPO Roles and Responsibilities [00:10:50]

Data Protection Authority Visit to an Organization [00:15:26]

Notable Quotes:

  1. “The Role of a DPO, in simple terms, is to sort of act as a sort of police officer to police the organization’s handling of data.”
  2. “If you look at GDPR article 37 5, it says that a data protection officer must be designated on the basis of professional qualities. In particular, expert knowledge of data protection law and practices, and there’s a number of duties in Article 39 they have to be able to perform.”
  3. “Regulators will expect to see competency. And it’s probably easier for a regulator to judge competency than it is to judge conflict of interest.”
  4. “I think it is definitely worthwhile putting resources in training and also currency.”

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Life with GDPR

SARs Update

Tom Fox and Jonathan Armstrong, renowned expert in cyber security, host the award-winning Life with GDPR. In this episode, Jonathan Armstrong shares that SARs remain a significant area of concern for businesses. He joins Tom to discuss a recent individual’s complaint with the Austrian DPA, in which the response was incomplete and the individual took their case to an Austrian Federal Administrative Court. Jonathan shares that this tactic is being used by those under regulatory and governmental investigation. Tom and Jonathan’s insight is invaluable for staying informed of the most up-to-date news on SARs.

 Key Highlights

·      Challenges of Filing Data Protection Complaints in Austria [00:057]

·      Legal Implications of Acquiring a Business Under Regulatory or Governmental Investigation [00:11:03]

·      Ending a Podcast[00:15:50]

 Notable Quotes

1.     “We know that SARS are onerous, and it may be that the GIST route might be a way of saving some of the effort involved, not in searching for data necessarily, but in the whole redaction task, which is substantial because obviously you have to redact records so as not to expose the data of other individuals in many cases.”

2.     “And the officer stream result also seems to be in accordance with guidance from other DPAs as well. So probably the right decisions in both cases but obviously still some complexity involved in dealing with hours.”

3.     “We’ve definitely seen [SARs] in the context of regulatory or other governmental investigation. There are the cases in the public domain, for example, which is a case, which involves Russian oligarchs battling it out in the UK courts after group a investigated group b.”

4.     “And as I say, we’ve used the gist route previously. We know that people have complained to the ICR to other regulators but so far, that hasn’t been anything that regulators criticized in the cases that we’ve been involved with.””

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance, News Section. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Life with GDPR

Russian Cyber Attack Gangs Sanctioned

Tom Fox and Jonathan Armstrong, renowned expert in cyber security, co-host the award-winning podcast, Life with GDPR. In the most recent episode, they review the recent sanctions the UK and US have imposed on seven Russia-based individuals linked to ransomware. They explain that there are around 20-30 known vulnerabilities in software that could be responsible for the majority of ransomware attacks, and if these are taken care of, individuals and organizations are less likely to become susceptible. Finally, the host delve into how some ransomware attackers may become public about their actions in order to try and make those affected pay up. Listen to Life with GDPR for the most up-to-date and helpful advice about cyber security and ransomware.

 Key Highlights

·      Sanctions levied against Russian cyber-attack gangs [00:01:28]

·      Steps to take to Protect Against Ransomware Attacks [00:06:12]

·      The Dangers of Ransomware Attacks [00:10:49]

 Notable Quotes

1.     “Sanctioning ransomware gangs is not especially new. The US has done it before, but this is a move that’s a giant move from the UK and the US to sanction 7 Russia based individuals.”

2.     “It’s good business sense to payers because x is less than y. So just because GDPR is on the agenda of ransomware gangs, it obviously means that organizations have to take that much more seriously because ransomware gangs trying to push GDPR figures.”

3.     “Have a plan to deal with ransomware. It is inevitable a ball that somebody will target you. Maybe create a playbox so that you can work through key considerations in add advance.”

4.     “You’re only as strong as your weaker link. And oftentimes, it is suppliers, HR providers, payroll providers, outsourced sales solutions that are a real area of vulnerability.””

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance, News Section. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Blog

Cookies, Compliance and GDPR

Are you feeling overwhelmed by GDPR enforcement and data privacy regulations? Are you concerned about the implications of big tech companies, such as Facebook and Instagram, on the data privacy of your customers? The recent fines imposed on Meta, formerly known as Facebook, of €210,000,000 for Facebook and €180,000,000 for Instagram has created a ripple of concern across the globe. I recently had the opportunity to visit with Jonathan Armstrong, partner at Cordery Compliance to explore the implications of this ruling and provide practical steps that organizations can take to ensure they are abiding by GDPR compliance. Be prepared to take a deep dive into the world of Cookie and Online Behavioral Advertising, and learn how to protect your customer data.

Armstrong outline the three steps you need to follow to also get compliance and transparency:

  1. Be transparent about how you handle personal data.
  2. Look at your legal basis for processing data.
  3. Look at any argument based on necessity carefully.

Be transparent about how you handle personal data.

Step 1 for GDPR compliance is to be transparent about how you handle personal data. In order to do this, organizations need to understand what data is being processed, where it is being stored, and how it is being used. Transparency is a core element of GDPR and companies need to ensure that they are providing clear information about their data processing activities to customers and other users of their services. Organizations need to look at the data flows to and from their services, as well as any third parties they are working with, in order to be fully transparent about what personal data they are collecting and how they are using it.

Companies should also look at the legal basis for processing data to ensure that it is compliant with GDPR. Furthermore, organizations should be careful to make sure that any arguments they make based on necessity are supported with evidence to prove that their use of data is necessary. Finally, companies should be aware of the potential risks of online advertising, particularly with big tech companies like Facebook and Instagram, and be cautious when booking online advertising campaigns.

Look at your legal basis for processing data.

Step 2 is to review the legal basis for processing data. To do so, you will need to go through your data processing activities and determine what the legal basis is for each of them. This can be done through a data inventory, which is a list of all the data you are collecting and using. This will help you to identify if you are processing data based on consent, contractual obligation, or some other legal basis.

Once you have identified the legal basis, you will need to make sure that the basis is GDPR compliant. This means that you must ensure that the legal basis is legitimate, freely given, and specific. You must also make sure that you are transparent with individuals about how their data is being used, that they have the right to access and control their data, and that you are providing adequate security for the data. Finally, you must ensure that you have the right processes in place to ensure that any data you are processing is done so in accordance with GDPR.

Look at any argument based on necessity carefully.

When looking at any argument based on necessity, it is important to look at it carefully in order to determine if it meets the requirements of GDPR. Necessity is defined in GDPR as the process of processing personal data necessary for the performance of a contract, or necessary for compliance with a legal obligation, or necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

When analyzing an argument based on necessity, it is important to take into account the specifics of the situation, and to ensure that the data processing is indeed necessary for the purpose it is being used for. Additionally, it is important to consider the rights of the data subject, and to ensure that any processing of their data does not override their fundamental rights and freedoms. If the argument is found to be valid and necessary, it is important to ensure that the data is processed in a transparent and secure manner, in accordance with the GDPR requirements.

For more information, check the podcast I did with Jonathan on this topic on Life with GDPR. Check out Cordery Compliance here.

Categories
Life with GDPR

NIS II

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we take up NIS II and are pleased to be joined by Jonathan Marks and Matt Kelly for a robust conversation.

Highlights include:

  • What is NIS II and how does it differ from NIS I?
  • NIS II governs by sectors.
  • What are the implications for global companies?
  • Where can you go for more information.

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance, News Section. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Life with GDPR

Cookies, Cookies & More Cookies

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. Data protection has become a priority for many authorities with the French regulator, CNIL,  recently issuing fines and penalties to Microsoft for not complying with the data protection laws. Changes were made to their practices in March 2022, and similar action was taken against Google and Amazon.

In this episode, we discuss the regulatory landscape for cookies which has become difficult for businesses to maneuver, requiring board-level oversight of data privacy, data protection, and data security. Together, these measures are deemed necessary in order to mitigate the biggest risks to organizations. Max Schrems and his pressure group were two of the key adjutants and had filed a substantial number of complaints. This eventually led to a large fine at the end of 2022, announced this month, from CNIL, the French Data Protection Regulator, against Microsoft, for €60 million. This fine highlighted the fact that cookies had been on the agenda for many Data Protection Authorities and the severity of the consequences for not following GDPR requirements. The implications of this case will have a lasting effect on the relations between European Data Protection Authorities and corporations, as well as the resources necessary to stay compliant.

Highlights include:

·      [00:04:16] Microsoft’s Changes to Cookie Practices

·      [00:09:21] Navigating Regulatory Landscapes for Businesses

·      [00:14:21] The Importance of Data Privacy Board Oversight

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance, News Section. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Life with GDPR

ICO Gets Serious About Subject Access Requests

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recent action by the ICO against seven UK organizations that failed to respond to Subject Access Requests (SAR), which follows a trend across Europe of more enforcement action on SAR. Some of the highlights  include:

1.     What is a Subject Access Request (SAR)?

2.     Why are these companies in the ‘Naughty Corner.’

3.     How does this follow a trend across Europe of more enforcement action on SAR?

4.     What happens next?

5.     Who is the constituency for change in the SAR process in the UK?

6.     What are the lessons learned?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Categories
FCPA Compliance Report

A Dark Day for Dechert

In this episode, I visit with Jonathan Armstrong, partner at Cordery Compliance in London. We consider the recent payment by the international law firm Dechert of £20 million for its conduct and that of its former partner Neil Gerrard in the ENCR affair. The matter was a dark day for Dechert and a black eye on the legal profession. Some of the highlights include:

Key areas we discuss on this podcast are:

·      What were the failures of the law firm?

·      What led to the £20 million interim payment?

·      Will there be discipline against the law firm?

·      What is the role of a law firm in overseeing investigations?

·      How are the implications of holding investigative data under GDPR going forward?

·      Who watches the watchers (and investigators)?

 Resources

Jonathan Armstrong on Cordery Compliance

Hannah Walker in Law.com on the scandal

Categories
Life with GDPR

Meta Fined €405 million by Irish Data Protection Commission

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recent fine by the Irish Data Protection Commission levied against Meta €405 million for Instagram Data Protection Infringements. Some of the highlights  include:

1.     What is the background of the case?

2.     What was the basis for the fine?

3.     What happens next?

4.     What did other national agencies and commissions, particularly the EDPB say?

5.     What are the lessons learned?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Categories
Life with GDPR

US Response to GDPR Data Flow Protections

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the US/EU/UK agreement for data transfer from the EU/UK to the United States under the Data Protection Framework. Some of the highlights  include:

1.     What is the Data Protection Framework?

2.     How will the Data Protection Review Court work?

3.     What dare the safeguards around the US national security review be?

4.     What happens next?

5.     What are the views of Max Schrems?

6.     Will there be an EU/UK split?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.