Author's details

Date registered: December 30, 2013

Latest posts

  1. UK: Government triggers Article 50 — March 29, 2017
  2. AUSTRALIA: Mandatory data breach reporting comes to Australia — February 14, 2017
  3. POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General” — February 14, 2017
  4. UK: Implementation of the Network and Information Security Directive — February 13, 2017
  5. Data Protection Day 2017! — January 26, 2017

Author's posts listings

UK: Government triggers Article 50

After months of speculation and legal and political wrangling, Theresa May, the UK Prime Minister, has today triggered Article 50 and formally begun the process of the withdrawal of the UK from the European Union.

For latest insights on all aspects of Brexit, including the GDPR and data transfers to / from the UK after April 2019, please see our dedicated Brexit microsite.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-triggers-article-50/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must not only make such a notification after a breach has been known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to undertake investigations into whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’? Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments? How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be liable for serious or repeated interferences with the privacy of an individual and can face a civil penalty of up to $360,000 and $1.8 million respectively.

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers’ information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. You will also need to think this through across your existing and future supplier environment, including the nature of required upstream contract obligations.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low as disclosure must be made by the entity not only if it knows a breach has occurred but in the event they believe a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occurred). This can be seen as both a positive and a negative depending on which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that, ‘a serious breach’ is too broadly defined in the laws suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuels (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regime.


In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and working with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). One example is the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual action.

On a practical level, another potential problem of this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public. This means that a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of breaches occurring (and such breaches meeting the required standard) could increase dramatically and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was in itself perceived to provide something of a panacea for individuals, and to provide greater clarity to business in terms of the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

UK: Implementation of the Network and Information Security Directive

By Ross McKean (Partner, London) and Linzi Penman (Associate, Edinburgh)

With the annual cost of cybercrime and cyber espionage to the world economy estimated in the hundreds of billions of dollars and accusations from various Western governments and law enforcement agencies that a sustained campaign of cyber-attacks targeting democracy and critical infrastructure is being carried out in the West, there has been sustained pressure on legislators to toughen cyber laws.

The cybersecurity strategy for the European Union and the European agenda on security provide an overall framework for the numerous EU initiatives to improve cybersecurity and tackle cybercrime. This remains a key priority for the EU institutions which have repeatedly stated that the digital economy within the single market depends on trust in secure information networks and systems.

Progress was made at an EU level in 2016 with a view to bolstering cybersecurity across Europe, with the adoption of the Network and Information Security Directive which requires implementation by Member States on or before 9 May 2018. The Directive is the first EU-wide piece of legislation concerning cybersecurity with its core objectives being to:

  • enhance cyber security at a national level,
  • increase cooperation among Member States on the matter, and
  • impose certain obligations aimed at improving cybersecurity on operators of ‘essential services’ (i.e. water, energy, transport, health, finance, banking, ISPs, DNS).

UK Position – DCMS implementation of NIS Directive

The UK Government advised last year that it is ‘taking stock of the EU referendum outcome and looking at what impact this might have, if any, on the UK Government’s plans for implementing the NIS Directive’. This, coupled with reports that the UK Government may use access to UK intelligence services as a bargaining chip in the forthcoming Brexit negotiations and reports that GCHQ has concerns about the ability of its European equivalent organisations to keep secrets, had led some to question whether the NIS Directive would be implemented at all in the UK. However, Stuart Peters – the Head of EU Cyber Security Regulatory Policy – noted last week that the UK “will still be members of the EU in May 2018 when the Directive is due to come into force…. [and the] UK Government is therefore continuing to implement the Directive.”

Next Steps

As yet, there are no official proposals as to how the UK will implement the NIS Directive. However, the Department of Culture, Media and Sport notes that the government intends to submit its proposed plan by the end of February/beginning of March, with an impact assessment and public consultation planned to be conducted in April and June 2017, respectively.

View further details of the changes envisaged under the NIS Directive >>

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-implementation-of-the-network-and-information-security-directive/

Data Protection Day 2017!

At DLA Piper we pride ourselves in providing the insights, tools and know how you need to plan ahead and manage change in a privacy landscape that is constantly evolving. With publication of the final text of the EU General Data Protection Regulation in April 2016, many organisations are now actively looking ahead to a challenging timetable to secure GDPR readiness, ahead of May 2018.

International Data Protection Day provides an opportunity to reflect on where we see organisations are in terms of managing privacy to an appropriate standard of protection, and share some of the materials and learning we have created to help those on the compliance journey navigate the road ahead.

Data Protection Laws of the World

We are pleased to launch the 2017 edition of our newly designed Data Protection Laws of the World, which now covers over 95 jurisdictions. This highly regarded complimentary go-to guide offers a high-level snapshot of selected aspects of data protection laws across the globe, in an easily accessible online format.

Access the handbook

Data Privacy Snapshot

Over 250 organisations have completed our Data Privacy Scorebox to assess current levels of privacy compliance in their respective business operations. Our inaugural Global Data Privacy Snapshot draws on data from the scorebox assessments to provide a perspective on current maturity levels of compliance across the market. The report focuses particularly on maturity levels in the Financial Services, Life Sciences and Healthcare, and Technology and Telecoms sectors, with an overall finding that suggests most organisations have a lot of work on their plate to achieve the levels of compliance they need.

This report will be launching soon.

Data Privacy Scorebox

Launched in 2016, this online tool will help you assess your organisation’s data protection maturity level. Complete a survey covering areas such as storage of data, use of data, and customers’ rights to generate a report that shows your organisation’s maturity levels against 12 key areas of privacy compliance. The report includes a practical action point check list and peer benchmarking data.

Access the scorebox.

Privacy Matters Blog

Our Privacy Matters blog is where you will find the latest updates (often within hours) from our global privacy team on all matters related to data protection, privacy and security. Subscribe with your email address on the home page to receive a message whenever a new post is made.

Access the blog.

Want to know more about the EU Data Protection Regulation? 

We maintain a dedicated GDPR microsite, where you can find lots of useful information to help you learn about the EU Data Protection Regulation – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events.

You will also find our summary Guide to the GDPR which many organisations find a helpful quick guide to the key requirements of the GDPR.

Access the microsite.


We are soon to launch an EU GDPR App which gives easy access to the Regulation text. Available for download on iOS and Android, the App will provide a handy guide to the GDPR so you can quickly access Articles, link to relevant Recitals and make comparisons back to the Directive. The App will be available in 13 different languages.

For more information on any of these tools or to contact us, please email dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/data-protection-day-2017/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance at WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. a controller has separate decision making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank, whose banking decisions are made in one jurisdiction where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.




Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-new-european-eprivacy-rules-in-the-making-internet-services-but-also-iot-heavily-impacted/

EUROPE: Let the data flow!

By Patrick Van Eecke and Charlotte Suffys

The European Commission is further developing its Digital Single Market strategy. The strategy aims to (i) provide better access to digital goods, (ii) create a good environment for digital networks and innovative services, and (iii) maximise growth of a European Digital Economy. Earlier this month, the Commission published its Inception Impact Assessment titled ‘European free flow of data initiative within the Digital Single Market’, which reiterates the detriment to the Digital Economy when data is required to stay local. The European Free Flow of Data Initiative is a key component of the Digital Single Market strategy which complements other actions of the Commission, such as the launch of a European Cloud Initiative. The European Free Flow of Data Initiative will impact sectors like the health sector and the financial sector, but also the legal sector.

The Inception Impact Assessment follows a web-based public consultation on the regulatory environment for data and cloud computing which was concluded at the beginning of January 2016. The public consultation highlighted the need to address data location restrictions, legal and technical restrictions to the free flow of data. It also highlighted the need to create new frameworks for ‘data liability’ and to provide guidance on emerging issues around data access and associated mechanisms, data ownership, data usage, and data transfers. After the public consultation, a consultation workshop dedicated to the free flow of data was held to further focus on these issues.

Aside from the legal uncertainty of emerging concepts which are currently often constructed by contractual means, the Inception Impact Assessment details four problem drivers for the free movement of data:

  • Problem 1: Diverging data location restrictions and approach in the Member States.
  • Problem 2: Unjustified or disproportionate data location restrictions in specific sectors or situations.
  • Problem 3: The lack of European defined standards and practices on network, information security, prevention and investigation is causing data location restrictions.
  • Problem 4: Commercial users apply self-imposed data location restrictions in light of legal uncertainty and the lack of transparent requirements.

The Commission report indicates that the focus of the regulatory intervention is directed at tackling data location restrictions and that emerging issues will only be dealt with in a Communication at this point.

Although it is still an open question if intervention would be preferred under a legislative instrument or if soft-law approaches are recommended to reduce data location restrictions, it is clear that – when mapping the options for the European Commission to take action – data location restrictions, fragmentation and weakness in sectoral policies would remain in existence without EU action.

The Inception Impact Assessment only announces the very start of the Commission’s decision-making process which will be followed by a legislative proposal and an accompanying Impact Assessment. In the meantime the Inception Impact Assessment remains open for feedback.

Please feel free to contact Patrick Van Eecke to learn more about the data policy objective of the European Commission.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-let-the-data-flow/

HUNGARY: Hungarian DPA issues 12 step guide on the GDPR

By Zoltan Kozma (Senior Associate, Budapest)

The Hungarian Data Protection Authority published on its website a 12 step guide on how to get ready for the GDPR. Similar to the guides already issued by other DPAs from various jurisdictions (e.g. UK and Belgium), the guide includes 12 steps data controllers and data processors should follow in order to achieve compliance. Although this is a useful initial guideline from the Hungarian DPA for controllers and processors, it still leaves room for interpretation. Further guidance and other tools can be expected from the DPA to assist with preparation for GDPR compliance by 25 May 2018.

The guide includes the following steps:

1. Increase awareness

Awareness must be ensured within the organization to get ready for compliance with the GDPR.

2. Criteria of the data controlling activities must be reviewed

Purpose and context of the data processing activities, together with the concept of processing the personal data must be reviewed. With a well prepared data protection policy, compliance with the accountability principle and lawful processing can be achieved.

3. Appropriate information should be provided to data subjects

Attention must be paid to the fact that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.

4. Rights of data subjects

Rules regarding the rights of data subjects and data processing procedures must be checked. The most important new right of data subjects is data portability, which means that data subjects shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Data subjects must be able to have their data deleted from any accessible sources.

5. Right of access by the data subjects

New rules regarding access requests and timescales to respond must be checked. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month. That period may be extended by two further months where necessary.

Right of access can be ensured by a secure online system through which data subjects can have easy and quick access to their information.

6. Legal basis for processing personal data

Data processing activities must be looked at within the organization and in compliance with the legal bases provided for in the new Regulation, informational self-determination must be ensured. Be aware that on the basis of ‘right to be forgotten’, if requested by the data subject, the personal data must be erased without undue delay, should the data subject withdraw his or her consent to the data processing. Accordingly, consent means a stronger erasure obligation on the side of the data controller.

7. Conditions of consent must be reviewed

If processing is based on consent, data processing operations must be checked to ensure compliance with the new criteria of the GDPR. Like the Info Act, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not determined in either the Info Act or in the GDPR, however, in any case consent is only valid if it is freely given, specific, informed and unambiguous.

8. More emphasis on children’s rights

If an organization processes children’s data, more emphasis should be placed on children’s rights in relation to information society services. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is under the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

9. Notification of data breach

Pursuant to the current rules of the Info Act, data breaches must be recorded by the controller and information must be provided only at the request of the data subjects.

Pursuant to the new rules in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

10. Data protection by design and data protection impact assessment

Under the new rules, in certain cases data controllers must carry out a data protection impact assessment. Although this might impose an administrative burden on data controllers, in high-risk data processing situations it can be justifiable to carry out a data protection impact assessment.

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk.

11. Data protection officers

The GDPR requires more data controllers to appoint data protection officers than the Info Act, e.g. if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

12. Competence of supervisory authorities

Under the GDPR each supervisory authority shall be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.

The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.

Should the activity of the organization not be limited to only one country, it must be checked in which country most of the data processing is carried out (usually the seat of the parent company) and on this basis it should be reviewed which country’s supervisory authority will proceed as lead supervisory authority in respect of the data processing.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/hungary-hungarian-dpa-issues-12-step-guide-on-the-gdpr/

UK: ICO issues record fine to TalkTalk for data breach

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has publicly announced the imposition of a £400,000 ‘monetary penalty’ on the British telecommunications company and internet service provider, TalkTalk. The penalty was issued to TalkTalk in response to a cyber-attack in October 2015 which compromised the personal data of over 150,000 customers.

The penalty, imposed under statutory powers granted to the ICO by the Data Protection Act 1998 (“DPA”), is the largest to date, and falls just short of the maximum fine of £500,000 which the ICO is allowed to levy by law.  It follows on the heels of a much smaller fixed penalty of £1,000 which was also imposed on TalkTalk by the ICO, in that case for failing to notify the ICO about the data breach within the timescales required for telecommunications companies by the Privacy and Electronic Communications Regulations 2003.

In the notice issued to TalkTalk with the more recent penalty, the ICO details the ways in which it found the company to be in contravention of its obligation under the DPA to “take appropriate technical and organisational measures against the unlawful or unauthorised processing of personal data”, also known as the seventh principle of the DPA.

Crucially, TalkTalk had not taken sufficient measures to ensure that the customer database which was targeted by the attack could not be accessed by a hacker performing an SQL injection attack, in which malicious statements in the SQL programming language can be used to control a web application’s database server. The ICO found that TalkTalk was operating a vulnerable and outdated database which was accessible via webpages related to its legacy Tiscali business.

In setting the level of the penalty, the ICO identified a number of aggravating factors which made the data breach particularly serious. These were:

  • the number of individuals (data subjects) affected;
  • the sensitivity of the data (in over 15,000 cases, the data included bank account numbers and sort codes);
  • the potential consequences of the breach for the data subjects; and
  • the fact that TalkTalk ought reasonably to have known that there was a risk a breach of this kind would occur.

However, the ICO did stop short of deciding that the contraventions of the DPA were ‘deliberate’.

This record penalty comes at a time of ever-increasing awareness about the prevalence of cyber-attacks, and the consequential breaches of customer data. A recent Lloyd’s of London report revealed that, of the large European companies surveyed, 92% were aware of having experienced a data breach in the last five years.[1] In 2016 alone, large-scale breaches involving familiar names such as Yahoo, Inc., Sage Group plc and Seagate Technology plc have been in the headlines.

The penalty also arrives approximately 18 months ahead of a change in the law across the EU (including, it is anticipated, the UK) from the current data protection regime to the General Data Protection Regulation (“GDPR”).  The GDPR will significantly increase enforcement risks for companies who breach data protection rules, including in respect of data breaches.  It will allow for fines of up to the greater of EUR 20 million, or 4% of a company’s total worldwide annual turnover.  It will also introduce a mandatory data breach reporting regime for all companies, whereby companies will be required to give notice to a supervisory authority about a data breach within 72 hours of becoming aware of the breach.

For telecommunications companies like TalkTalk, as well as other providers of critical infrastructure such as banks, utility companies and transport operators, the GDPR rules will sit alongside another new set of rules in the Network and Information Security Directive, which also include a data breach reporting regime, as well as provisions for information sharing and the setting of guidelines in respect of data breach management.

It is also interesting to note the GDPR contains specific indicators which supervisory authorities should take into account when setting the level of fines.  These include:

  • the number of data subjects affected and the level of damage suffered by them;
  • the technical and organisational security measures which had been implemented;
  • the degree of cooperation with the supervisory authority;
  • the manner in which the infringement became known to the authority (i.e. was the authority notified?); and
  • whether the infringement was either intentional or negligent.

Some of these are very similar to the guidelines relied upon by the ICO in determining the level of TalkTalk’s penalty, leading to the conclusion that this data breach would have been met with a much higher penalty if it were to have occurred in October 2018, rather than 2015.

DLA Piper’s specialist Data Protection, Privacy and Security group operates on a global basis to provide sophisticated data management and data security advice.  We can help businesses both to crisis-manage the fall-out of data breaches, as well as to organise policies and procedures to ensure compliance, and to mitigate against the risk of breaches occurring in the first place.

[1] ‘Facing the cyber risk challenge.’ Lloyd’s of London. 20 September 2016.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-ico-issues-record-fine-to-talktalk-for-data-breach/
