Short description:
In this webinar, we explore the current trends, predictions and other developments relevant to GDPR enforcement. We also look at the big fines, such as those imposed on Facebook, Google and Experian, and explain how to stay out of trouble with the regulator.
Main points covered:
• A summary of ICO enforcement action in the UK over the past 12 months
• What organizations got wrong
• The big fines – Facebook and Experian
• Trends and predictions
• How to keep out of trouble with the regulator
Presenter:
Our presenter for this webinar, James Castro-Edwards, is a partner and Head of Data Protection at Wedlake Bell LLP. James advises domestic and multinational organizations on data protection issues. His experience includes managing global data protection compliance projects for multinationals and advising domestic companies on complex data protection issues. He has also developed and delivered innovative data protection training programs for multinational clients, including a data protection officers’ training course accredited by a European government. James leads the firm’s outsourced data protection officer service, ProDPO.
James frequently speaks on data protection and cybersecurity issues and is widely published, having written articles for a wide variety of titles including The Times and The Guardian, and is the author of The Law Society textbook on the General Data Protection Regulation (GDPR).
Recorded Webinar: https://youtu.be/QAF1XXTBFyg
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
1. Living with the GDPR: What is keeping organisations busy?
• Data subjects’ requests
• Data breach reporting
  • Obligations for controllers
  • Obligations for processors
• Data sharing
  • Controllers and processors
  • Data processing addenda
  • Data sharing agreements
• Data protection impact assessments
2. Enforcement action
• The big fines – Facebook, Equifax and Google
• A summary of ICO enforcement action in the UK over the past 12 months
• What organisations got wrong
• Trends and predictions
• How to keep out of trouble with the regulator
3. Keeping on top of GDPR compliance
• Record of processing activities
• Data breach log
1. Living with the GDPR: What is keeping organisations busy?
• Data subjects’ requests
  • The GDPR confers broader rights upon individuals, including the ‘Right to be forgotten’;
  • Organisations must respond to data subjects’ requests, and usually cannot charge a fee;
  • The publicity around the GDPR means that individuals are more aware of their rights, and hence more likely to exercise them;
  • The result is that organisations face a large volume of data subjects’ requests, which they must deal with within the prescribed period;
  • The obligation falls upon controllers, though processors may need to assist, depending upon the terms of the engagement contract.
1. Living with the GDPR: What is keeping organisations busy?
• Data breach reporting
  • Obligations for controllers
    • Controllers must report personal data breaches to the data protection authority within 72 hours;
    • Breaches that are unlikely to result in a risk do not need to be notified, but must be recorded on the incident log;
    • In serious cases, breaches must be reported to affected data subjects.
  • Obligations for processors
    • Processors must notify the controller promptly – but not the data protection authority.
1. Living with the GDPR: What is keeping organisations busy?
• Data sharing
  • The GDPR is more prescriptive than the previous law in relation to data sharing arrangements, which may need to be documented;
  • The GDPR applies to both controllers and processors, but the obligations upon each are different;
  • Controllers and processors must enter into a contract that incorporates a number of prescribed provisions – ‘data processing addenda’;
  • Joint controllers should consider data sharing agreements;
  • Organisations must understand whether they are a controller or a processor – a service provider is not automatically a processor.
1. Living with the GDPR: What is keeping organisations busy?
• Data protection impact assessments (DPIA)
  • Controllers must carry out a data protection impact assessment before undertaking any processing activities that are likely to result in a high risk to data subjects;
  • In practice, organisations must be able to recognise privacy risks and know how to mitigate them.
2. Enforcement action
• The big fines: Facebook
  • The ICO announced on 25th October that it had fined Facebook £500,000 for data protection breaches;
  • The fine followed an ICO investigation, which found that between 2007 and 2014 Facebook processed users’ personal information unfairly by allowing app developers to use their personal data without sufficiently clear and informed consent, and by allowing access even if users had not downloaded the app but were ‘friends’ with people who had;
  • Researcher Dr Aleksandr Kogan and his company GSR used a personality quiz to harvest the Facebook data of up to 87 million people;
  • Facebook also failed to keep personal data secure by failing to carry out suitable checks on third party app developers using the platform, including SCL Group, the parent company of Cambridge Analytica;
  • £500,000 is the maximum penalty available to the ICO under the Data Protection Act 1998, which was in force at the time the breach took place.
• Lessons learned?
  • Transparency is key – if you are relying on individuals’ consent to process their personal data, you must inform them exactly what you are doing, and ensure they have a genuine choice.
  • Third parties – if you share personal data with third parties, you must have a lawful basis for doing so.
2. Enforcement action
• The big fines: Equifax
  • The ICO fined credit rating agency Equifax £500,000 for failing to protect the personal data of 15 million Britons;
  • A cyber attack on Equifax’s US-based systems in 2017 exposed personal data relating to 146 million people;
  • Up to 15 million UK citizens were affected;
  • Equifax Inc. in the US had been warned about a critical vulnerability by the US Department of Homeland Security in March 2017, but did not take appropriate action to fix the vulnerability, according to the ICO;
  • Equifax Ltd in the UK failed to take appropriate steps to ensure its US parent – which was processing personal data on its behalf – was protecting the information;
  • The fine was the first time the ICO used the maximum penalty available under the Data Protection Act 1998, which was in force when the breach took place.
• Lessons learned?
  • Security is a crucial part of data protection. Ensure your technical and organisational security measures are up to date.
2. Enforcement action
• The big fines: Google
  • The French data protection regulator, the CNIL, has fined Google a record EUR 50M (£44M) for alleged data protection breaches;
  • The CNIL said that Google made it too difficult for users to find essential information such as retention periods and purposes of processing, with information spread across multiple documents;
  • As a result, users were unable to effectively exercise their rights;
  • The fine is one of the first issued under the GDPR.
• Lessons learned?
  • Transparency is key – the GDPR seeks to give individuals choice and control over how their personal data is used.
  • Transparency is a fundamental component of choice and control: make sure your privacy notices are up to date and easy to follow.
2. Enforcement action
• ICO enforcement action in 2018
  • In the UK, fines issued by the ICO have steadily increased, but the ICO has yet to issue a penalty under the GDPR, which has a higher maximum than the Data Protection Act 1998;
  • The majority of enforcement activity has been around weak security and non-compliant direct marketing;
  • The ICO publishes a wealth of guidance; organisations have no excuse for not complying.
2. Enforcement action
• Trends and predictions
  • The GDPR has been in effect for nearly one year and regulators are starting to use the powers granted under it;
  • The magnitude of fines is increasing;
  • Individuals are increasingly aware of their rights and how to complain;
  • Organisations must ensure they comply with the new law or risk enforcement action from the regulator.
3. Keeping on top of GDPR compliance
• Record of processing activities (ROPA)
  • The ROPA should include a description of the personal data the organisation processes;
  • It should include information about the personal data the organisation processes about:
    • Employees (+ ex-employees & job applicants);
    • Customers (+ prospects & enquirers);
    • Suppliers.
  • An accurate ROPA will require data mapping;
  • Organisations should consider whether their processing meets the principles;
  • The accountability principle means that they must be able to demonstrate compliance.
3. Keeping on top of GDPR compliance
• Data breach log
  • Organisations must generally report data breaches to the data protection authority;
  • Breaches that have not been reported must be recorded on the organisation’s data breach log;
  • The breach log should demonstrate that the organisation has systems in place so that its staff recognise incidents and properly escalate them;
  • Staff should be properly trained, and subject to appropriate data protection policies.
GDPR Training Courses
• GDPR Introduction – 1 day course
• GDPR Foundation – 2 day course
• Certified Data Protection Officer – 5 day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/gdpr
www.pecb.com/events