Join James Tumbridge, a lawyer with the specialist law firm Venner Shipley and one of the authors of the UK Data Protection Act 2018, and Ivan Tsarynny, CEO & Founder of Feroot Privacy, to discuss the unique data protection laws of EU jurisdictions and the potential impact regulations can have on your business operations, expansion plans and governance structure. Topics for discussion include: - Lessons learned from the courts, regulator inquiries and fines over the past year - How to stay informed of current privacy regulations by learning about those who have been impacted already - Significant trends in GDPR behaviours - An overview of jurisdictional regulations & how to best prepare - Key issues to keep in mind for governance, corporate structures and domiciles in data protection terms

1. GDPR One Year Later: What can we learn
from the investigations & penalties?
| FEROOT EXPERT WEBINAR SERIES Tuesday, May 14, 2019
James Tumbridge
Partner
Venner Shipley LLP
Ivan Tsarynny
Co-founder & CEO
Feroot Privacy

2. Optimize Your Webinar Experience
Raise Your Hand if you…
Can’t You Hear?
Having Trouble?
Chat your thoughts or
questions
Ask Questions
See Answers

3. https://blog.feroot.com/
Feroot Expert Webinar Series

4. Next Webinar: June 2019
 Hidden Data Collection
 Ungoverned third-parties
 Data Leakage
@FerootPrivacy
linkedin.com/company/feroot/

5. Coming Soon! 2019 Data Collection Study
 Hidden Data Collection
 Ungoverned third-parties
 Data Leakage
@FerootPrivacy
linkedin.com/company/feroot/
2019 Data Collection
Research Report

6. James Tumbridge
Our Presenters Today
Ivan Tsarynny
Partner
Venner Shipley LLP
Founder & CEO
Feroot

7. Agenda
1. The New Data Economy: What Privacy Regulation
Means for Business Operations & Growth
2. Significant Trends in GDPR Behaviours
3. *Lessons Learned from EU Regulators & Fines (and
how this impacts you!)
4. How Best to Prepare (legally & operationally)
5. Q&A (10 mins)

8. Turmoil in the Data Economy
Regions Organizations Regulations Details
Europe 94,000+ GDPR General Data Protection Regulation
UK 19,000+ DPA Data Protection Act
California 2,000+ (est.) CCPA California Consumer Privacy Act
Canada 10,000+ PIPEDA
Personal Information Protection and Electronic
Documents Act
USA 102,000+ TBD Rumored Federal Privacy Regulation in the U.S.
+ Brand Reputation Damage
+ Loss of Customer Trust
+ Fines and penalties

9. Organizations are using more SaaS products than ever before.
There are over 7,000 marketing SaaS tools in 2019, up from ~350 in 2012
Marketing SaaS products used by an average enterprise
121 2018 Netscope Cloud Report

10. Interest
Convert
(pay)
Selection
Usage
(pay)
Renewal
(pay)
Revenue Funnel
Marketing
Privacy
and Security
GDPR
e-Privacy
CCPA
FTC
COPPA
PCI-DSS
HIPAA

11. James Tumbridge
Partner
Venner Shipley LLP
GDPR One Year Later: What can we learn
from investigations & penalties?

12. 9,053,156,308
Data records lost or stolen since 2013

13. 1.1 Billion
Identities Stolen in 2016 - 2018

14. Only
4%of breaches were “Secure Breaches” -
where encryption was used and the stolen
data was rendered useless

15. $3.8 Million
Global Average Total Cost of a Breach
( Poneman Institute – “The 2018 Cost of a Data Breach Study”)

16. [Data Breaches under the GDPR

17. Awareness of the new law
A) Annual worldwide mentions in the media B) Google searches for GDPR
Source: Factiva Source: Google Trends
• In 2018, the GDPR received more attention than certain celebrities
• And featured in Google searches more often than certain American superstars!

18. Most common types of complaints
under the GDPR
Telemarketing Promotional
emails
Videosurveillance
and CCTV

19. Complaints to Data Protection Authorities
under the GDPR
• Steady increase in complaints
• Complaints can come from
any individual
• GDPR introduced mandatory
data breach notification for all
data controllers

20. Number of data breach notifications
• Prior to GDPR there was no
single breach-notification
regulation for the European Union
• Data Protection Officer obliged to
report breach within 72 hours
• Sharp and steady increase
observed
Accumulated over time from all data
protection authorities in Europe
Source: European Data Protection Board

21. • Sharp increase in breach notifications to ICO:
• 8,000 between May -Dec 2018
– Compare with 3,311 and 2,565 notifications in the years ending 31st March
2017 and 2018, respectively
• UK is third behind the Netherlands and Germany in the data breach
reporting league table
• Despite this increase, so far there reports are limited on enforcement–
but it is growing
• However, as investigations take place, enforcement action likely to
increase
Breach notifications under the GDPR

22. Cross-border cases under GDPR
Investigations initiated by Data Protection
Authorities
Investigations by Data Protection Authorities
on the basis of individual complaints
• Many companies (e.g. social media
platforms) provide services in more
than one country
• GDPR provides that in most cases one
national authority takes the lead to
investigate (‘one-stop shop’)
• In the vent of disagreement the
European Data Protection Board will
arbitrate

23. Data Subject Access Requests (SARS)
• The introduction of the GDPR saw an immediate rise in SARS (possibly due
to abolition of fee under the GDPR)
• In particular as a first move in the context of a potential claim in
employment disputes
• Recent guidance from the court states SARS cannot be refused even when
only motivated by potential litigation
• Organisations should be ready to respond to SARS and fully understand
how the exemptions available may apply

24. [

25. Fines issued under the GDPR
• Fines up to 4% of worldwide
turnover
• Google fined 50 million euros
by French authority (largest
fine so far, and represents
90% of total fines issued to
date)Source: European Commission
55, 955 871 euros – the total value of penalties imposed in
the first 9 months*
*European Data Protection Board

26. Fines under the GDPR – a reminder
• Two tiers of penalties:
• Lower level:
– 10 million euros or 2 % of annual turnover (whichever is higher)
– (for infringements of Controllers and processors, Certification body and Monitoring body)
• Upper level:
– Up to 20 million euros or 4% of annual turnover (whichever is higher)
– For infringements of the basic principles of processing, the data subjects’ rights, non-
compliant transfers to third countries, and non-compliance with an order by a supervisory
authority)
• Remember, under the DPA 1998 the maximum fine was £500 K

27. How are fines assessed under GDPR?
• The UK ICO has said that fines under the GDPR are to be ‘effective,
proportionate and dissuasive’
• Each case assessed individually. Factors to be taken into account:
– Nature, gravity and duration of the breach
– Number of data subjects involved
– Categories of personal data affected (e.g. special category data0
– Damage caused and action taken to mitigate the damage
– Any relevant previous infringements
– Degree of cooperation with the regulator

28. The Google fine
• Google fined 50 million euros for lack of transparency, inadequate information and lack of
valid consent in relation to its use of personal data used for personalising ads
• French authority justified fine on basis that:
– Google would otherwise continue to infringe the essential principles of GDPR
(transparency and consent)
– Infringements were not a one-off and were ongoing
– The number of people affected
– Google’s economic model partly based on ad personalisation, therefore vital it
complies

29. Fines in the UK
• The ICO has issued numerous six-figure penalties, but none have exceeded
£500K – the maximum penalty under DPA 1998
• While no enforcement fines have yet been made under the DPA 2018, the
ICO has issued over 100 fines for non-payment of data protection fees.
Under the DPA 2018, all non-exempt organisations must pay an annual fee
to the ICO, and failing to do so may result in fines of up to £4,350
• Under the DPA 2018, fees for small organisations are only £35, while fees
for larger organisations have risen to £2,900

30. Fines in the UK
• Equifax: Fined the maximum £500,000 in September 2018 after 15 million
customers’ data was hacked in 2017.
• Had the breach happened and been enforced under the GDPR, the
maximum fine could have reached £100 million.
• Facebook: Fine the maximum £500,000 in October 2018 for sharing
personal data with other organisations, including the parent company of
Cambridge Analytica, between 2007 and 2014.
• Under the GDPR, the maximum possible fine would have been roughly
£1.25 billion.

31. Fines –Selling customer data
UK -
• Bounty: Fined £400,000 on April 11th 2019 for selling information to data
brokers and sharing the personal data of 14 million individuals without
proper consent.
Issued under DPA 1998, but if made under the GDPR, the maximum
fine could have reached £17 million.
• Hall and Hanley: Most recent ICO fine – Fined £120,000 on May 7th for
sending over 3 million unlawful spam text messages without valid consent,
as is required under the Privacy and Electronic Communications
Regulations (PECR)

32. Fines – failure to minimise
Denmark
• First GDPR penalty notice in Denmark 1.2 million kroner fine
recommended by Danish DPA (approx. 2.8% turnover).
• DPA found that Taxa did not adhere to the GDPR’s data minimisation
principle by over-retaining personal data long after the envisioned retention
period.
• Taxa had deleted customers’ names and addresses but had retained
customers’ telephone numbers for an additional three years
• Shows readiness of authorities to get closer to the 4% annual turnover cap,
and to question your retention and review systems.

33. Fines – did you inform/check consent?
Poland :
• Polish DPA issued € 220,000 fine to Swedish marketing firm Bisnode.
• DPA found Bisnode failed to comply with the GDPR’s transparency
obligations (Article 14).
• Bisnode obtained the personal data of almost 8 million people from public
registers but did not inform them how their data would be processed.
• In addition to the fine, Bisnode was ordered to contact over 6 million
people it has not previously notified (at an estimated € 8 million in postal
costs alone).

34. Fines – Video Surveillance
Austria:
• € 4,800 fine imposed by Austrian DPA on a retail establishment for illegal video
surveillance activities.
• The retailer was found to have monitored a public space without proper
transparency and notice.
• The fine is noteworthy as the Austrian Data Protection Act states that the
DPA will exercise only remedial powers (and, in particular, to issue
reprimands) for first-time infringers.

35. Fines on processors too
Italy
• Several websites affiliated to Italian political party ‘Movimento 5 Stelle’ were run
through the Rousseau web platform.
• The platform suffered a data breach in 2017 which led to the DPA requiring the
implementation of many security measures, in addition to the obligation to update
the privacy information notice.
• Rousseau did not fully comply - fined €50,000 - It is noteworthy that this fine was
issued against the data processor and not the data controller (Movimento 5 Stelle).
• Interestingly, the regulator initiated proceedings before May 2018, but issued a fine
under the GDPR since Rousseau had not adopted security measures required
though an order issued only after the 25th of May 2018 (Unique to Italy?)

36. Fines even when you are hacked
Germany
• Following a hacking attack large amounts of users’ personal information
were compromised, including over 800,000 email addresses.
• Knuddels.de informed the German regulatorand the users affected.
• The investigation found that passwords were stored in an unencrypted an
plain text form.
– Violation of Article 32(1)(a) – the pseudonymisation and encryption of data
• € 20,000 fine. It is understood that the immediate reporting of the breach
and notification of users resulted in a fine at the lower end of the
spectrum.

37. Fines medical data and staff miss use
Portugal:
• € 400,000 fine imposed by Portuguese DPA on Centro Hospitalar Barreiro Montijo
after staff members illicitly accessed patient data:
– Violation of Article 5(1)(c) – data minimisation principle
– Violation of Article 83(5)(a) – processing principles
– Violation of Article 5(1)(f) – effective organisational measures (‘integrity and confidentiality’)
• The striking fact about this fine is that the regulator acted upon a newspaper
article and not a complaint.

38. Fines – Lessons to Learn?
• Selling data – dangerous
• You need consent/clear informing of data subjects
• Retention decisions - Fines for not auditing and removing unnecessary
personal data, not using minimisation
• Biometric data – HMRC voice example – do you have adequate consent?
• Medical data – it is treated with more severity
• Good policies and prompt notice reduce fines
• Processors have risks too
• Get your security and anonymising in order

39. [

40. • Policies and procedures - Essential - comply with guidance on transparency and
consent from the European Data Protection Board
– Do you have a policy to handle Subject Access Requests (SARs)?
– Do you have annual training/records?
• Customer & supplier relationships - Review contracts with customers and suppliers
– Consider if data being transferred outside EU/EEA and make sure you comply
• Privacy Impact Assessments
– Is there a process in place to carry them out?
• Security breaches – be prepared – who is in charge what are your actions
How to prepare from legal point of view

41. Interest
Convert
(pay)
Selection
Usage
(private data)
Renewal
(pay)
Revenue Funnel
Marketing
Privacy
and Security
GDPR
e-Privacy
CCPA
FTC
COPPA
PCI-DSS
HIPAA
How to prepare from the operations point of view

42. 1. Get an up to date policy
2. Assess data flows
3. Do an impact assessment
4. Get training and audit records
5. Have a response plan to breaches
Check list

43. THANK YOU!
https://www.linkedin.com/in/james-tumbridge-
655b5584/
jtumbridge@vennershipley.co.uk

44. Q&A

45. “Will I get fined?”

46. “Where does risk typically reside in
organizations?”

47. “Regulatory enforcement in year two?”

48. “What are the extra-territorial impacts of GDPR?”

49. “Can I cold email businesses in the EU with highly
targeted messages? On LinkedIn too?”

50. “Is GDPR working or is it too
burdensome?”

51. “What are the best companies doing that the merely
good ones are not?”
“Which is the best strategy for GDPR compliance for a
medium size organization?”
“What is the best method (or the #1 thing) I should do
to effectively reduce risk and fines?”
Best Practices?

52. More Questions?
Email:
questions@feroot.com
@FerootPrivacyquestions@feroot.com linkedin.com/company/feroot/

53. Yes!
You will receive a recording of this webinar
and links to related resources.

54. Feroot Privacy Monitoring
Feroot helps you detect authorized and unauthorized data
collection on your website.