Join James Tumbridge, a lawyer with the specialist law firm Venner Shipley and one of the authors of the UK Data Protection Act 2018, and Ivan Tsarynny, CEO & Founder of Feroot Privacy, to discuss the unique data protection laws of EU jurisdictions and the potential impact regulations can have on your business operations, expansion plans and governance structure.
Topics for discussion include:
- Lessons learned from the courts, regulator inquiries and fines over the past year
- How to stay informed of current privacy regulations by learning about those who have been impacted already
- Significant trends in GDPR behaviours
- An overview of jurisdictional regulations & how to best prepare
- Key issues to keep in mind for governance, corporate structures and domiciles in data protection terms
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations and Penalties?
1. GDPR One Year Later: What can we learn from the investigations & penalties?
| FEROOT EXPERT WEBINAR SERIES Tuesday, May 14, 2019
James Tumbridge, Partner, Venner Shipley LLP
Ivan Tsarynny, Co-founder & CEO, Feroot Privacy
4. Next Webinar: June 2019
• Hidden Data Collection
• Ungoverned third-parties
• Data Leakage
@FerootPrivacy | linkedin.com/company/feroot/
5. Coming Soon! 2019 Data Collection Study (2019 Data Collection Research Report)
• Hidden Data Collection
• Ungoverned third-parties
• Data Leakage
7. Agenda
1. The New Data Economy: What Privacy Regulation Means for Business Operations & Growth
2. Significant Trends in GDPR Behaviours
3. Lessons Learned from EU Regulators & Fines (and how this impacts you!)
4. How Best to Prepare (legally & operationally)
5. Q&A (10 mins)
8. Turmoil in the Data Economy
| Region | Organizations | Regulation | Details |
|---|---|---|---|
| Europe | 94,000+ | GDPR | General Data Protection Regulation |
| UK | 19,000+ | DPA | Data Protection Act |
| California | 2,000+ (est.) | CCPA | California Consumer Privacy Act |
| Canada | 10,000+ | PIPEDA | Personal Information Protection and Electronic Documents Act |
| USA | 102,000+ | TBD | Rumored Federal Privacy Regulation in the U.S. |
+ Brand Reputation Damage
+ Loss of Customer Trust
+ Fines and penalties
9. Organizations are using more SaaS products than ever before.
There are over 7,000 marketing SaaS tools in 2019, up from ~350 in 2012.
Marketing SaaS products used by an average enterprise: 121 (2018 Netskope Cloud Report)
17. Awareness of the new law
[Charts: A) Annual worldwide mentions in the media (Source: Factiva); B) Google searches for GDPR (Source: Google Trends)]
• In 2018, the GDPR received more attention than certain celebrities
• And featured in Google searches more often than certain American superstars!
18. Most common types of complaints under the GDPR
• Telemarketing
• Promotional emails
• Video surveillance and CCTV
19. Complaints to Data Protection Authorities under the GDPR
• Steady increase in complaints
• Complaints can come from any individual
• GDPR introduced mandatory data breach notification for all data controllers
20. Number of data breach notifications
• Prior to GDPR there was no single breach-notification regulation for the European Union
• Data Protection Officer obliged to report breach within 72 hours
• Sharp and steady increase observed
[Chart: accumulated over time from all data protection authorities in Europe. Source: European Data Protection Board]
21. Breach notifications under the GDPR
• Sharp increase in breach notifications to ICO: 8,000 between May and Dec 2018
– Compare with 3,311 and 2,565 notifications in the years ending 31st March 2017 and 2018, respectively
• UK is third behind the Netherlands and Germany in the data breach reporting league table
• Despite this increase, reports of enforcement are so far limited, but growing
• However, as investigations take place, enforcement action is likely to increase
22. Cross-border cases under GDPR
[Charts: Investigations initiated by Data Protection Authorities; Investigations by Data Protection Authorities on the basis of individual complaints]
• Many companies (e.g. social media platforms) provide services in more than one country
• GDPR provides that in most cases one national authority takes the lead to investigate (‘one-stop shop’)
• In the event of disagreement the European Data Protection Board will arbitrate
23. Data Subject Access Requests (SARs)
• The introduction of the GDPR saw an immediate rise in SARs (possibly due to the abolition of the fee under the GDPR)
• In particular as a first move in the context of a potential claim in employment disputes
• Recent guidance from the court states SARs cannot be refused even when only motivated by potential litigation
• Organisations should be ready to respond to SARs and fully understand how the exemptions available may apply
25. Fines issued under the GDPR
• Fines up to 4% of worldwide turnover
• Google fined 50 million euros by French authority (largest fine so far, and represents 90% of total fines issued to date). Source: European Commission
55,955,871 euros: the total value of penalties imposed in the first 9 months*
*European Data Protection Board
26. Fines under the GDPR: a reminder
• Two tiers of penalties:
• Lower level:
– 10 million euros or 2% of annual turnover (whichever is higher)
– For infringements of the obligations of controllers and processors, certification bodies and monitoring bodies
• Upper level:
– Up to 20 million euros or 4% of annual turnover (whichever is higher)
– For infringements of the basic principles of processing, the data subjects’ rights, non-compliant transfers to third countries, and non-compliance with an order by a supervisory authority
• Remember, under the DPA 1998 the maximum fine was £500K
27. How are fines assessed under GDPR?
• The UK ICO has said that fines under the GDPR are to be ‘effective, proportionate and dissuasive’
• Each case is assessed individually. Factors to be taken into account:
– Nature, gravity and duration of the breach
– Number of data subjects involved
– Categories of personal data affected (e.g. special category data)
– Damage caused and action taken to mitigate the damage
– Any relevant previous infringements
– Degree of cooperation with the regulator
28. The Google fine
• Google fined 50 million euros for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for personalising ads
• French authority justified the fine on the basis that:
– Google would otherwise continue to infringe the essential principles of GDPR (transparency and consent)
– Infringements were not a one-off and were ongoing
– The number of people affected
– Google’s economic model is partly based on ad personalisation, therefore it is vital it complies
29. Fines in the UK
• The ICO has issued numerous six-figure penalties, but none have exceeded £500K, the maximum penalty under DPA 1998
• While no enforcement fines have yet been made under the DPA 2018, the ICO has issued over 100 fines for non-payment of data protection fees. Under the DPA 2018, all non-exempt organisations must pay an annual fee to the ICO, and failing to do so may result in fines of up to £4,350
• Under the DPA 2018, fees for small organisations are only £35, while fees for larger organisations have risen to £2,900
30. Fines in the UK
• Equifax: Fined the maximum £500,000 in September 2018 after 15 million customers’ data was hacked in 2017.
• Had the breach happened and been enforced under the GDPR, the maximum fine could have reached £100 million.
• Facebook: Fined the maximum £500,000 in October 2018 for sharing personal data with other organisations, including the parent company of Cambridge Analytica, between 2007 and 2014.
• Under the GDPR, the maximum possible fine would have been roughly £1.25 billion.
31. Fines: Selling customer data
UK:
• Bounty: Fined £400,000 on April 11th 2019 for selling information to data brokers and sharing the personal data of 14 million individuals without proper consent. Issued under DPA 1998, but if made under the GDPR, the maximum fine could have reached £17 million.
• Hall and Hanley: Most recent ICO fine. Fined £120,000 on May 7th for sending over 3 million unlawful spam text messages without valid consent, as is required under the Privacy and Electronic Communications Regulations (PECR)
32. Fines: failure to minimise
Denmark:
• First GDPR penalty notice in Denmark: 1.2 million kroner fine recommended by the Danish DPA (approx. 2.8% of turnover).
• DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining personal data long after the envisioned retention period.
• Taxa had deleted customers’ names and addresses but had retained customers’ telephone numbers for an additional three years
• Shows readiness of authorities to get closer to the 4% annual turnover cap, and to question your retention and review systems.
33. Fines: did you inform/check consent?
Poland:
• Polish DPA issued a € 220,000 fine to Swedish marketing firm Bisnode.
• DPA found Bisnode failed to comply with the GDPR’s transparency obligations (Article 14).
• Bisnode obtained the personal data of almost 8 million people from public registers but did not inform them how their data would be processed.
• In addition to the fine, Bisnode was ordered to contact over 6 million people it had not previously notified (at an estimated € 8 million in postal costs alone).
34. Fines: Video Surveillance
Austria:
• € 4,800 fine imposed by the Austrian DPA on a retail establishment for illegal video surveillance activities.
• The retailer was found to have monitored a public space without proper transparency and notice.
• The fine is noteworthy as the Austrian Data Protection Act states that the DPA will exercise only remedial powers (and, in particular, issue reprimands) for first-time infringers.
35. Fines on processors too
Italy:
• Several websites affiliated to the Italian political party ‘Movimento 5 Stelle’ were run through the Rousseau web platform.
• The platform suffered a data breach in 2017 which led to the DPA requiring the implementation of many security measures, in addition to the obligation to update the privacy information notice.
• Rousseau did not fully comply and was fined €50,000. It is noteworthy that this fine was issued against the data processor and not the data controller (Movimento 5 Stelle).
• Interestingly, the regulator initiated proceedings before May 2018, but issued a fine under the GDPR since Rousseau had not adopted security measures required through an order issued only after the 25th of May 2018 (Unique to Italy?)
36. Fines even when you are hacked
Germany:
• Following a hacking attack, large amounts of users’ personal information were compromised, including over 800,000 email addresses.
• Knuddels.de informed the German regulator and the users affected.
• The investigation found that passwords were stored in an unencrypted, plain-text form.
– Violation of Article 32(1)(a): the pseudonymisation and encryption of data
• € 20,000 fine. It is understood that the immediate reporting of the breach and notification of users resulted in a fine at the lower end of the spectrum.
37. Fines: medical data and staff misuse
Portugal:
• € 400,000 fine imposed by the Portuguese DPA on Centro Hospitalar Barreiro Montijo after staff members illicitly accessed patient data:
– Violation of Article 5(1)(c): data minimisation principle
– Violation of Article 83(5)(a): processing principles
– Violation of Article 5(1)(f): effective organisational measures (‘integrity and confidentiality’)
• The striking fact about this fine is that the regulator acted upon a newspaper article and not a complaint.
38. Fines: Lessons to Learn?
• Selling data is dangerous
• You need consent/clear informing of data subjects
• Retention decisions: fines for not auditing and removing unnecessary personal data, not using minimisation
• Biometric data (HMRC voice example): do you have adequate consent?
• Medical data is treated with more severity
• Good policies and prompt notice reduce fines
• Processors have risks too
• Get your security and anonymising in order
40. How to prepare from a legal point of view
• Policies and procedures: essential; comply with guidance on transparency and consent from the European Data Protection Board
– Do you have a policy to handle Subject Access Requests (SARs)?
– Do you have annual training/records?
• Customer & supplier relationships: review contracts with customers and suppliers
– Consider if data is being transferred outside the EU/EEA and make sure you comply
• Privacy Impact Assessments
– Is there a process in place to carry them out?
• Security breaches: be prepared. Who is in charge? What are your actions?
42. Check list
1. Get an up-to-date policy
2. Assess data flows
3. Do an impact assessment
4. Get training and audit records
5. Have a response plan to breaches
51. Best Practices?
“What are the best companies doing that the merely good ones are not?”
“Which is the best strategy for GDPR compliance for a medium size organization?”
“What is the best method (or the #1 thing) I should do to effectively reduce risk and fines?”
Hi everyone, and welcome to Feroot’s Expert Webinar Series.
If you do have any questions, sound issues, or just want to say a friendly hello, we encourage you to use the bar along the bottom of your screen to chat with us.
Let’s test it out now, raise your hand if you can hear me okay?
Raise your hand if any of you attended the Smart Technology Summit we hosted with Ann others this September?
And stay tuned for our next webinar in January 2019 on Best Practices for Transparency Notices, Managing Consent, Data Mapping and more.
We are also releasing a study very soon on automated data collection, in particular 3rd party trackers, hidden data collection and side-loaded code that puts you at risk of privacy and security breaches.
Today we have James Tumbridge with us.
James is one of the authors of the UK Data Protection Act 2018 that implemented the GDPR in the UK. He is a lawyer with the specialist law firm Venner Shipley and regularly advises clients on a global basis on the structure and approach to data collection and holding, as well as international data transfers and compliance issues.
And my name is Ivan Tsarynny and I will be your moderator.
Here is our agenda today.
We’ll be analyzing each fine and how this impacts business operations.
Make sure to stay till the end for Q&A because we’ve taken all your questions from registration and hope to address them in this final section. Feel free to ask questions throughout the webinar as well using your chat box.
The problem is much bigger than you thought.
130 tools used on average by HR.
And now…onto you James!
Look for 2018 stats
Practical ways to prepare? What does the marketing and sales team need to know?
If marketing department is buying a list for prospecting, what does it mean? How do they do it properly?
If your company uses a CRM and someone bought another tool that has access to your customer records and CRM and needs to copy and transfer the data without your knowledge, how do you ensure you’re doing everything in the right way?
What if you’re using analytics or ads on your site and they transfer the data outside of the EU, or even engage sub-processors you’re not aware of, that collect personal data on your behalf?
Feroot Global Privacy Database allows you to quickly and efficiently manage third-party vendors across applications, both dynamically and automatically. No more chasing down vendors for their latest privacy agreements. No more updating stale spreadsheets. Enter information once, connect to third-party vendors, and everything from consent management to documentation flows appropriately and continually to the key stakeholders. Your organization will save time, resources, and money, and avoid the tedious task of updating data flow charts every time a new vendor is added to your tech stack.
Feroot Privacy platform helps implement PrivacyOps frameworks that will unify, automate and coordinate all aspects of GDPR Subject Access Request compliance obligations. Feroot effectively manages all stakeholder touch-points and supports an organization’s ability to process requests efficiently and to document responses for compliance and legal purposes.
And it looks like we have time for 1 or 2 quick questions from the audience.
Okay, it looks like we’ve run out of time for more questions, but we will get back to you!
In the meantime, keep them coming. Email us at questions@feroot.com
If there is something you really want to know, we have a community of experts we can tap into for the answers and we will get back to you.
Great, thank you everyone. We will follow up with a recording tomorrow as well as some links to resources.